jarischaefer / docker-librenms

Docker image for LibreNMS
MIT License

Allow the Setting of GUID / PUID via Configuration #134

Open E-t-z opened 2 years ago

E-t-z commented 2 years ago

It would be great if we could set GUID / PUID in the environment variables (similar to all images produced by LinuxServer.io): https://docs.linuxserver.io/general/understanding-puid-and-pgid

It would make it way easier to assign proper permissions for mapped volumes and create actual corresponding isolated users on the host, in case needed.

jarischaefer commented 2 years ago

Good idea, similar to #131. There is some support already, see https://github.com/jarischaefer/docker-librenms/pull/50. I will add documentation. Support for docker run --user=... would be nice.

Do you want every process in the container to run as PUID & PGID? Or is it only about ensuring file permissions on the volumes?

E-t-z commented 2 years ago

It is mostly about permissions for the volumes. It adds the ability to spawn an actual user in the system and write files with correct permissions on the host. Also, the current implementation can have clashes with the underlying host, if those IDs match an existing user on the host, whose account has nothing to do with Docker and who actually should not even have access to those files.

Running all processes inside the container with the same PUID and PGID would be nice, but is not very important in this case. (I know, security experts would disagree, but it is a completely different topic altogether.)

E-t-z commented 1 year ago

Ok, tried this out, but container fails to start:

2022-09-23T05:10:36.012722000Z | stdout | *** /etc/my_init.d/librenms_001_early_permissions failed with status 4
2022-09-23T05:10:36.012494000Z | stdout | groupadd: GID '100' already exists
2022-09-23T05:10:36.007687279Z | stdout | Done.
2022-09-23T05:10:35.765885263Z | stdout | Removing group `librenms' ...
2022-09-23T05:10:35.688004083Z | stdout | Done.
2022-09-23T05:10:35.518352022Z | stdout | Removing user `www-data' from group `librenms' ...
2022-09-23T05:10:35.434356438Z | stdout | Done.
2022-09-23T05:10:35.082543237Z | stdout | userdel: group librenms not removed because it has other members.
2022-09-23T05:10:35.051962465Z | stdout | Removing user `librenms' ...
2022-09-23T05:10:34.941606664Z | stdout | *** Running /etc/my_init.d/librenms_001_early_permissions...
2022-09-23T05:10:34.932411237Z | stdout | *** Running /etc/my_init.d/librenms_000_environment...
2022-09-23T05:10:33.959092010Z | stdout | Sep 23 08:10:33 LibreNMS syslog-ng[13]: syslog-ng starting up; version='3.35.1'
2022-09-23T05:10:33.877696103Z | stdout | *** Running /etc/my_init.d/10_syslog-ng...

E-t-z commented 1 year ago

Unfortunately, I have not yet had a chance to debug it.

jarischaefer commented 1 year ago

@E-t-z There are some default users and groups in /etc/passwd and /etc/group. The number of reserved IDs could be reduced in the future. For now it is best to use IDs greater than 1000.
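
Added example, not part of the thread and not the project's own code: in the log above the existing librenms user and group are removed before groupadd rejects GID 100, so a preflight check that runs before any destructive step avoids a half-reconfigured container. The function names, the file-path parameters and the sample group entries are assumptions made for illustration.

```shell
#!/bin/sh
# Preflight for PUID/PGID: refuse IDs already held by another account
# before any userdel/groupdel is attempted. Illustrative helper names.

# Constructed sample group file modelled on the failure in the log
# (GID 100 already belongs to some other group).
sample_group() {
    printf '%s\n' 'root:x:0:' 'users:x:100:' 'librenms:x:999:www-data'
}

# id_owner FILE ID: print the name that holds numeric ID in a
# passwd- or group-format file (field 3 is the ID in both formats).
id_owner() {
    awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"
}

# check_id KIND FILE ID NAME: succeed if ID is numeric and either
# unused or already assigned to NAME itself.
check_id() {
    kind=$1 file=$2 id=$3 name=$4
    case $id in
        ''|*[!0-9]*) echo "$kind '$id' is not a number" >&2; return 1 ;;
    esac
    owner=$(id_owner "$file" "$id")
    if [ -n "$owner" ] && [ "$owner" != "$name" ]; then
        echo "$kind '$id' already belongs to '$owner'" >&2
        return 1
    fi
    return 0
}

# preflight PUID PGID [PASSWD_FILE] [GROUP_FILE]
# Reports every problem, then returns non-zero if any check failed.
preflight() {
    passwd_file=${3:-/etc/passwd}
    group_file=${4:-/etc/group}
    rc=0
    check_id PUID "$passwd_file" "$1" librenms || rc=1
    check_id PGID "$group_file" "$2" librenms || rc=1
    return $rc
}
```

Calling `preflight "$PUID" "$PGID"` at the top of an init script and exiting on failure leaves the original user and group intact when a requested ID is already reserved.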