jgraph / docker-drawio

Dockerized draw.io based on whichever is the most secure image at the time.
GNU General Public License v3.0

Run container as non root #36

Closed antoineozenne closed 1 year ago

antoineozenne commented 3 years ago

Is it possible to run the container as non-root for security reasons? If I try with the nobody user and group, there are some errors.

docker run -p 8080:8080 -u 65534:65534 jgraph/drawio:14.8.4-alpine:

Init PreConfig.js
/docker-entrypoint.sh: line 16: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 17: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 18: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 19: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 20: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 21: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 22: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 23: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 24: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 31: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 33: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 34: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 36: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 48: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 52: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 53: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 54: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 58: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 76: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 86: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/**
 * Copyright (c) 2006-2020, JGraph Ltd
 * Copyright (c) 2006-2020, draw.io AG
 */
// Overrides of global vars need to be pre-loaded
window.EXPORT_URL = 'REPLACE_WITH_YOUR_IMAGE_SERVER';
window.PLANT_URL = 'REPLACE_WITH_YOUR_PLANTUML_SERVER';
window.DRAWIO_BASE_URL = null; // Replace with path to base of deployment, e.g. https://www.example.com/folder
window.DRAWIO_VIEWER_URL = null; // Replace your path to the viewer js, e.g. https://www.example.com/js/viewer.min.js
window.DRAW_MATH_URL = 'math';
window.DRAWIO_CONFIG = null; // Replace with your custom draw.io configurations. For more details, https://www.diagrams.net/doc/faq/configure-diagram-editor
urlParams['sync'] = 'manual';
Init PostConfig.js
/docker-entrypoint.sh: line 98: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
/docker-entrypoint.sh: line 99: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
/docker-entrypoint.sh: line 100: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
/docker-entrypoint.sh: line 104: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
/docker-entrypoint.sh: line 115: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
/**
 * Copyright (c) 2006-2020, JGraph Ltd
 * Copyright (c) 2006-2020, draw.io AG
 */
// null'ing of global vars need to be after init.js
window.VSD_CONVERT_URL = null;
window.EMF_CONVERT_URL = null;
window.ICONSEARCH_PATH = null;
Generating Self-Signed certificate
keytool error: java.io.FileNotFoundException: /usr/local/tomcat/.keystore (Permission denied)
keytool error: java.lang.Exception: Keystore file does not exist: /usr/local/tomcat/.keystore
java.lang.Exception: Keystore file does not exist: /usr/local/tomcat/.keystore
    at sun.security.tools.keytool.Main.doCommands(Main.java:772)
    at sun.security.tools.keytool.Main.run(Main.java:368)
    at sun.security.tools.keytool.Main.main(Main.java:361)
06-Jul-2021 11:09:16.750 WARNING [main] org.apache.catalina.core.StandardContext.setPath A context path must either be an empty string or start with a '/' and do not end with a '/'. The path [/] does not meet these criteria and has been changed to []
06-Jul-2021 11:09:16.766 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.20
06-Jul-2021 11:09:16.766 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          May 3 2019 22:26:00 UTC
06-Jul-2021 11:09:16.766 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.20.0
06-Jul-2021 11:09:16.766 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
06-Jul-2021 11:09:16.766 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            5.8.0-59-generic
06-Jul-2021 11:09:16.766 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
06-Jul-2021 11:09:16.766 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/lib/jvm/java-1.8-openjdk/jre
06-Jul-2021 11:09:16.767 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.8.0_212-b04
06-Jul-2021 11:09:16.767 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            IcedTea
06-Jul-2021 11:09:16.767 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
06-Jul-2021 11:09:16.767 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
06-Jul-2021 11:09:16.767 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
06-Jul-2021 11:09:16.767 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
06-Jul-2021 11:09:16.767 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
06-Jul-2021 11:09:16.768 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
06-Jul-2021 11:09:16.768 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
06-Jul-2021 11:09:16.768 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
06-Jul-2021 11:09:16.768 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
06-Jul-2021 11:09:16.768 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
06-Jul-2021 11:09:16.768 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
06-Jul-2021 11:09:16.768 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
06-Jul-2021 11:09:16.768 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
06-Jul-2021 11:09:16.768 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
06-Jul-2021 11:09:16.771 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1b  26 Feb 2019]
06-Jul-2021 11:09:17.014 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
06-Jul-2021 11:09:17.033 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"]
06-Jul-2021 11:09:17.034 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [435] milliseconds
06-Jul-2021 11:09:17.054 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
06-Jul-2021 11:09:17.054 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.20]
06-Jul-2021 11:09:17.057 SEVERE [main] org.apache.catalina.startup.HostConfig.beforeStart Unable to create directory for deployment: [/usr/local/tomcat/conf/Catalina/localhost]
06-Jul-2021 11:09:17.485 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
06-Jul-2021 11:09:17.552 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/manager]
06-Jul-2021 11:09:17.575 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/manager] has finished in [23] ms
06-Jul-2021 11:09:17.576 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/examples]
06-Jul-2021 11:09:17.702 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/examples] has finished in [125] ms
06-Jul-2021 11:09:17.702 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/host-manager]
06-Jul-2021 11:09:17.717 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/host-manager] has finished in [15] ms
06-Jul-2021 11:09:17.717 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/docs]
06-Jul-2021 11:09:17.729 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/docs] has finished in [11] ms
06-Jul-2021 11:09:17.729 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/draw]
06-Jul-2021 11:09:17.948 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
06-Jul-2021 11:09:17.953 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/draw] has finished in [224] ms
06-Jul-2021 11:09:17.957 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
06-Jul-2021 11:09:17.963 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
06-Jul-2021 11:09:17.964 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [929] milliseconds
realknotworking commented 3 years ago

You need to add the user (nobody) you want to run it as to the Docker group: sudo usermod -aG docker nobody

antoineozenne commented 3 years ago

My question is not very clear, sorry. I want to run the drawio process inside the container as non-root.

ellakk commented 3 years ago

We could also use a rootless container. We run this container in OpenShift, which is more restricted with regard to what uids are allowed to run the pods. We currently solve this by modifying the container ourselves.

m-mohamedin commented 3 years ago

Have you tried writing the files changed by the script https://github.com/jgraph/docker-drawio/blob/dev/alpine/docker-entrypoint.sh into your own configuration, removing all file writes from it, and then building your custom image?
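
As an added example (not code from the docker-drawio project or from anyone in this thread): a small POSIX sh helper that reads a start-up log like the one in the report, pulls out the paths that the entrypoint, keytool and Tomcat could not write as uid 65534, and prints the chown/mkdir lines a derived image would run as root before switching to that user. The sample log lines and the uid:gid are constructed from the values shown above.

```sh
#!/bin/sh
# Added example, not code from the docker-drawio project. Reads a container
# start-up log like the one in this issue and lists the paths that could not be
# written when the image was started with "-u 65534:65534", so a derived image
# can pre-create or chown them before switching to a non-root USER.
#
# Three line shapes from the log are recognised:
#   /docker-entrypoint.sh: line N: <path>: Permission denied                  -> file
#   keytool error: java.io.FileNotFoundException: <path> (Permission denied)  -> create
#   ... Unable to create directory for deployment: [<path>]                    -> dir

# Constructed sample log (a few lines in the shape of the output in the report).
SAMPLE_LOG='Init PreConfig.js
/docker-entrypoint.sh: line 16: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 17: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
/docker-entrypoint.sh: line 98: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
keytool error: java.io.FileNotFoundException: /usr/local/tomcat/.keystore (Permission denied)
06-Jul-2021 11:09:17.057 SEVERE [main] org.apache.catalina.startup.HostConfig.beforeStart Unable to create directory for deployment: [/usr/local/tomcat/conf/Catalina/localhost]
06-Jul-2021 11:09:17.964 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [929] milliseconds'

# denied_paths: log on stdin -> unique "kind path" lines on stdout.
denied_paths() {
    sed -n \
        -e 's|^/docker-entrypoint\.sh: line [0-9]*: \(/[^:]*\): Permission denied$|file \1|p' \
        -e 's|^keytool error: java\.io\.FileNotFoundException: \(/[^ ]*\) (Permission denied)$|create \1|p' \
        -e 's|.*Unable to create directory for deployment: \[\(/[^]]*\)]$|dir \1|p' \
    | sort -u
}

# fix_plan UID:GID: "kind path" lines on stdin -> shell commands for a Dockerfile
# RUN step (executed as root, before "USER UID:GID"). A rewritten file needs the
# file itself owned; a file keytool wants to create needs its parent directory;
# a directory Tomcat wants to create is made up front.
fix_plan() {
    while read -r kind path; do
        case "$kind" in
            file)   printf 'chown %s %s\n' "$1" "$path" ;;
            create) printf 'chown %s %s\n' "$1" "$(dirname "$path")" ;;
            dir)    printf 'mkdir -p %s && chown %s %s\n' "$path" "$1" "$path" ;;
        esac
    done
}

# Stand-alone run: print the plan for the nobody uid/gid used in the report.
printf '%s\n' "$SAMPLE_LOG" | denied_paths | fix_plan 65534:65534
```

Feeding the real container log (docker logs on the failing container) through denied_paths instead of SAMPLE_LOG gives the list for the actual image version; paths outside the three recognised shapes are ignored and would need to be added by hand.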

antoineozenne commented 3 years ago

No, I didn't. I will maybe try, but I want to use the official image, not a custom image that I have to rebuild for each new version.

m-mohamedin commented 1 year ago

Will be available in the next release