linuxserver / docker-radarr

GNU General Public License v3.0

[FEAT] Support rootless environments #203

Closed uhthomas closed 1 year ago

uhthomas commented 1 year ago

Is this a new feature request?

Wanted change

This container needs to be run as root. This is not necessary. For environments like Kubernetes, s6 should be removed entirely really.

```
❯ k -n radarr logs radarr-5f66b9b784-k2tmd
s6-overlay-suexec: warning: unable to gain root privileges (is the suid bit set?)
s6-mkdir: warning: unable to mkdir /run/s6: Permission denied
s6-mkdir: warning: unable to mkdir /run/service: Permission denied
s6-overlay-suexec: fatal: child failed with exit code 111
```

Reason for change

Running containers as root is a security risk.

Proposed code change

Providing a non-s6 image is probably the best way forward. I presume it's necessary for environments without security restrictions unlike Kubernetes?

github-actions[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

aptalca commented 1 year ago

We're not going to remove s6 in the near future

Roxedus commented 1 year ago

Kubernetes is currently not our target audience, nor is rootless in general. onedr0p provides images for this audience.

uhthomas commented 1 year ago

> We're not going to remove s6 in the near future

Is it possible to consider a second image with a different tag like linuxserver/radarr:4.0.0-rootless? It looks like I'm going to have to build my own image otherwise.

uhthomas commented 1 year ago

> Kubernetes is currently not our target audience, nor is rootless in general. onedr0p provides images for this audience.

A small Kubernetes cluster to run applications like this is becoming increasingly more common, and with improvements to container tools in general I imagine that s6 will eventually become unnecessary? It feels backwards to use an overlay for security rather than delegating it to the container runner.

I don't see any images for radarr published by onedr0p. Am I missing something?

j0nnymoe commented 1 year ago

To be frank, with the amount of images we have, we aren't going to make rootless images alongside our main ones.

Support is already stretched at best for our current set of images, duplicating them all for rootless just isn't doable.

uhthomas commented 1 year ago

> To be frank, with the amount of images we have, we aren't going to make rootless images alongside our main ones.
>
> Support is already stretched at best for our current set of images, duplicating them all for rootless just isn't doable.

That's a fair point, I respect that.

ilbarone87 commented 11 months ago

@uhthomas have you found a way to achieve this? I would be interested in the solution if you can share it, please.

uhthomas commented 10 months ago

@ilbarone87 I switched to @onedr0p's image.

https://github.com/onedr0p/containers/pkgs/container/radarr