mainsail-crew / mainsail

Mainsail is the popular web interface for managing and controlling 3D printers with Klipper.
https://docs.mainsail.xyz
GNU General Public License v3.0

Docker user support #1212

Open kjkent opened 1 year ago

kjkent commented 1 year ago

Requested feature:

As per my admittedly limited understanding: Within Docker containers, processes run as root by default, but Docker allows for running in-container processes as a less privileged UID/GID combo.

This has previously been accomplished by some image developers by passing the desired UID/GID via an environment variable, but Docker now has the functionality to explicitly pass a user parameter to either docker run or a Docker Compose file.

However, this user parameter does not currently work with the current mainsail edge image, producing logs that implicate docker-entrypoint.sh and nginx.

Solves the following problem:

As far as I'm aware, this is good security practice and something many mainstream images allow.

Additional information:

mainsail  | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
mainsail  | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
mainsail  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
mainsail  | 10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
mainsail  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
mainsail  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
mainsail  | /docker-entrypoint.sh: Configuration complete; ready for start up
mainsail  | 2022/12/28 22:51:52 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
mainsail  | nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
mainsail  | 2022/12/28 22:51:52 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
mainsail  | nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

Laikulo commented 1 year ago

Mainsail is (for the most part) just a static web app, so that container includes nginx to act as a web server. Nginx implements its own privilege dropping (to the nginx user) once it has started, as controlled by the user directive in its config.
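The two failures in the log above (the ignored `user` directive and the refused `mkdir()` under /var/cache/nginx) are the usual blockers when an nginx master process is started as an unprivileged UID via `--user` / `user:`. The script below is an added example, not Mainsail project code: it writes a constructed stand-in for a stock nginx.conf next to a non-root-ready variant (no `user` directive, pid and temp files under /tmp, an unprivileged listen port), and defines a small grep-based checker that flags those blockers. It assumes the image uses the standard nginx layout of the official image (/etc/nginx/nginx.conf, /var/cache/nginx/*_temp, /var/run/nginx.pid); the checks are heuristics, not a substitute for `nginx -t`.

```shell
#!/bin/sh
# Added example (not Mainsail's code): what has to change in nginx.conf for the
# master process to start as a non-root UID, plus a checker for the blockers.
# Assumption: standard nginx layout as in the official nginx image.
set -eu

WORKDIR="$(mktemp -d)"

# Constructed stand-in for a stock nginx.conf. 'user nginx;' is ignored when the
# master is not root (the [warn] in the log), and the default pid/temp paths
# live in root-owned directories (the [emerg] mkdir() failure in the log).
cat > "$WORKDIR/nginx.default.conf" <<'EOF'
user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
events { worker_connections 1024; }
http {
    include       /etc/nginx/mime.types;
    server {
        listen 80;
        root /usr/share/nginx/html;
    }
}
EOF

# Non-root variant: the container UID is already unprivileged, so there is
# nothing to drop; pid and temp files go to /tmp; port 8080 needs no root.
# Publish it as 'docker run --user 1000:1000 -p 80:8080 ...' or, in compose,
# 'user: "1000:1000"' with 'ports: ["80:8080"]'.
cat > "$WORKDIR/nginx.nonroot.conf" <<'EOF'
worker_processes  auto;
error_log  /dev/stderr notice;
pid        /tmp/nginx.pid;
events { worker_connections 1024; }
http {
    include       /etc/nginx/mime.types;
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path       /tmp/proxy_temp;
    fastcgi_temp_path     /tmp/fastcgi_temp;
    uwsgi_temp_path       /tmp/uwsgi_temp;
    scgi_temp_path        /tmp/scgi_temp;
    server {
        listen 8080;
        root /usr/share/nginx/html;
    }
}
EOF

# nginx_nonroot_check CONF: print one line per blocker found, return 1 if any.
nginx_nonroot_check() {
    conf="$1"; rc=0
    if grep -Eq '^[[:space:]]*user[[:space:]]' "$conf"; then
        echo "user directive present: ignored without root, remove it"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*pid[[:space:]]+/tmp/' "$conf"; then
        echo "pid file not under /tmp: default /var/run is root-owned"; rc=1
    fi
    # Matches 'listen 80;', 'listen 443 ssl;', 'listen [::]:80;' but not 8080.
    if grep -Eq '^[[:space:]]*listen[[:space:]]+([^ ;]*:)?(80|443)([[:space:]]|;)' "$conf"; then
        echo "listen on a privileged port (<1024): needs root or CAP_NET_BIND_SERVICE"; rc=1
    fi
    for d in client_body proxy fastcgi uwsgi scgi; do
        if ! grep -Eq "^[[:space:]]*${d}_temp_path[[:space:]]" "$conf"; then
            echo "${d}_temp_path unset: default /var/cache/nginx/${d}_temp is root-owned"; rc=1
        fi
    done
    return $rc
}

# Named wrappers so each config's result can be inspected directly.
check_default() { nginx_nonroot_check "$WORKDIR/nginx.default.conf"; }
check_nonroot() { nginx_nonroot_check "$WORKDIR/nginx.nonroot.conf"; }
```

Running `check_default` lists eight blockers (the `user` directive, the pid path, port 80 and the five unset temp paths); `check_nonroot` prints nothing and returns 0. Mounting the non-root config over /etc/nginx/nginx.conf is enough for a stock nginx image started with `--user`; the entrypoint scripts still log that they cannot modify /etc/nginx/conf.d, which is harmless because the mounted file carries the whole configuration.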