Open ibotty opened 7 years ago
agreed :)
On 20-02-2017 12:46, Tobias Florek wrote:
It would be great to run the container as non-root, preferably as random-non-root (via ld-wrapper). That's necessary for restricted kubernetes (e.g. openshift).
If you agree, I can provide a patch.
Hello all, was there any progress with this PR? It looks ready for merging :-) I am mostly just checking as I wanted to run the Apache version of piwik container on OpenShift v3 (www.openshift.com) and it failed at startup because it could not write to logs.
I've built an alpine-based image for piwik that runs as user 1000 by default (https://github.com/wodby/matomo); we run it in kubernetes with nginx.
I've been wondering if this is on the agenda?
I'm not sure if this is necessary. See also the discussion here. Some images are using gosu, but this does not seem to be necessary all the time: https://github.com/tianon/gosu/#chroot
@tianon are there any best practices on this topic?
I do think it is necessary. The original problem is still there and will not be going away. Using a non-root uid is strictly more secure than using user namespaces, and that won't change in the near future.
I think the contents of https://github.com/docker-library/docs/pull/1215 are probably relevant here -- I imagine given a volume with appropriate permissions for the user the container gets run as, this will mostly just work out of the box.
It would be great to run the container as non-root, preferably as random-non-root (via nss-wrapper). That's necessary for restricted kubernetes (e.g. openshift).
If you agree, I can provide a patch.
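As an added example (not the docker-piwik project's own entrypoint), this is the shape the requested change takes: an entrypoint that makes an arbitrary non-root UID, such as the random UID OpenShift assigns, resolvable through nss_wrapper, and that checks the directories Matomo must write to before starting Apache. The nss_wrapper library path and the `/var/www/html`, `/var/log/apache2` paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the docker-piwik project's entrypoint: make an arbitrary non-root
# UID (e.g. the random UID OpenShift assigns) usable inside the container. Such a UID
# has no /etc/passwd entry, so getpwuid() fails for Apache/PHP; nss_wrapper answers
# those lookups from a passwd file we generate at start-up. The library path and the
# /var/www/html and /var/log/apache2 paths are assumptions for illustration.
set -eu

# Write a passwd file: every existing entry except one that already owns $uid,
# plus a synthetic "matomo" entry for $uid/$gid. Prints the output path.
gen_passwd() {
  uid=$1 gid=$2 out=$3 src=${4:-/etc/passwd}
  # grep exits 1 when nothing matches and 2 if $src is missing; both leave an empty file
  grep -v "^[^:]*:[^:]*:${uid}:" "$src" > "$out" 2>/dev/null || :
  printf 'matomo:x:%s:%s:Matomo:/var/www/html:/sbin/nologin\n' "$uid" "$gid" >> "$out"
  printf '%s\n' "$out"
}

# Resolve a UID to a user name from a given passwd file (what nss_wrapper will answer).
lookup_uid() {
  awk -F: -v u="$2" '$3 == u { print $1; exit }' "$1"
}

# Return 0 only if every directory given is writable by the current UID; this is the
# check that would have caught the "could not write to logs" start-up failure early.
check_writable() {
  for d in "$@"; do
    [ -d "$d" ] && [ -w "$d" ] || { echo "not writable by uid $(id -u): $d" >&2; return 1; }
  done
}

setup_nss_wrapper() {
  uid=$(id -u) gid=$(id -g)
  [ "$uid" = 0 ] && return 0                          # root already resolves
  if command -v getent >/dev/null && getent passwd "$uid" >/dev/null 2>&1; then
    return 0                                          # UID already has a passwd entry
  fi
  lib=${NSS_WRAPPER_LIB:-/usr/lib/libnss_wrapper.so}  # assumed install location
  [ -f "$lib" ] || { echo "nss_wrapper missing at $lib; uid $uid stays unresolvable" >&2; return 0; }
  NSS_WRAPPER_PASSWD=$(gen_passwd "$uid" "$gid" /tmp/passwd.nss)
  export NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP=/etc/group LD_PRELOAD="$lib"
}

# Entrypoint behaviour, only when a command to exec was given (e.g. apache2-foreground).
if [ $# -gt 0 ]; then
  setup_nss_wrapper
  check_writable /var/www/html/tmp /var/log/apache2
  exec "$@"
fi
```

With a volume mounted writable for the container's group (as suggested in the docker-library docs PR above), the same script works unchanged whether the UID is fixed at build time or chosen at random by the platform.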