allow running as non-root

matomo-org / docker

Official Docker project for Matomo Analytics

https://matomo.org

Other

834 stars 348 forks source link

allow running as non-root #55

Open ibotty opened 7 years ago

ibotty commented 7 years ago

It would be great to run the container as non-root, preferably as random-non-root (via nss-wrapper). That's necessary for restricted kubernetes (e.g. openshift).

If you agree, I can provide a patch.

pierreozoux commented 7 years ago

agreed :)

On 20-02-2017 12:46, Tobias Florek wrote:

It would be great to run the container as non-root, preferably as random-non-root (via ld-wrapper). That's necessary for restricted kubernetes (e.g. openshift).

If you agree, I can provide a patch.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/piwik/docker-piwik/issues/55, or mute the thread https://github.com/notifications/unsubscribe-auth/ABxvHQIPTnJn58yBbCNXAyiMBVIRZJgMks5reYsagaJpZM4MGIjo.

-- I use PGP to protect our privacy, if you want to know more, you can follow this https://emailselfdefense.fsf.org/en/

If you have further questions, please do not hesitate to ask. You can verify my public key here: https://keybase.io/pierreozoux

mkosek commented 6 years ago

Hello all, was there any progress with this PR? It looks ready for merging :-) I am mostly just checking as I wanted to run the Apache version of piwik container on OpenShift v3 (www.openshift.com) and it failed at startup because it could not write to logs.

csandanov commented 6 years ago

I've built an alpine-based image for piwik, runs as user 1000 by default https://github.com/wodby/matomo, we run it in kubernetes with nginx

superseacat commented 6 years ago

I've been wondering if this is on the agenda?

J0WI commented 6 years ago

I'm not sure if this is necessary. See also the discussion here. Some images are using gosu, but this seems not be necessary all the time: https://github.com/tianon/gosu/#chroot

@tianon are there any best practices on this topic?

ibotty commented 6 years ago

I do think it is necessary. The original problem is still there and will not be going away. Using non-root uid is strictly more secure than using user namespaces, and that won't change in the near future.

tianon commented 6 years ago

I think the contents of https://github.com/docker-library/docs/pull/1215 are probably relevant here -- I imagine given a volume with appropriate permissions for the user the container gets run as, this will mostly just work out of the box.