Open parisni opened 2 weeks ago
Sounds like it works fine!
The volume is no longer an issue, and it's much more secure to run docker in rootless mode. DIND also works fine, but the shiny-proxy container has to run with user=0 (in order to read the `/run/user/1000/docker.sock` file).
Hi, as you noticed ShinyProxy works fine with rootless docker, although it's important that ShinyProxy is using the same user, such that it's able to access the docker socket (the use of a TCP port is insecure and would remove the benefit of rootless docker).
When running ShinyProxy in Docker, you can use (almost) the same commands as here: https://github.com/openanalytics/shinyproxy-config-examples/tree/master/02-containerized-docker-engine#how-to-run . Apparently when mounting the Docker socket, docker changes the ownership to `root:docker`, where `docker` is the docker group on the host machine. Therefore, you must pass the `--group-add $(getent group docker | cut -d: -f3)` option to the `docker run` command. This ensures ShinyProxy runs with a user that is part of the `docker` group. Therefore, ShinyProxy will have access to the docker socket, even if the shinyproxy user and the user running the docker daemon have a different id.
EDIT: we will add this information to the documentation and examples.
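The maintainer's recipe above (resolve the host `docker` gid, pass it with `--group-add`, bind-mount the socket) as a small preflight script. This is an added example, not code from the ShinyProxy project or from anyone in this thread: it checks that the socket you are about to mount is actually owned by the gid you are adding before assembling the `docker run` command. The socket path `/run/user/<uid>/docker.sock` is the one named in the thread; the in-container socket path, the `application.yml` location and the image name are assumed placeholders to adjust for your deployment.

```sh
#!/bin/sh
# Added example (not ShinyProxy project code). Preflight for running containerized
# ShinyProxy against a rootless Docker socket via --group-add instead of user=0.

# Numeric gid from a getent-style "name:x:gid:members" line.
gid_from_group_line() {
  printf '%s\n' "$1" | cut -d: -f3
}

# gid of the "docker" group on this host (same expression as the maintainer's advice).
docker_gid() {
  gid_from_group_line "$(getent group docker)"
}

# Owning gid of a path, read from `ls -ln` (field 4) so it works without GNU stat.
file_gid() {
  ls -ldn "$1" | awk '{ print $4 }'
}

# Does the socket exist and is it owned by the gid we intend to add to the container?
# Returns 0 when --group-add <gid> will actually grant access, 1 otherwise.
socket_group_matches() {
  sock="$1"; gid="$2"
  [ -e "$sock" ] || return 1
  [ "$(file_gid "$sock")" = "$gid" ]
}

# Assemble the docker run command (printed, not executed, so it can be reviewed first).
# $1 = host uid running rootless dockerd, $2 = docker gid, $3 = absolute path to
# application.yml, $4 = image name. The container keeps the image's own non-root user.
shinyproxy_run_cmd() {
  uid="$1"; gid="$2"; cfg="$3"; image="$4"
  printf 'docker run -d --name shinyproxy --group-add %s -p 8080:8080 -v /run/user/%s/docker.sock:/var/run/docker.sock -v %s:/opt/shinyproxy/application.yml %s\n' \
    "$gid" "$uid" "$cfg" "$image"
}

# Typical use on the host (assumed paths and image tag):
#   gid=$(docker_gid)
#   socket_group_matches "/run/user/$(id -u)/docker.sock" "$gid" || echo "socket gid does not match; --group-add will not help"
#   shinyproxy_run_cmd "$(id -u)" "$gid" /srv/shinyproxy/application.yml example/shinyproxy:latest
```

The check matters because the whole point of the thread is to avoid `user=0`: if `socket_group_matches` fails, adding the group gives the container nothing, and the fix is to correct the socket's group on the host rather than to fall back to root inside the container.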
@parisni just adding my experience since I happened to work on exactly the same problem over the last few weeks (getting containerized shinyproxy running in Rootless mode). It took us some time to get mounted volumes working, but we managed to get the setup working without setting a user to root in any of the containers (including the ShinyProxy container).
Following this advice, we used `rootlesskit` to change ownership of the volume that needs to be mounted to a UID that is available in the container (thus, to a specific subUID on the host):
```
rootlesskit -- chown -R shinyproxy:shinyproxy data_folder
```
I tested since last week, and so far it works quite well with ShinyProxy, regardless of the number of containers in use.
Wondering if sp would work w/ docker in rootless mode.
Apart from the security perspective, one interesting effect would be docker volume access.
Right now when SP mounts a dynamic volume, let's say containing the username, the very first time docker creates the folder both on the host and within the container with root access. As a result, if the docker image is not root, that folder is read-only.
With docker rootless the volume would be created by the user, say 1000:1000, which is used by most containers (Jupyter, rstudio at least).
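The volume-ownership problem stated in this issue, and the `rootlesskit -- chown` fix from the comment above, both come down to how rootless Docker maps uids: container uid 0 is the host user's own uid, and container uids 1..count map onto the user's `/etc/subuid` range (`start..start+count-1`). A volume the container's non-root user must write to therefore has to be owned on the host by the mapped subuid, which is exactly what running `chown` inside the rootlesskit namespace produces. The script below is an added example, not code from the ShinyProxy project or from this thread's authors: it computes that mapping in both directions so you can predict what a host-owned directory will look like inside the container (and why it ends up read-only) and verify the host owner after the chown. The uid 1000 for the in-container `shinyproxy` user and the `alice:100000:65536` subuid line are constructed sample values.

```sh
#!/bin/sh
# Added example (not ShinyProxy project code): rootless Docker uid mapping helpers.
# Mapping used by rootless dockerd/rootlesskit from /etc/subuid:
#   container uid 0            -> host uid of the rootless user
#   container uid n (1..count) -> host uid start + n - 1
#   anything else              -> unmapped, shown as the overflow uid 65534 ("nobody")

subuid_start() { printf '%s\n' "$1" | cut -d: -f2; }
subuid_count() { printf '%s\n' "$1" | cut -d: -f3; }

# Host uid that a container uid maps to.
# $1 = host uid of the rootless user, $2 = that user's /etc/subuid line "user:start:count",
# $3 = uid inside the container. Prints the host uid; returns 1 if the uid is unmapped.
host_uid_for_container_uid() {
  host_uid="$1"; line="$2"; cuid="$3"
  start=$(subuid_start "$line"); count=$(subuid_count "$line")
  if [ "$cuid" -eq 0 ]; then
    printf '%s\n' "$host_uid"
  elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
    printf '%s\n' "$((start + cuid - 1))"
  else
    return 1
  fi
}

# Inverse: the uid a host-owned file appears as inside the container.
# A host uid outside the mapping shows up as 65534, i.e. not writable by the
# container's user, which is the read-only symptom described in the issue.
container_uid_for_host_uid() {
  host_uid="$1"; line="$2"; huid="$3"
  start=$(subuid_start "$line"); count=$(subuid_count "$line")
  if [ "$huid" -eq "$host_uid" ]; then
    printf '0\n'
  elif [ "$huid" -ge "$start" ] && [ "$huid" -lt "$((start + count))" ]; then
    printf '%s\n' "$((huid - start + 1))"
  else
    printf '65534\n'
  fi
}

# The fix from the thread, printed rather than executed: chown inside the rootless
# user namespace so the host owner becomes the mapped subuid.
rootlesskit_chown_cmd() {
  printf 'rootlesskit -- chown -R %s:%s %s\n' "$1" "$2" "$3"
}

# Host-side verification after the chown: numeric owner of a path via `ls -ln` (field 3).
host_owner_uid() {
  ls -ldn "$1" | awk '{ print $3 }'
}

# Typical use (assumed values): a volume created by the rootless user (host uid 1000)
# is container root, so a container user with uid 1000 needs host uid 100999 to own it.
#   container_uid_for_host_uid 1000 "$(grep '^alice:' /etc/subuid)" 1000     # -> 0
#   host_uid_for_container_uid 1000 "$(grep '^alice:' /etc/subuid)" 1000     # -> 100999
#   rootlesskit_chown_cmd shinyproxy shinyproxy data_folder
#   host_owner_uid data_folder   # expect the value printed by host_uid_for_container_uid
```

The off-by-one (`start + n - 1`, because container uid 0 is taken by the host user rather than by the subuid range) is the detail most often got wrong when people chown volumes by hand on the host instead of going through `rootlesskit`; the helper makes the expected host owner explicit so it can be checked before a container ever starts.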