search

openanalytics / shinyproxy

ShinyProxy - Open Source Enterprise Deployment for Shiny and data science apps
https://www.shinyproxy.io
Apache License 2.0
521 stars 151 forks source link

docker rootless support ? #525

Open parisni opened 2 weeks ago

parisni commented 2 weeks ago

Wondering if sp would work w/ docker in rootless mode.

Apart from security perspective one interesting effect would be docker volume access.

Right now when SP mounts a dynamic volume let's say containing the username, the very first time docker creates the folder both on the host and within the container with root access. As a result if the docker image is no root, that folder is read-only.

With docker rootless the volume would be created by the user , say 1000:1000, which is used by most containers (Jupyter, rstudio at least)

parisni commented 2 weeks ago

sounds like it works fine !

the volume is not anymore an issue, and it's much more secure to run docker in rootless. DIND works also fine, but the shiny-proxy container has to run with user=0 (in order to read the /run/user/1000/docker.sock file)

LEDfan commented 1 week ago

Hi, as you noticed ShinyProxy works fine with rootless docker, although it's important that ShinyProxy is using the same user, such that it's able to access the docker socket (the use of a TCP port is insecure and would remove the benefit of rootless docker).

When running ShinyProxy in Docker, you can use (almost) the same commands as here: https://github.com/openanalytics/shinyproxy-config-examples/tree/master/02-containerized-docker-engine#how-to-run . Apparently when mounting the Docker socket, docker changes the ownership to root:docker, where docker is the docker group on the host machine. Therefore, you must pass the --group-add $(getent group docker | cut -d: -f3) option to the docker run command. This ensure ShinyProxy runs with a user that is part of the docker group. Therefore, ShinyProxy will have access to the docker socket, even if the shinyproxy user and the user running the docker daemon have a different id.

EDIT: we will add this information to the documentation and examples.

LDSamson commented 1 week ago

sounds like it works fine !

the volume is not anymore an issue, and it's much more secure to run docker in rootless. DIND works also fine, but the shiny-proxy container has to run with user=0 (in order to read the /run/user/1000/docker.sock file)

@parisni just adding my experience since I happened to work on exactly the same problem the last weeks (getting containerized shinyproxy running in Rootless mode). It took us some time to get mounted volumes working, but we managed to get the setup working without setting a user to root in any of the containers (including the ShinyProxy container).

Following this advice, we used rootlesskit to change ownership of the volume that needs to be mounted to a UID that is available in the container (thus, to a specific subUID on the host):

rootlesskit -- chown -R shinyproxy:shinyproxy data_folder

I tested since last week, and so far it works quite well with ShinyProxy, regardless of the number of containers in use.