openhab / openhab-docker

Repository for building Docker containers for openHAB
https://www.openhab.org/
Eclipse Public License 2.0

Allow running as non-root #353

Open ibotty opened 3 years ago

ibotty commented 3 years ago

It is possible to run OpenHAB without being root. You will have to jump through some hoops to do so though. It would be great not to have to do that.

Would you consider a pull request adding the option to run the image as a different uid?

wborn commented 3 years ago

It already runs openHAB as a non-root "openhab" user that you can specify using the USER_ID and GROUP_ID env vars.

See: https://github.com/openhab/openhab-docker#environment-variables

ibotty commented 3 years ago

That's not entirely correct:

++ test -t 0
++ echo true
+ interactive=true
+ set -euo pipefail
+ IFS='
        '
+ '[' limited = unlimited ']'
+ rm -f /openhab/runtime/instances/instance.properties
+ rm -f /openhab/userdata/tmp/instances/instance.properties
+ NEW_USER_ID=3f1e5ad9-5389-4eba-92c7-cde61560f459
+ NEW_GROUP_ID=0
+ echo 'Starting with openhab user id: 3f1e5ad9-5389-4eba-92c7-cde61560f459 and group id: 0'
Starting with openhab user id: 3f1e5ad9-5389-4eba-92c7-cde61560f459 and group id: 0
+ id -u openhab
++ getent group 0
+ '[' -z root:x:0: ']'
++ getent group 0
++ cut -d: -f1
+ group_name=root
+ echo 'Rename group root to openhab'
Rename group root to openhab
+ groupmod --new-name openhab root
groupmod: Permission denied.
groupmod: cannot lock /etc/group; try again later.

This can be worked around with some effort. Also the (version-) update script hardcodes a check for uid 0.

wborn commented 3 years ago

Yes it does some initial setup as "root" so users can use a custom UID/GID for the "openhab" user, e.g. so it matches those of a user on the host. Afterwards it uses gosu to run openHAB as "openhab". Would you like to skip that setup part when running as non-root user? It probably already has sufficient permissions to do the upgrade as "openhab" user.

ibotty commented 3 years ago

Yes. That's what I mean. In some environments running as non-root is required. The image is generally suitable for that but not quite.

I propose to skip this setup (in the entrypoint) when not running as root. In the upgrade script I would simply warn that it's not running as root or simply drop the check altogether.

wborn commented 3 years ago

Yes that makes sense to also support such a setup for users who prefer the extra security over customizing UID/GIDs. Skipping the chown command in that case will make the container also start a lot faster on SBCs with slow storage.
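
The behaviour agreed on in this thread, as an added sketch that is not part of the thread and not the openhab-docker entrypoint: do the account remapping, chown and gosu step only when started as uid 0, and otherwise skip them and start directly. `start_openhab`, `run`, `DRY_RUN` and `OPENHAB_HOME` are hypothetical names; the writability check on `userdata` is an assumption about what a non-root start needs once the chown is skipped.

```shell
#!/bin/sh
# Added sketch, NOT the openhab-docker entrypoint. start_openhab, run,
# DRY_RUN and OPENHAB_HOME are hypothetical names; USER_ID and GROUP_ID
# are the env vars mentioned in the thread.
set -eu

# Run a command, or only print it when DRY_RUN=1 (lets the plan be inspected).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# usage: start_openhab <effective-uid> <command> [args...]
start_openhab() {
  uid="$1"; shift
  home="${OPENHAB_HOME:-/openhab}"

  if [ "$uid" -eq 0 ]; then
    # Started as root: remap the account, fix ownership, then drop privileges.
    if [ -n "${GROUP_ID:-}" ]; then run groupmod --gid "$GROUP_ID" openhab; fi
    if [ -n "${USER_ID:-}" ]; then run usermod --uid "$USER_ID" openhab; fi
    run chown -R openhab:openhab "$home"
    run exec gosu openhab "$@"
    return
  fi

  # Started as an arbitrary non-root uid: groupmod/usermod/chown would fail
  # with "Permission denied", so skip them instead of aborting.
  if [ -n "${USER_ID:-}${GROUP_ID:-}" ]; then
    echo "warning: not root, ignoring USER_ID/GROUP_ID" >&2
  fi
  # Without chown the volume must already be writable for this uid.
  if [ ! -w "$home/userdata" ]; then
    echo "error: $home/userdata is not writable for uid $uid" >&2
    return 1
  fi
  run exec "$@"
}

# Entrypoint use: pass the real uid and the container command.
if [ "$#" -gt 0 ]; then
  start_openhab "$(id -u)" "$@"
fi
```

Setting `DRY_RUN=1` prints the commands each branch would run, which makes it easy to confirm that no privileged step is attempted for a non-root uid.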