opennms-forge / docker-minion

🐳 Docker container running the minion service
MIT License

Run as non-root by default #11

Closed agalue closed 6 years ago

agalue commented 6 years ago

Minion will run as root by default but it was designed to run as non-root, assuming the kernel is recent enough to allow the execution of ICMP requests for unprivileged users.

To run docker, you also need a recent kernel version, so it is entirely possible to run Minion as non-root. This might require some kernel tuning on the docker machine though, according to Minion's documentation (please let me know if a note on the README.md is required).

This small change makes sure to use the default minion user as the owner of the process to run minion as non-root.

syepes commented 6 years ago

@agalue @indigo423 I would have let the user select if the minion runs as "root" or "minion" using the env vars. What do you think?

@agalue By the way, what tuning / options did you use to allow it to work correctly as user = minion? I have tried "net.ipv4.ping_group_range=0 429496729" plus running the container in privileged mode, but I am still not able to use ICMP.

agalue commented 6 years ago

Hi @syepes, thanks a lot for your input.

I'm planning to update the README to provide better instructions about how to use the container to allow it to execute ICMP requests.

Certainly the docker machine should have the appropriate value for net.ipv4.ping_group_range, but that doesn't guarantee it will be passed to the container. In order for this to happen, you should use the --sysctl directive when executing docker run; for example:

docker run --sysctl "net.ipv4.ping_group_range=0 429496729" --rm --name minion -it \
 -e MINION_LOCATION=Apex \
 -e OPENNMS_BROKER_URL=tcp://192.168.205.1:61616 \
 -e OPENNMS_HTTP_URL=http://192.168.205.1:8980/opennms \
 opennms/minion:bleeding -f

That way, you should be able to execute pings. I tested it and it works.

In terms of running as root, you can use the --user directive, and in this case, you won't need the --sysctl directive; for example:

docker run --user 0 --rm --name minion -it \
 -e MINION_LOCATION=Apex \
 -e OPENNMS_BROKER_URL=tcp://192.168.205.1:61616 \
 -e OPENNMS_HTTP_URL=http://192.168.205.1:8980/opennms \
 opennms/minion:bleeding -f

Makes sense?
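The two commands above turn on the same distinction: either the container's own net.ipv4.ping_group_range covers the minion user's group, or the process runs as root and does not need it. The following preflight script is an added example, not code from the opennms-forge/docker-minion project; it reads the range as seen inside the current namespace (so it reflects what --sysctl actually passed into the container, not what the host has set) and reports whether the current group id may open unprivileged ICMP sockets. The script name ping-preflight.sh and the --check flag are assumptions of this example; the range value in the hint is the one used in the thread.

```shell
#!/bin/sh
# Added example (not part of opennms-forge/docker-minion): decide whether a
# given group id falls inside a net.ipv4.ping_group_range value. A non-root
# Minion can only send ICMP when its gid is inside this range.
# Returns 0 when allowed, 1 otherwise.
ping_group_allowed() {
    range="$1"   # e.g. the contents of /proc/sys/net/ipv4/ping_group_range
    gid="$2"     # group id of the process that will send ICMP
    set -- $range          # split "min max" into the function's positional params
    min="$1"; max="$2"
    # The kernel default "1 0" is an empty range: unprivileged ICMP is disabled.
    [ "$min" -le "$max" ] || return 1
    [ "$gid" -ge "$min" ] && [ "$gid" -le "$max" ]
}

# Read the range as seen *inside* this container/namespace and check the
# effective gid of the caller. Returns 0 when ICMP will work unprivileged,
# 1 when it is blocked, 2 when the sysctl cannot be read at all.
check_current() {
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null) || {
        echo "cannot read net.ipv4.ping_group_range" >&2
        return 2
    }
    gid=$(id -g)
    if ping_group_allowed "$range" "$gid"; then
        echo "ok: gid $gid may open unprivileged ICMP sockets (range: $range)"
    else
        echo "blocked: gid $gid is outside ping_group_range '$range'" >&2
        echo "hint: docker run --sysctl \"net.ipv4.ping_group_range=0 429496729\" ... or --user 0" >&2
        return 1
    fi
}

# Run the live check only when invoked as: sh ping-preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    check_current
fi
```

Running it with --check from inside the container before Minion starts (or as the first step of an entrypoint) gives an immediate answer instead of a silent ICMP failure later; the host's sysctl value is irrelevant to the result, which is exactly the point made in the comment above.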

syepes commented 6 years ago

@agalue Thanks man, I was setting these options on the host, not the container :-)

agalue commented 6 years ago

You're very welcome. And, that's exactly why adding those details to the README will be useful. I'll work on that soon.