temporalio / docker-builds

Temporal service Docker images build
https://hub.docker.com/r/temporaliotest/auto-setup
MIT License

Use uid 2000, not 1000, for GKE compatibility #244

Closed smcgivern closed 1 month ago

smcgivern commented 2 months ago

On GCP (and hence GKE), user IDs in the range 2000 to 4999 are available for custom users: https://cloud.google.com/container-optimized-os/docs/how-to/create-configure-instance#using_cloud-init_with_the_cloud_config_format

Choose an ID from the [2000, 4999] range to avoid collision with other user accounts.

This lets us use runAsNonRoot / runAsUser in a Kubernetes deployment, and I don't think (I hope?) most people won't care that the user ID changed.

Happy to just do this ourselves if we need to, but I figured it was worth a try upstream 🙂

CLAassistant commented 2 months ago

CLA assistant check
All committers have signed the CLA.

robholland commented 1 month ago

My impression is that whichever we use we are outside of some providers' acceptable ranges, but I'll do some more research here.

smcgivern commented 1 month ago

Yes, frustratingly I can't actually find a good list - even GCP doesn't have this documented particularly well.

robholland commented 1 month ago

I'm going to mark this wontfix for now, I don't think there is a safe range that works on all providers.
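
As an added illustration of the range rule quoted in this thread (not code from the pull request or the Temporal project): a shell function that tests a candidate container UID against an allowed range, defaulting to the [2000, 4999] range quoted above, and against the accounts in a passwd-format file. The function name `check_uid` and the sample passwd entries are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example: check a candidate container UID against an allowed range
# and against the accounts already present in a passwd-format file.

# check_uid PASSWD_FILE CANDIDATE [LOW HIGH]
# Return codes: 0 = in range and unused, 1 = outside range,
#               2 = already assigned to an account, 3 = bad input.
check_uid() {
    local passwd_file candidate low high owner
    passwd_file=$1
    candidate=$2
    low=${3:-2000}    # default range is the one quoted in the thread
    high=${4:-4999}

    # Reject anything that is not a plain decimal number.
    case $candidate in
        ''|*[!0-9]*) echo "invalid uid: '$candidate'" >&2; return 3 ;;
    esac
    [ -r "$passwd_file" ] || { echo "cannot read $passwd_file" >&2; return 3; }

    if [ "$candidate" -lt "$low" ] || [ "$candidate" -gt "$high" ]; then
        echo "uid $candidate: outside [$low, $high]"
        return 1
    fi

    # Field 3 of passwd(5) is the numeric UID; field 1 is the account name.
    owner=$(awk -F: -v u="$candidate" '$3 == u { print $1; exit }' "$passwd_file")
    if [ -n "$owner" ]; then
        echo "uid $candidate: already used by account '$owner'"
        return 2
    fi
    echo "uid $candidate: in range and unused"
    return 0
}

# Constructed sample passwd entries, not taken from a real node image.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nodeuser:x:1000:1000::/home/nodeuser:/bin/bash
agent:x:2001:2001::/home/agent:/usr/sbin/nologin
EOF

for candidate in 1000 2000 2001; do
    check_uid "$SAMPLE_PASSWD" "$candidate" || true
done
```

Because the thread concludes that no single range fits every provider, the range is passed as the optional third and fourth arguments so the same check can be repeated per environment.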