Hi,
From what I can see in https://github.com/geoserver/docker/blob/master/Dockerfile, there is no mechanism in place in the geoserver docker image to support running it as non-privileged user.
Is there a strong reason why not ? This is usually considered a good practice not to run the docker containers as root, if it can be prevented.
The geOrchestra geoserver image, for instance, runs as uid 999. But it is not using tomcat (uses jetty), which might change a bit the context, I no expert on tomcat, but I believe this should not be too complicated to set up.
I’d gladly spend some time working on the feature, if you see no objection to it and think it would be of interest.
Best
Jean
···
–
Jean Pommier – pi-Geosolutions
Ingénieur, consultant indépendant
Tél. : (+33) 6 09 23 21 36
E-mail : jp@anonymised.com
Web : www.pi-geosolutions.fr
linkedin : jean-pommier
Hi Jean,
yes, I guess you are right that currently there is no mechanism to do this and as there is no strong reason to not have it, it would be great to bring the Dockerfile forward here.
What comes to my mind in this context: Such changes could lead to incompatibilities/problems with the ownership on data (i.e. existing geoserver data dirs), but I’d be really happy to find a backward compatible solution.
So feel free to open a PR with such changes. We can discuss it then on github.
Best regards
Nils
···
On 9/10/24 09:36, Jean Pommier wrote:
Hi,
From what I can see in https://github.com/geoserver/docker/blob/master/Dockerfile, there is no mechanism in place in the geoserver docker image to support running it as non-privileged user.
Is there a strong reason why not ? This is usually considered a good practice not to run the docker containers as root, if it can be prevented.
The geOrchestra geoserver image, for instance, runs as uid 999. But it is not using tomcat (uses jetty), which might change a bit the context, I no expert on tomcat, but I believe this should not be too complicated to set up.
I’d gladly spend some time working on the feature, if you see no objection to it and think it would be of interest.
Best
Jean
–
Jean Pommier – pi-Geosolutions
Ingénieur, consultant indépendant
Tél. : (+33) 6 09 23 21 36
E-mail : jp@anonymised.com
Web : www.pi-geosolutions.fr
linkedin : jean-pommier
_______________________________________________
Geoserver-devel mailing list
[Geoserver-devel@lists.sourceforge.net](mailto:Geoserver-devel@anonymised.comsourceforge.net)
[https://lists.sourceforge.net/lists/listinfo/geoserver-devel](https://lists.sourceforge.net/lists/listinfo/geoserver-devel)
Hi Nils,
Thanks for the reply. Yes, I understand your concern.
Looking for backward-compatible solution, I’m thinking of a compromise: what about changing to an unprivileged user at the entrypoint stage ? This is less clean than doing it in the Dockerfile, but gives more flexibility, including the possibility to change ownership on the existing volumes.
I made a PR based on this scenario: https://github.com/geoserver/docker/pull/97/files
Best
Jean
···
Jean Pommier – pi-Geosolutions
Ingénieur, consultant indépendant
Tél. : (+33) 6 09 23 21 36
E-mail : jp@anonymised.com
Web : www.pi-geosolutions.fr
linkedin : jean-pommier
Le 10/09/2024 à 13:57, Nils Bühner a écrit :
Hi Jean,
yes, I guess you are right that currently there is no mechanism to do this and as there is no strong reason to not have it, it would be great to bring the Dockerfile forward here.
What comes to my mind in this context: Such changes could lead to incompatibilities/problems with the ownership on data (i.e. existing geoserver data dirs), but I’d be really happy to find a backward compatible solution.
So feel free to open a PR with such changes. We can discuss it then on github.
Best regards
Nils
On 9/10/24 09:36, Jean Pommier wrote:
Hi,
From what I can see in https://github.com/geoserver/docker/blob/master/Dockerfile, there is no mechanism in place in the geoserver docker image to support running it as non-privileged user.
Is there a strong reason why not ? This is usually considered a good practice not to run the docker containers as root, if it can be prevented.
The geOrchestra geoserver image, for instance, runs as uid 999. But it is not using tomcat (uses jetty), which might change a bit the context, I no expert on tomcat, but I believe this should not be too complicated to set up.
I’d gladly spend some time working on the feature, if you see no objection to it and think it would be of interest.
Best
Jean
–
Jean Pommier – pi-Geosolutions
Ingénieur, consultant indépendant
Tél. : (+33) 6 09 23 21 36
E-mail : jp@anonymised.com
Web : www.pi-geosolutions.fr
linkedin : jean-pommier
_______________________________________________
Geoserver-devel mailing list
[Geoserver-devel@lists.sourceforge.net](mailto:Geoserver-devel@lists.sourceforge.net)
[https://lists.sourceforge.net/lists/listinfo/geoserver-devel](https://lists.sourceforge.net/lists/listinfo/geoserver-devel)
_______________________________________________
Geoserver-devel mailing list
[Geoserver-devel@lists.sourceforge.net](mailto:Geoserver-devel@lists.sourceforge.net)
[https://lists.sourceforge.net/lists/listinfo/geoserver-devel](https://lists.sourceforge.net/lists/listinfo/geoserver-devel)