[Geoserver-devel] run docker container as non-root user

Hi,

From what I can see in https://github.com/geoserver/docker/blob/master/Dockerfile, there is no mechanism in place in the geoserver docker image to support running it as non-privileged user.

Is there a strong reason why not? This is usually considered a good practice not to run the docker containers as root, if it can be prevented.

The geOrchestra geoserver image, for instance, runs as uid 999. But it is not using tomcat (uses jetty), which might change a bit the context. I am no expert on tomcat, but I believe this should not be too complicated to set up.

I’d gladly spend some time working on the feature, if you see no objection to it and think it would be of interest.

Best

Jean

Jean Pommier – pi-Geosolutions

Ingénieur, consultant indépendant

Tél. : (+33) 6 09 23 21 36
E-mail : jp@anonymised.com
Web : www.pi-geosolutions.fr
linkedin : jean-pommier

Hi Jean,

yes, I guess you are right that currently there is no mechanism to do this and as there is no strong reason to not have it, it would be great to bring the Dockerfile forward here.

What comes to my mind in this context: Such changes could lead to incompatibilities/problems with the ownership on data (i.e. existing geoserver data dirs), but I’d be really happy to find a backward compatible solution.

So feel free to open a PR with such changes. We can discuss it then on github.

Best regards
Nils

On 9/10/24 09:36, Jean Pommier wrote:

_______________________________________________
Geoserver-devel mailing list
[Geoserver-devel@lists.sourceforge.net](mailto:Geoserver-devel@lists.sourceforge.net)
[https://lists.sourceforge.net/lists/listinfo/geoserver-devel](https://lists.sourceforge.net/lists/listinfo/geoserver-devel)

Hi Nils,

Thanks for the reply. Yes, I understand your concern.

Looking for a backward-compatible solution, I’m thinking of a compromise: what about changing to an unprivileged user at the entrypoint stage? This is less clean than doing it in the Dockerfile, but gives more flexibility, including the possibility to change ownership on the existing volumes.

I made a PR based on this scenario: https://github.com/geoserver/docker/pull/97/files

Best

Jean

Jean Pommier – pi-Geosolutions

Ingénieur, consultant indépendant

Tél. : (+33) 6 09 23 21 36
E-mail : jp@anonymised.com
Web : www.pi-geosolutions.fr
linkedin : jean-pommier
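
The entrypoint-stage privilege drop discussed in this thread, sketched as an added example; it is not code from the thread, from PR 97, or from the geoserver/docker repository. The variable names `RUN_AS_UID`, `RUN_AS_GID` and `DATA_DIR` are hypothetical, and the script assumes `setpriv` (util-linux) and a `stat` that supports `-c` are available in the image.

```shell
#!/bin/sh
# Added illustration; not the geoserver/docker entrypoint.
# RUN_AS_UID, RUN_AS_GID and DATA_DIR are hypothetical variable names.

# Numeric owner of a path (GNU coreutils or BusyBox stat).
owner_uid() { stat -c '%u' "$1"; }

# Print the action the entrypoint must take. Args: current uid, target uid, data dir.
#   already-dropped  started unprivileged (e.g. docker run --user): nothing to drop
#   stay-root        no target uid requested: previous behaviour is kept
#   chown-then-drop  existing data dir belongs to another uid
#   drop             data dir is already owned by the target uid
plan_privdrop() {
    cur=$1 target=$2 dir=$3
    if [ "$cur" -ne 0 ]; then echo already-dropped; return 0; fi
    case $target in
        ''|0) echo stay-root; return 0 ;;
        *[!0-9]*) echo "invalid uid: $target" >&2; return 2 ;;
    esac
    if [ "$(owner_uid "$dir")" -ne "$target" ]; then
        echo chown-then-drop
    else
        echo drop
    fi
}

entrypoint() {
    uid=${RUN_AS_UID:-}
    gid=${RUN_AS_GID:-$uid}
    data=${DATA_DIR:?DATA_DIR must be set}
    plan=$(plan_privdrop "$(id -u)" "$uid" "$data") || exit 2
    case $plan in
        stay-root|already-dropped) exec "$@" ;;
        chown-then-drop) chown -R "$uid:$gid" "$data" ;;
    esac
    # setpriv (util-linux) switches uid/gid and clears supplementary groups,
    # then execs the server, so no root-owned parent process remains.
    exec setpriv --reuid="$uid" --regid="$gid" --clear-groups "$@"
}

# Runs only when a command is passed, as Docker does with CMD.
if [ "$#" -gt 0 ]; then entrypoint "$@"; fi
```

Leaving `RUN_AS_UID` unset keeps the container running as root, which is what preserves compatibility with existing root-owned data directories in this sketch.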

On 10/09/2024 at 13:57, Nils Bühner wrote:
