OKD kubernetes - non-root user #148

Open
Rezorl opened this issue Jun 20, 2024 · 5 comments

Comments


Rezorl commented Jun 20, 2024

Is it possible to build a geoserver image so that it works for a non-root user? I don't know the user's ID and group at the image building level, only when the container is launched. The image will run on OKD Kubernetes. There is a custom_build.sh file for building your own geoserver image. Is it possible to use this image for this problem?

@randomorder randomorder self-assigned this Jun 20, 2024
@randomorder
Member

Hi @Rezorl
Yes, sure. By default the image does not run as root but with a "tomcat" user with UID 1000 and GID 1000. That is configurable in the Dockerfile https://github.com/geosolutions-it/docker-geoserver/blob/master/Dockerfile#L65-L67 or by specifying a build argument at build time to override the defaults.

Author

Rezorl commented Jun 21, 2024

Hi @randomorder

Thanks for the answer!

I am trying to run geoserver version geosolutionsit/geoserver:2.24.4 on OKD. I get an error:
From container logs:
image
From file /usr/local/tomcat/logs/localhost.2024-06-21.log:
image

The user who runs the container:
image

Access on files/folders:
image

Why am I getting a permission denied error? What do I need to do to solve the problem?

@mbartosi

Basically this is a situation like this:
docker run --user $UID:$GID ...
but we don't know UID and GID in advance. And those are dynamically set to different values in different namespaces under OKD.

Contributor

camuffo commented Jul 12, 2024

Hi @Rezorl.
You get the error because the user can't write in the data directory.

If I understand correctly, your UID is random. I'm not sure if it also changes every time the Pod is restarted.
If the UID is somewhat "static" you might be able to leverage the fsGroup setting.

If fsGroup doesn't work for your case, you can chown the data dir contents using an initContainer, so before GeoServer starts.
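
A Pod manifest showing the two options named in the comment above, as an added example that is not part of the thread or of the docker-geoserver repository. The UID/GID 1000650000, the PVC name, the busybox image and the /data/geoserver mount path are constructed placeholders; only the GeoServer image tag comes from the thread.

```yaml
# Added example (constructed), not taken from the docker-geoserver repository.
apiVersion: v1
kind: Pod
metadata:
  name: geoserver
spec:
  securityContext:
    # Option 1 from the thread: fsGroup. For volume types that support it, the
    # kubelet makes the volume group-owned by this GID and group-writable, and
    # adds the GID to the containers' supplementary groups.
    # 1000650000 is a constructed value; under OKD's restricted SCC it has to
    # fall inside the range allowed for the namespace.
    fsGroup: 1000650000
    # Skip the recursive ownership change when the volume root already matches.
    fsGroupChangePolicy: OnRootMismatch
  initContainers:
    # Option 2 from the thread: chown the data dir before GeoServer starts.
    # chown needs root, so the pod's service account must be allowed an SCC
    # that permits runAsUser 0; the restricted SCC does not.
    - name: chown-datadir
      image: busybox:1.36              # assumption: any image with chown works
      command: ["sh", "-c", "chown -R 1000650000:1000650000 /data/geoserver"]
      securityContext:
        runAsUser: 0
      volumeMounts:
        - name: datadir
          mountPath: /data/geoserver
  containers:
    - name: geoserver
      image: geosolutionsit/geoserver:2.24.4   # version from the thread
      securityContext:
        # Constructed UID: the one GeoServer runs as in this namespace. It is
        # pinned here so it matches the owner set by the initContainer.
        runAsUser: 1000650000
      volumeMounts:
        - name: datadir
          # Placeholder path: use the data directory the image is configured with.
          mountPath: /data/geoserver
  volumes:
    - name: datadir
      persistentVolumeClaim:
        claimName: geoserver-datadir   # hypothetical PVC name
```

The two options are alternatives: when fsGroup is enough to make the volume writable, the initContainers block can be dropped and the pod stays within a non-root SCC.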


mbartosi commented Jul 12, 2024 via email
