🐛 <Running Docker Container As Non-Root> #1074
Comments
What are the permissions for the mounted volumes?
They are all owned by the host user 'arm' part of group 'arm'. I used these respective UID and GID to pass into the container. The actual files shared as volumes were chown arm:arm recursively, including the hidden files. Here is the docker file that works. When I try to uncomment the user statement, it breaks with the error mentioned in the original post.
Using a custom build which only installs the required tools and compiles the code needed to enable Intel Quicksync. No other modifications to any scripts or anything. Using the current tag of the docker image.
I've encountered some similar issues when trying to get it running on my TrueNAS host. There is a project "Truecharts" providing apps as Kubernetes Helm charts. They provide ARM too, which is basically the docker container wrapped into a Helm chart and some glue configs for a "pretty" config UI. For a while their CI for updates of the container seems to fail due to the inaccessibility of the home directory for user "arm", which in their case gets mapped to "apps" (UID/GID 568). AFAIK no one over there has looked at the issue (yet), but I highly doubt the PVC mounted as home for user "arm" was set with the wrong permissions, as they strictly stick to some common settings for all apps they provide, ensuring functional setups (at least in that regard).
At the moment, there has been limited testing with use of Docker-Compose, although I have started doing some work on that for V3.0 in the dev branch. Currently ARM requires root permissions for the access required to the system host. As far as I am aware, we have limited the permissions where we can, but some root access is required. If you can get ARM working and reduce the permissions please do, and raise a PR or post the proposed changes here. As always, reducing permissions to only those required is important.
That does answer quite a few questions :) I use docker-compose with pretty much everything, so happy to test out things as we get close with development. If I find spots to reduce the permissions, to eventually get to running everything as a regular user, will certainly submit information.
One thought I had about this is the issue with mounting devices - according to my research The Just a thought, sorry if I didn't explain it properly.
While I agree with your idea in general and see the benefits, I don't agree that most ripping machines are dedicated hardware. As this got available as an "app" on TrueNAS (as stated in my previous comment), more and more people will use it as such. But relying on docker-external host mods will completely break the setup for those. So I'd say doing that is not really an option :/
Is there an existing issue for this?
Does this issue exist in the latest version?
Describe the bug?
When I attempt to run a container with the UID and GID of the arm user on the docker host, I receive errors.
Here is the addition to my docker-compose.yml file --- user: '1002:1003'.
Here is the error:
I have the docker image running perfectly as the root user with Intel QSV acceleration, however, I am trying to see if it's possible to run this in a more secure manner.
To Reproduce
See description.
Built from source files ?
What architecture are you seeing the problem on?
amd64
Expected behavior?
Should be able to run as a non-root user.
Relevant log output
No response
Anything else?
No response
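The report above gives the Compose change (user: '1002:1003') but the error text itself is missing, so nothing here claims to fix this issue. What follows is an added example, not code from the ARM project or from anyone in the thread: the Compose settings a practitioner would try before conceding root. It runs the container as the host user's UID/GID and adds the numeric GIDs of the groups that own the device nodes, because the container's own /etc/group knows nothing about host group names. Assumed for the example: /dev/sr0 is owned by group cdrom and /dev/dri/renderD128 (the Intel QSV render node) by group render (names and GIDs vary by distro; check with stat -c '%G' on the host), the /etc/group text is constructed, and Compose's user, group_add and devices keys are used as documented.

```shell
#!/bin/sh
# Added example, not code from the ARM project or the thread.
# Assumptions: /dev/sr0 is group-owned by `cdrom`, /dev/dri/renderD128 by
# `render` (check with `stat -c '%G' /dev/sr0` on the real host); the Compose
# keys `user:`, `group_add:` and `devices:` behave as documented.
# SAMPLE_GROUP is a constructed stand-in for `cat /etc/group`.

# gid_of NAME: read /etc/group-formatted lines on stdin, print the GID of NAME.
# Exits non-zero when the group does not exist so callers can fail loudly.
gid_of() {
    awk -F: -v name="$1" '$1 == name { print $3; found = 1 } END { exit !found }'
}

# compose_fragment UID GID GROUPTEXT NAME=DEVICE...
# Prints the service keys for a non-root container that must open the given
# device nodes: run as UID:GID, add the numeric GID of each owning group
# (host group names mean nothing inside the container), and pass the devices.
compose_fragment() {
    uid=$1; gid=$2; grouptext=$3; shift 3
    printf '    user: "%s:%s"\n' "$uid" "$gid"
    printf '    group_add:\n'
    for pair in "$@"; do
        name=${pair%%=*}
        g=$(printf '%s\n' "$grouptext" | gid_of "$name") || {
            printf 'group %s not found in group file\n' "$name" >&2
            return 1
        }
        printf '      - "%s"\n' "$g"
    done
    printf '    devices:\n'
    for pair in "$@"; do
        dev=${pair#*=}
        printf '      - "%s:%s"\n' "$dev" "$dev"
    done
}

# Constructed /etc/group excerpt; the `arm` user (GID 1003, as in the report)
# is a member of the device-owning groups on the host, but that membership is
# not visible to the container, which is why group_add carries the numbers.
SAMPLE_GROUP='root:x:0:
cdrom:x:24:arm
video:x:44:arm
render:x:110:arm
arm:x:1003:'

# Stand-alone run: emit the fragment for the UID/GID from the report.
compose_fragment 1002 1003 "$SAMPLE_GROUP" cdrom=/dev/sr0 render=/dev/dri/renderD128
```

Whether this is enough for ARM depends on what its entrypoint does as root, which the maintainer above says is still required: group_add only covers ownership of device nodes, not capabilities such as CAP_SYS_ADMIN for mounting or anything the scripts write under /dev or /etc, and every directory the image expects to write (the arm user's home, media and log paths) must be owned or writable by the chosen UID, which is the symptom described in the TrueNAS report above.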