Support Docker image running rootless #54

Conversation

bishtawi

I run all my Docker images rootless and unfortunately the binary doas requires running as root. I understand why you are using it, as the vast majority of people run Docker images as root and dropping to an unprivileged user when running the actual binary is a good idea. But for people who are already running rootless, doas becomes a problem instead of a solution.

The solution to satisfy both parties is to only use doas when running as root. If not root, then run the binary directly.

@Chocobo1
Member

Could you provide instructions on how you run docker rootless?

@bishtawi
Author

So I run Podman and specifically I use the option --userns=keep-id. It tends to resolve (but not always) the file permission issues with directory bind mounts as it matches the container user/group ids to the host's. And it has the added benefit that inside the container nothing is running with uid 0.

I'm not running qbittorrent on Kubernetes, but back when I was deploying stuff there, I usually used the following config for all my pods:

securityContext:
  allowPrivilegeEscalation: false
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  capabilities:
    drop:
      - ALL

This ensured that the containers were running as non-root and if I can I try to make my containers as locked down as possible (read only filesystem, no root, no unnecessary capabilities, etc).

On Docker I see there is the --user=1000:1000 argument to run a container with a specific uid/gid, which I would think more people would use, but seeing all the PUID and PGID env var support in many images, I guess not.

In general, if the process inside a container has no need to run as uid 0, then I like to force it NOT to run with uid 0. With qbittorrent, there is no need to run the container as root. The only limitation is the doas call in the bootstrap script. The vast majority of users won't change the default settings, so I totally get why it's there, but I see no harm in updating the script to support the scenario where the container has already been started as non-root.
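The root-or-not branch the pull request proposes, as an added example rather than the project's own bootstrap script; it assumes the unprivileged account is named qbtUser, the binary is qbittorrent-nox, and the PUID/PGID environment variables mentioned above carry the requested ids:

```shell
#!/bin/sh
# Added example, not the project's entrypoint. Shows the logic the PR asks
# for: drop privileges with doas only when the container started as uid 0,
# otherwise run the binary directly. Assumed names: user "qbtUser",
# binary "qbittorrent-nox", env vars PUID/PGID.

# Return 0 (true) when doas is needed, i.e. the process is uid 0.
#   $1 = numeric uid of the entrypoint process (normally "$(id -u)")
needs_doas() {
    [ "$1" -eq 0 ]
}

# PUID/PGID can only be honoured by root, since changing an account's ids
# needs privileges. Return 0 when the requested ids can be applied (we are
# root) or already equal the current ids; 1 when they would be ignored.
#   args: cur_uid cur_gid want_uid want_gid
puid_ok() {
    if needs_doas "$1"; then return 0; fi
    [ "$1" -eq "$3" ] && [ "$2" -eq "$4" ]
}

# Entry point as a bootstrap script would call it (not run by the test).
run_app() {
    cur_uid="$(id -u)"; cur_gid="$(id -g)"
    if ! puid_ok "$cur_uid" "$cur_gid" "${PUID:-$cur_uid}" "${PGID:-$cur_gid}"; then
        echo "warning: not root, PUID/PGID ignored; running as $cur_uid:$cur_gid" >&2
    fi
    if needs_doas "$cur_uid"; then
        # Root (default docker run): doas works and drops to qbtUser.
        exec doas -u qbtUser qbittorrent-nox "$@"
    else
        # Already non-root (podman --userns=keep-id, docker --user=1000:1000,
        # Kubernetes runAsNonRoot): doas would fail, so exec directly.
        exec qbittorrent-nox "$@"
    fi
}
```

With --userns=keep-id the uid inside the container is the host user's, so the second branch is taken and the warning only fires if PUID/PGID disagree with it.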
