Allow running as non-root #353

Open
ibotty opened this issue Feb 17, 2021 · 5 comments

ibotty commented Feb 17, 2021

It is possible to run OpenHAB without being root. You will have to jump through some hoops to do so though. It would be great not to have to do that.

Would you consider a pull request adding the option to run the image as a different uid?

Member

wborn commented Feb 17, 2021

It already runs openHAB as a non root "openhab" user that you can specify using the USER_ID and GROUP_ID env vars.

See: https://github.com/openhab/openhab-docker#environment-variables

Author

ibotty commented Feb 17, 2021

That's not entirely correct:

++ test -t 0
++ echo true
+ interactive=true
+ set -euo pipefail
+ IFS='
        '
+ '[' limited = unlimited ']'
+ rm -f /openhab/runtime/instances/instance.properties
+ rm -f /openhab/userdata/tmp/instances/instance.properties
+ NEW_USER_ID=3f1e5ad9-5389-4eba-92c7-cde61560f459
+ NEW_GROUP_ID=0
+ echo 'Starting with openhab user id: 3f1e5ad9-5389-4eba-92c7-cde61560f459 and group id: 0'
Starting with openhab user id: 3f1e5ad9-5389-4eba-92c7-cde61560f459 and group id: 0
+ id -u openhab
++ getent group 0
+ '[' -z root:x:0: ']'
++ getent group 0
++ cut -d: -f1
+ group_name=root
+ echo 'Rename group root to openhab'
Rename group root to openhab
+ groupmod --new-name openhab root
groupmod: Permission denied.
groupmod: cannot lock /etc/group; try again later.

This can be worked around with some effort. Also the (version-) update script hardcodes a check for uid 0.

Member

wborn commented Feb 17, 2021

Yes it does some initial setup as "root" so users can use a custom UID/GID for the "openhab" user, e.g. so it matches those of a user on the host. Afterwards it uses gosu to run openHAB as "openhab". Would you like to skip that setup part when running as non-root user? It probably already has sufficient permissions to do the upgrade as "openhab" user.

Author

ibotty commented Feb 17, 2021

Yes. That's what I mean. In some environments running as non-root is required. The image is generally suitable for that but not quite.

I propose to skip this setup (in the entrypoint) when not running as root. In the upgrade script I would simply warn that it's not running as root or simply drop the check altogether.

Member

wborn commented Feb 18, 2021

Yes that makes sense to also support such a setup for users who prefer the extra security over customizing UID/GIDs. Skipping the chown command in that case will make the container also start a lot faster on SBCs with slow storage.
