Page MenuHomePhabricator
Create Task
Maniphest T122621

Run docker containers as non-root users
Closed, InvalidPublic
Actions

Description

Currently, mediawiki-containers runs each container as root. The mariadb container then starts mariadb as a mysql user inside the container, which happens to have a uid of 999.

It would be desirable to

  1. run all daemons in containers as non-root users, and
  2. have more control over how data, configuration files and logs are owned.

I created a WIP patch for running the mediawiki container as an arbitrary uid via docker run -u <uid> at https://github.com/wikimedia/mediawiki-docker/pull/1. However, the flexibility comes at the price of having to make /var/{run,lock}/apache2 world-writable.

A safer approach might be to start the container itself as root, but then drop privileges to a specified uid after chown'ing specific filesystem locations to the runtime user.

Long term: User namespaces

The longer term solution should be user namespaces, which have now arrived as an experimental feature in docker 1.9. However, this isn't ready for production yet, and wider roll-out is blocking on Linux gaining the ability to remap uid ranges in bind mounts.

Related Objects
Search...

Event Timeline

GWicke created this task.Dec 29 2015, 10:33 PM
GWicke raised the priority of this task from to Medium.
GWicke updated the task description. (Show Details)
GWicke added a project: MediaWiki-Containers.
GWicke subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 29 2015, 10:33 PM
GWicke set Security to None.Dec 29 2015, 10:33 PM
GWicke added a project: Services.
GWicke updated the task description. (Show Details)
GWicke edited subscribers, added: Pchelolo; removed: Aklapper.
GWicke added subscribers: yuvipanda, bd808, Joe, ori.Dec 29 2015, 11:00 PM
jayvdb subscribed.Jan 7 2016, 2:39 AM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:45 PM
GWicke moved this task from Backlog to later on the Services board.Jul 12 2017, 5:24 PM
GWicke edited projects, added Services (later); removed Services.
GWicke added a parent task: T170456: FY2017/18 Program 6 - Outcome 2 - Objective 3: Integrated, container-based development environment.Jul 12 2017, 6:40 PM
mobrovac added a project: Platform Team Legacy (Later).Dec 20 2018, 12:07 PM
Pchelolo closed this task as Invalid.Jul 11 2019, 12:43 AM

This ticket is related to a mediawiki-containers with all the services prototype that was a part of investigation about how viable it is to make a minikube-based dev environment. Not relevant anymore.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL