-
This is not a bug. OneDev currently does not support running as a non-root user inside a container.
-
| Name | Previous Value | Current Value |
| --- | --- | --- |
| Type | Bug | Improvement |
-
| Previous Value | Current Value |
| --- | --- |
| Underprivileged container user | Able to run OneDev as unprivileged user in docker |
-
| Previous Value | Current Value |
| --- | --- |
| Able to run OneDev as unprivileged user in docker | Able to run OneDev as unprivileged user in container |
-
How about creating a second docker image of OneDev? Like a 1dev/server:rootless-$VERSION?
-
Rootles container (OD-52) Discarded
-
Just feedback after quick evaluation in Kubernetes:
- Sadly, this issue is no-go for me
- I noticed too broad cluster permissions (hope, it can run with namespaced role, see Woodpecker)
- Seems OneDev doesn't run in an IPv6-only environment, but it is probably not OneDev's fault: it looks like Hazelcast messes with the address. It adds the port to the address and then it cannot be parsed, because there are no [].
- If it's still using the file & kubectl approach, consider calling the Kubernetes API via a library.
With no offense, project is promising, wish you luck 🤘
| Type | Improvement |
| Priority | Normal |
| Assignee | |
| Labels | No labels |
Issue Votes (1)
In many Kubernetes environments it is a best practice to set the container user to be some arbitrary underprivileged UID. For example, this is a requirement on OpenShift.
I am trying to deploy onedev using Helm, with these values:
The pod crashes, with the following logs:
This is because in the Dockerfile, code is stored in /root: https://code.onedev.io/onedev/server/~files/bf56093cc4231963397f69d6a2f402d5715d87e9/server-product/docker/Dockerfile.server?position=source-25.1-25.32-1
My recommendation is to put code inside container images in a world-readable directory, for example, /app, /usr/local/bin, or /opt/onedev.
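A way to check an image for the condition this issue describes, as an added example that is not part of the original report or OneDev's own code: the function lists every path that would stop an arbitrary non-root UID from reading an application directory. The function name `blocked_paths` and its `ROOTFS` argument are assumptions made for this sketch, and it looks only at the "other" permission bits, not at group membership or ACLs.

```shell
#!/bin/sh
# Added example (not OneDev code): report what would keep an arbitrary
# non-root UID from using an application directory inside an image.
# Only the "other" permission bits are checked, matching the
# world-readable recommendation; groups and ACLs are ignored.

# blocked_paths APP_DIR [ROOTFS]
#   APP_DIR  directory holding the application code
#   ROOTFS   (hypothetical parameter) where the walk up the ancestors
#            stops, e.g. the directory an image was unpacked into;
#            defaults to /
# Prints one line per problem and nothing when APP_DIR is usable.
blocked_paths() {
    app_dir=${1%/}
    rootfs=${2:-/}
    rootfs=${rootfs%/}

    # 1. Each ancestor needs o+x, otherwise the path cannot be traversed.
    #    A directory like /root (mode 0700) fails here.
    p=$(dirname "$app_dir")
    while [ -n "$p" ] && [ "$p" != "$rootfs" ] && [ "$p" != "/" ]; do
        # -prune: test the directory itself, do not descend into it
        if [ -z "$(find "$p" -prune -perm -001 2>/dev/null)" ]; then
            printf 'no-traverse %s\n' "$p"
        fi
        p=$(dirname "$p")
    done

    # 2. Inside APP_DIR, directories need o+rx and files need o+r.
    find "$app_dir" -type d ! -perm -005 2>/dev/null | sed 's/^/dir-closed /'
    find "$app_dir" -type f ! -perm -004 2>/dev/null | sed 's/^/file-unreadable /'
}

# Stand-alone use: sh check.sh /path/to/rootfs/opt/onedev /path/to/rootfs
if [ "$#" -gt 0 ]; then
    blocked_paths "$@"
fi
```

An empty result means the directory passes this check; write access to data directories at runtime is a separate question the check does not cover.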