Add Docker build target for container that doesn't run as root #174
base: main
Running `docker build --target no-root` will build a container image without sudo and as the user/group `chia`. UID and GID can be adjusted with the UID and GID build-arg parameters.

Gotchas:

* if volumes are mounted in the container, they must have open read/write permissions if the host uid:gid for them is different than the container's, or they must have the same uid:gid as the container
* if the volumes are mounted but the intervening directories in the mount path inside the container do not exist, docker will create those directories as root:root by default, this will break permissions
the lint errors reported are not caused directly by this PR, but older code that may have existed before the linters were enabled

This PR has been flagged as stale due to no activity for over 60
LGTM to address the security issues of #163
It would be very, very nice to not run as root, especially in a Kubernetes environment.
#163

Add a Dockerfile target `no-root` that will run chia blockchain binary as user/group `chia:chia` and does not have `sudo` installed. Final target in the Dockerfile allows building a container that runs as root and has `sudo`. People building the container can set the UID/GID that chia:chia will map to at build time. End users running the container must ensure that permissions work out properly for mounted directories in the chia:chia user/group if they are using the non-root container. This means either matching chia:chia's UID/GID with the host system user's UID/GID or modifying directory permissions on the host to allow read/writes by others (writes may be required for storing config files in a host-mounted directory)

New no-root version with UID/GID matching the current user can be built with

```
docker build -t <tags> --build-arg UID=$(id -u) --build-arg GID=$(id -g) --build-arg BRANCH=<target version> --target no-root -f Dockerfile .
```
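The permission rule stated in the PR description's gotchas and repeated in the commit message (a host directory mounted into the non-root container must either belong to the same uid:gid as `chia:chia` or be writable by others) can be checked on the host before `docker run`. The script below is an added example, not code from this PR or the chia-docker project; it assumes a Linux host with GNU coreutils `stat`, and the function names `volume_writable_by` and `check_volumes` are the example's own.

```shell
#!/bin/sh
# Preflight check for the volume-permission gotcha described in this PR.
# Added example, not code from the chia-docker project or this PR. Assumes a
# Linux host with GNU coreutils (`stat -c`) where `docker run` is executed.
#
# A bind-mounted host directory keeps its host owner, group and mode bits, and
# the container's chia user is just a numeric uid:gid to the kernel, so the
# usual rules decide whether the no-root container can write into it:
#   owner matches the uid      -> user write bit must be set
#   else group matches the gid -> group write bit must be set
#   else                       -> other write bit must be set
# (Supplementary groups are ignored; the image's chia user has only chia.)
set -eu

# volume_writable_by UID GID HOSTPATH
# Returns 0 if a process running as UID:GID could write into HOSTPATH,
# 1 if it could not or if HOSTPATH is not a directory.
volume_writable_by() {
    vw_uid=$1; vw_gid=$2; vw_path=$3
    [ -d "$vw_path" ] || return 1
    # owner uid, group gid and octal mode of the directory, e.g. "1000 1000 755"
    set -- $(stat -c '%u %g %a' "$vw_path")
    vw_owner=$1; vw_group=$2; vw_mode=$3
    # Keep the last three octal digits (drops setuid/setgid/sticky), zero-padded.
    vw_perms=$(printf '%03d' "$((vw_mode % 1000))")
    vw_u=${vw_perms%??}                   # user digit
    vw_g=${vw_perms#?}; vw_g=${vw_g%?}    # group digit
    vw_o=${vw_perms#??}                   # other digit
    if [ "$vw_owner" -eq "$vw_uid" ]; then
        vw_bits=$vw_u
    elif [ "$vw_group" -eq "$vw_gid" ]; then
        vw_bits=$vw_g
    else
        vw_bits=$vw_o
    fi
    [ $((vw_bits & 2)) -ne 0 ]            # the write bit is 2 in each octal digit
}

# check_volumes UID GID HOSTPATH...
# Reports every host path UID:GID could not write to; returns 0 only if all
# of them are writable, so it can gate a `docker run -v ...` invocation.
check_volumes() {
    cv_uid=$1; cv_gid=$2; shift 2
    cv_rc=0
    for cv_path in "$@"; do
        if volume_writable_by "$cv_uid" "$cv_gid" "$cv_path"; then
            echo "ok: $cv_path is writable by $cv_uid:$cv_gid"
        else
            echo "BLOCKED: $cv_path is not writable by $cv_uid:$cv_gid" \
                 "(chown it to $cv_uid:$cv_gid, chmod o+rwx it, or rebuild" \
                 "the image with --build-arg UID/GID matching the owner)" >&2
            cv_rc=1
        fi
    done
    return $cv_rc
}

# Usage: sh check-volumes.sh UID GID /host/dir...
# Pass the same UID and GID the image was built with (the --build-arg values).
if [ $# -ge 3 ]; then
    check_volumes "$@" || exit 1
fi
```

Run it with the UID and GID passed as build-args, for example `sh check-volumes.sh $(id -u) $(id -g) ~/.chia ~/plots`, before handing the same paths to `-v`. The second gotcha (Docker creating missing intermediate directories as root:root) is not something a host-side check can fix; it is avoided on the image side by creating the mount point in the Dockerfile and chowning it to chia:chia before the `USER` instruction, so Docker never has to create it.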