Run as non root user

[timlinux]

It would be nice if the container ran as e.g. apache or other non-priveledged user....

[mbernasocchi]

@timlinux part of it is already done, https://github.com/gem/oq-qgis-server/blob/master/start-xvfb-nginx.sh#L55
we'd need to add the USER directive to the dockerfile as well.

[mbernasocchi]

@daniviga what do you think?

[daniviga]

You can run the FCGI process as different user, but not the entire container (e.g. passing -u). It should not be complex to make it user-friendly. At least I see that:

• We need to put nginx running dirs (/var/lib/nginx, /var/log/nginx) on 777, since we can't predict the UID and GUID
• We need to move away from port 80 since it cannot be bind by non-root users

However, does it worth the effort when the container runs perfectly fine in rootless mode? (Podman is your friend!) @vot4anto may have opinions here

[daniviga]

If someone (@timlinux?) wants to test it: https://github.com/daniviga/oq-qgis-server/tree/usermode

Please note that nginx is now exposed on 8080:

podman run --user 1000 --rm -ti -v $(pwd)/conf/qgis-server-nginx.conf:/etc/nginx/nginx.conf -v $(pwd)/test/data:/io/data -p 8010:8080 qgis

[vot4anto]

Rootless is also available from docker: https://docs.docker.com/engine/security/rootless/
We can avoid to do modification if the container runs perfectly fine in rootless mode either with docker and podman.
It is necessary to add the USER directive to Dockerfile? Because at gem we always use the container with docker-compose and set on the yaml file of the compose all the necessary environment

[mbernasocchi]

@timlinux did you get the chance to try @daniviga's work?

[JakobMiksch]

is this issue still relevant?