[docker] Run tomcat as non-root user #442
Conversation
jeanpommier
changed the title
|
@jeanpommier can we merge ? how to test ? |
|
Regarding testing, I have no testing proposal for that, except deploy an image configured that way and check it works well on a georchestra from scratch. About merging, the fun thing is that since previous mapstore containers will have run as root, this will need to chmod the data volumes, otherwise the tomcat 999 user won't be able to write anything. So if we do that, it would be good to do it jointly with a release and add instructions in the upgrade doc. But security-wise, yes, it would be nice to follow the same security policy as the rest of the platform: don't run the containers as root, at least when we don't need it |
|
I'm testing it right now, it seems to be working well, provided that your mapstore datadir is writable by user 999. I can see a small change that may be unwanted in this PR, I'm going to update it's code, it might interfer with the GH action build process |
|
Closing this one, you can merge the update one, #612 |
Based on PR georchestra#442 Updated according to suggestions from @edevos on PR georchestra#612
Based on PR georchestra#442 Updated according to suggestions from @edevosc2c on PR georchestra#612
All georchestra images run as a non-privileged user (uid 999). For a better consistency, and better security practices, I propose we do the same here, run the tomcat server as non-privileged user 999
Addresses #403