Run tomcat as non-root user

[jeanpommier]

update based on PR #442

[jeanpommier]

@pierrejego I believe we can merge this PR.

We will need to document in the migration notes that the mapstore writable datadir needs to be writable by UID/GID 999 (for the docker version)

[edevosc2c]

Could you allow changing the UID and GID at build time?

You can do it with something like this:

ARG USER_GID=999
ARG USER_UID=999
RUN addgroup --gid ${USER_GID} tomcat && \
    adduser --system  -u ${USER_UID} --gid ${USER_GID} --no-create-home tomcat && \
    chown -R ${USER_UID}:${USER_GID} /usr/local/tomcat

[jeanpommier]

Hi @edevosc2c . Can you explain why for ?

The idea is to run the georchestra official docker image, right ? Since this applies at build time, it means that to get different settings one would still have a build a custom image. I don't see the added value

[pmauduit]

Can you explain why for ?

it looks like because of georchestra/georchestra#4071

[edevosc2c]

Hi @edevosc2c . Can you explain why for ?

The idea is to run the georchestra official docker image, right ? Since this applies at build time, it means that to get different settings one would still have a build a custom image. I don't see the added value

It's a standard thing in docker images to allow anyone to set UID and GID at build time.
It doesn't hurt to add it.

On top of that, you have just one line/one place to change the UID and GID in case it's needed.

[edevosc2c]

Note: Once #671 will be merged, there will be a need here to add after RUN mkdir -p /docker-entrypoint.d this line:

RUN chown tomcat:tomcat /docker-entrypoint.d

Otherwise, the copy in this script won't work: https://github.com/georchestra/mapstore2-georchestra/pull/671/files#diff-1b0bf6d59703af25ba177c67baa3686a4aa1846098b91e7ff32375e0f4eb43eaR10

[jeanpommier]

Hi,
Sorry I had left this PR untidy. I've updated the PR according to your suggestions @edevosc2c.
Does it look OK to you ?

[edevosc2c]

good for merging