[MDEV-25497] rootl(full?) container images and singularity compatibility - Jira

Details

Type: Task
Status: Closed (View Workflow)
Priority: Minor
Resolution: Not a Bug
Fix Version/s: N/A
Component/s: Docker
Labels:
None

Description

Apparently the best practice to achieve rootless is:

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user

So USER=mysql in the container file.

given https://github.com/MariaDB/mariadb-docker/blob/master/docker-entrypoint.sh#L350 is the only usage of gosu, and its conditional, I'm note sure why the previous folks didn't do it. I'll ask.

Interesting interactions need investigating
https://github.com/MariaDB/mariadb-docker/issues/363#issuecomment-824496833

Attachments

Activity

Ascending order - Click to sort in descending order

Daniel Black added a comment - 2021-04-23 08:07

and consider https://github.com/MariaDB/mariadb-docker/pull/348

Daniel Black added a comment - 2021-04-23 08:07 and consider https://github.com/MariaDB/mariadb-docker/pull/348

Daniel Black added a comment - 2021-05-20 06:11

At the moment its looks like the entrypoint can be run as root and non-root users.

running as arbitrary user works - https://github.com/MariaDB/mariadb-docker/issues/363#issuecomment-824496833

Probably can't change without breaking compatibility

Daniel Black added a comment - 2021-05-20 06:11 At the moment its looks like the entrypoint can be run as root and non-root users. running as arbitrary user works - https://github.com/MariaDB/mariadb-docker/issues/363#issuecomment-824496833 Probably can't change without breaking compatibility

Daniel Black added a comment - 2022-01-29 07:24

Need to look closer at singularity (and found its a fedora package)

https://github.com/MariaDB/mariadb-docker/pull/348 was the original.

Daniel Black added a comment - 2022-01-29 07:24 Need to look closer at singularity (and found its a fedora package) https://github.com/MariaDB/mariadb-docker/pull/348 was the original.

Daniel Black added a comment - 2022-02-03 08:31

Comments on pull request, but once I specified a datadir volume and scratch space (or changed the socket/pid-file to the datadir), it started fine.

copied main comment from PR
By using a volume for the datadir, and using --scratch /var/run/mysqld, prevents [ERROR] Can't start server : Bind on unix socket: Read-only file system. The scratch space isn't enough for a full datadir. Alternately instead of scratch, you can also specify --socket=/var/lib/mysql/mariadb.sock --pid-file=/var/lib/mysql/mariadb.pid

Starting as non-root.

$ sudo rm -rf mydatadir && mkdir mydatadir

$ singularity run --no-home --bind $HOME/mydatadir:/var/lib/mysql --env MARIADB_RANDOM_ROOT_PASSWORD=1 --net --network-args "portmap=3308:3306/tcp" --fakeroot --scratch=/run/mysqld docker://mariadb:10.5
...

Daniel Black added a comment - 2022-02-03 08:31 Comments on pull request, but once I specified a datadir volume and scratch space (or changed the socket/pid-file to the datadir), it started fine. copied main comment from PR By using a volume for the datadir, and using --scratch /var/run/mysqld, prevents [ERROR] Can't start server : Bind on unix socket: Read-only file system. The scratch space isn't enough for a full datadir. Alternately instead of scratch, you can also specify --socket=/var/lib/mysql/mariadb.sock --pid-file=/var/lib/mysql/mariadb.pid Starting as non-root. $ sudo rm -rf mydatadir && mkdir mydatadir $ singularity run --no-home --bind $HOME/mydatadir:/var/lib/mysql --env MARIADB_RANDOM_ROOT_PASSWORD=1 --net --network-args "portmap=3308:3306/tcp" --fakeroot --scratch=/run/mysqld docker://mariadb:10.5 ...

People

Assignee:: Daniel Black

Reporter:: Daniel Black

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2021-04-23 08:00

Updated:: 2022-02-03 08:31

Resolved:: 2022-02-03 08:31

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server