Details
-
Task
-
Status: Closed (View Workflow)
-
Minor
-
Resolution: Not a Bug
-
None
Description
Apparently the best practice to achieve rootless is:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
So USER=mysql in the container file.
given https://github.com/MariaDB/mariadb-docker/blob/master/docker-entrypoint.sh#L350 is the only usage of gosu, and its conditional, I'm note sure why the previous folks didn't do it. I'll ask.
Interesting interactions need investigating
https://github.com/MariaDB/mariadb-docker/issues/363#issuecomment-824496833
Attachments
Activity
At the moment its looks like the entrypoint can be run as root and non-root users.
running as arbitrary user works - https://github.com/MariaDB/mariadb-docker/issues/363#issuecomment-824496833
Probably can't change without breaking compatibility
Need to look closer at singularity (and found its a fedora package)
https://github.com/MariaDB/mariadb-docker/pull/348 was the original.
Comments on pull request, but once I specified a datadir volume and scratch space (or changed the socket/pid-file to the datadir), it started fine.
|
copied main comment from PR |
By using a volume for the datadir, and using --scratch /var/run/mysqld, prevents [ERROR] Can't start server : Bind on unix socket: Read-only file system. The scratch space isn't enough for a full datadir. Alternately instead of scratch, you can also specify --socket=/var/lib/mysql/mariadb.sock --pid-file=/var/lib/mysql/mariadb.pid
|
|
|
Starting as non-root.
|
|
|
$ sudo rm -rf mydatadir && mkdir mydatadir
|
|
|
$ singularity run --no-home --bind $HOME/mydatadir:/var/lib/mysql --env MARIADB_RANDOM_ROOT_PASSWORD=1 --net --network-args "portmap=3308:3306/tcp" --fakeroot --scratch=/run/mysqld docker://mariadb:10.5
|
...
|
and consider https://github.com/MariaDB/mariadb-docker/pull/348