Add ability to run augur container as a non-root user #3131
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: John Strunk <[email protected]>
Signed-off-by: John Strunk <[email protected]>
Signed-off-by: John Strunk <[email protected]>
Allow setting cache directories and other paths via environment variables, update docker-compose.yml and Dockerfile to reflect these changes, and make other related changes to improve flexibility and consistency. Signed-off-by: John Strunk <[email protected]>
Uncomment user and post_start commands in docker-compose.yml to ensure the arbitrary non-root user has access to necessary volumes, enhancing security and preventing potential permission issues with /facade, /logs, /config, and /cache directories. Signed-off-by: John Strunk <[email protected]>
Update keyman Dockerfile to install pip with --no-cache-dir, add ENV PYTHONUNBUFFERED for straight to terminal output, and set logger to output to stdout with a specified format in Orchestrator.py. Also, update docker-compose.yml to run keyman as a non-root user and add keyman service. Signed-off-by: John Strunk <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR provides the ability to run the augur backend container as an arbitrary non-root user. This is important for running on OpenShift where the userid is not known until runtime, and containers are not permitted to run as uid 0.
The majority of the changes are related to moving R/W files such as config and log files out of the source tree and into paths that will have data volumes mounted. The
docker-compose.ymlwas updated to provide the required volumes.File permissions during the build process were also updated so that non-root users will have read access.
I also changed the build steps for
scorecardandsccto directlygo installthem instead of manually checking out the repo and runninggo buildon the local copy.This PR fixes #3107
Notes for Reviewers
/tmpdirectory). I'm happy to modify this PR to that model if you can provide some guidance about what's important to keep and what is ephemeral.Signed commits