Run container with a non root user #24635

Closed
wants to merge 1 commit into from

@antonydenyer antonydenyer commented Apr 4, 2022

Note this is potentially a breaking change for some users: the default data directory changes from /root/.ethereum to /home/geth/.ethereum

Initially raised in Consensys/quorum#1367

Note this is potentially a breaking change for some users
The default data directory changes from /root/.ethereum
to /home/geth/.ethereum


Signed-off-by: Antony Denyer <[email protected]>
@ligi
Member

ligi commented Apr 4, 2022

Thanks! The breaking change is most likely a dealbreaker though - will discuss it in triage tomorrow. If you have any idea on how to do it in a backward compatible way, that would be helpful and increase chances this will be considered.

@antonydenyer
Author

Thanks @ligi

It's possible to allow the geth user access to /root/.ethereum but it feels a little bit wrong 😃

The other possibility is to copy any existing data over on startup but that would mean either:

  • adding an entryscript and the complexities that involves (happy to implement this if that's the way to go)
  • doing something in geth to specifically check /root/.ethereum and do the copy 🤮

I'd say it's pretty common/best practice for people to map a volume and specify the --datadir. Worst case nothing terrible happens. You re-sync?! Something in your keystore is missing, so you need to copy them over manually.

@karalabe
Member

karalabe commented Apr 5, 2022

We've discussed this many many times over and will not accept this change. It breaks potentially everybody's workflow who use Geth via docker containers (just search the issue tracker for all the issues we've closed with this).

If you'd like to run Geth in docker with a non-root user, you can specify it during runtime https://docs.docker.com/engine/reference/run/#user. If there's some permission issue inside the docker container with /root/.ethereum, you can just specify --datadir to point to a different location and map it accordingly from the outside.

Creating a user internally doesn't really solve any problem, because it will have UID 1000, which will work for some systems where you only have a single user (e.g. Ubuntu), but if you share the OS with multiple users, then 1000 is an arbitrary lottery as to who will have access and you'd need to specify explicitly from the outside anyway. Unfortunately this is a limitation of docker and not messing with the users is at least predictable from our side.
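
The runtime approach described in the comment above (a `--user` override plus a `--datadir` pointed at a mapped volume), as an added example that is not part of the original thread or the project's own code. The image name `ethereum/client-go`, the `/data` mount point and the helper names are assumptions, and `stat -c` assumes GNU or BusyBox `stat`.

```sh
#!/bin/sh
# Added example: start geth in Docker as the invoking non-root user,
# with the data directory mapped from the host.
set -eu

IMAGE="ethereum/client-go"       # assumed image name, not taken from the thread
DATADIR_IN_CONTAINER="/data"     # hypothetical mount point inside the container

# Succeeds only if <host_dir> exists and is owned by <uid>.
# A mismatch here is the "UID lottery" problem: the container user
# would not be able to write to the mapped directory.
owned_by() {  # owned_by <host_dir> <uid>
  [ -d "$1" ] && [ "$(stat -c %u "$1")" = "$2" ]
}

# Prints the docker invocation for <uid>:<gid>; refuses uid 0.
geth_cmd() {  # geth_cmd <host_dir> <uid> <gid>
  if [ "$2" -eq 0 ]; then
    echo "refusing to start geth as uid 0" >&2
    return 1
  fi
  echo "docker run --rm --user $2:$3 -v $1:$DATADIR_IN_CONTAINER $IMAGE --datadir $DATADIR_IN_CONTAINER"
}

# Creates the host directory if needed, checks ownership, then starts geth.
run_geth() {  # run_geth <host_dir>
  mkdir -p "$1"
  uid="$(id -u)"
  gid="$(id -g)"
  if ! owned_by "$1" "$uid"; then
    echo "$1 is not owned by uid $uid" >&2
    return 1
  fi
  cmd="$(geth_cmd "$1" "$uid" "$gid")"
  echo "+ $cmd"
  exec $cmd   # relies on word splitting: <host_dir> must not contain whitespace
}

# Only start the container when a host directory is given as an argument.
if [ "$#" -ge 1 ]; then
  run_geth "$1"
fi
```

Because the UID and GID are taken from the caller at run time, the files written under the mapped directory belong to that host user rather than to a fixed in-image UID.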
