Auto-fix volume permissions#32
Conversation
Al2Klimov
force-pushed
the
bugfix/volume-permissions
branch
from
bdf4d74 to
f7cb100
Compare
|
Oh, and please test how this behaves w/ running as root being forbidden by K8s. |
Al2Klimov
force-pushed
the
bugfix/volume-permissions
branch
from
f7cb100 to
d5fb0cf
Compare
|
Any news? |
julianbrost
left a comment
julianbrost
left a comment
There was a problem hiding this comment.
I do not like the idea of adding custom suid binaries to the container. Writing them correctly is really hard and this just adds attack surface.
How do other Docker images handle this situation? Why can't the volume be created with the correct permissions? If we conclude that we indeed need to chown as root, this should be done by the entrypoint starting as root and then dropping permissions. This avoids the whole problem that the suid binary might have bugs that could allow to escalate privileges in the container.
|
We can't do this as some companies disallow root. |
|
I doubt they want a random suid binary either. It should be possible to build the entrypoint so that it only does chown if it's started as root. If you don't want that, you start the container with |
|
How do you run the container? |
3 participants
https://community.icinga.com/t/icinga2-docker-on-synology/5649