Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rootless & introduction of configuration service #2813

Open
Diman0 opened this issue May 8, 2023 · 0 comments
Open

Rootless & introduction of configuration service #2813

Diman0 opened this issue May 8, 2023 · 0 comments
Labels
type/enhancement Enhances existing functionality

Comments

@Diman0
Copy link
Member

Diman0 commented May 8, 2023

As discussed during last meeting, we want to move to rootless. This means we need a configuration (init) service/container that handles initializing all configuration.

We also discussed that this container could be used to handle configuring Mailu for the first time. We looked at the nextcloud all-in-one that is a good example.

I was thinking to do this in two phases (two PRs). Phase one implements the initial configuration service/container and moving to rootless. Phase two (a second PR after Phase one) will look into adding a configuration wizard and container management. We can discuss Phase two in a new issue after phase one is complete.

Phase one (this issue) requirements:

  • All services run rootless.
    • 'Run rootless' means that the CMD/ENTRYPOINT program (start.py) is started with a local user (with name mailu) that has no root privileges.
  • GID/UID for the Mailu user can be configured by the user.
    • This means that at least all host-mounted files/folders for each container must have the GID/UID of the user.
  • Initial configuration (jinja scripting) is handled by the configuration service.
  • Overrides are processed by the configuration service.

Implementation:

  • All mailu services (but the configuration service)
    • Start.py will be modified. After startup the container enters a while loop. In the while loop it will call an endpoint of the configuration service to check if the configuration service is done. When the configuration service is done, the endpoint will return a returncode 200 and the service will actually start.
  • configuration service
    • Uses the python docker api (the docker socket will be host mounted to enable this) for:
      • via docker api pull all configuration files
      • locally perform all jinja scripting.
      • If applicable, locally process the overrides.
      • via docker api push the initialized configuration files back to each service.
      • If applicable via docker exec process overrides on each service. E.g. for the postfix service (postconf -e ...)
      • Via docker exec, set the correct file permissions for each container to the mailu GID/UID.
    • Via flask, provide an endpoint that returns code 200 when it has finished doing the configuration.

Technically the configuration service can also run rootless. Via the docker exec functionality we can run commands as root.

@nextgens @ghostwheel42
Can you provide your thoughts. Do the requirements match with your idea what we discussed during last meeting?
I just want to make when I start with the above, it does align with what you were thinking.
@Diman0 Diman0 added the type/enhancement Enhances existing functionality label May 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/enhancement Enhances existing functionality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Diman0