🔦 Feature: support read-only and non-root docker containers #8347
Comments
It is not. Simply removing the untar (also from the other start scripts)

nocodb/packages/nocodb/docker/start-litestream.sh, lines 27 to 30 in 08dfcfa

and adding the following line to the Dockerfile at this position should suffice.

```dockerfile
RUN tar -xzf /usr/src/appEntry/app.tar.gz -C /usr/src/app/ && rm -f /usr/src/appEntry/app.tar.gz
```

I wonder what @pranavxc thinks.
We are keeping our build as a compressed tar file to reduce the overall size. On the first run we are extracting the build and then proceeding. We will check how we can make it support
@pranavxc Extracting on the first run is unfavorable in the case of a containerized app since the extraction is repeated on every container restart (unless I'm successfully using the above approach with the official Docker image, i.e.

```dockerfile
FROM nocodb/nocodb:latest
RUN tar -xzf /usr/src/appEntry/app.tar.gz -C /usr/src/app/ && rm -f /usr/src/appEntry/app.tar.gz
COPY --link --chown=0:0 mystartup.sh /usr/src/appEntry/start.sh
```

(where so I think it should work in general. Would you welcome a PR?
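An added example (not NocoDB's start script and not code posted in this thread): a POSIX sh guard a start script could use so that an image with the build already extracted, as in the Dockerfile above, starts without writing to the root filesystem, while an image that still ships the archive fails with a clear message when the filesystem is read-only. The function name `ensure_app` and its return codes are assumptions; the default paths are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example, not NocoDB's start script. Default paths are the ones quoted
# in this thread; the function name and return codes are assumptions.
#
# ensure_app [ARCHIVE] [DEST]
#   0 = app is ready to run
#   1 = no archive and DEST is empty (nothing to run)
#   2 = archive present but DEST or the archive directory is not writable,
#       e.g. read-only root filesystem or a non-root user without access
#   3 = tar failed
ensure_app() {
    archive=${1:-/usr/src/appEntry/app.tar.gz}
    dest=${2:-/usr/src/app}

    if [ ! -f "$archive" ]; then
        # Image was extracted at build time: startup needs no write at all.
        if [ -d "$dest" ] && [ -n "$(ls -A "$dest" 2>/dev/null)" ]; then
            return 0
        fi
        echo "ensure_app: no archive and $dest is empty" >&2
        return 1
    fi

    # Archive still shipped in the image: extraction needs write access to
    # DEST, and removing the archive needs write access to its directory.
    if [ ! -w "$dest" ] || [ ! -w "$(dirname "$archive")" ]; then
        echo "ensure_app: cannot extract $archive into $dest (not writable);" \
             "extract at image build time instead" >&2
        return 2
    fi

    if ! tar -xzf "$archive" -C "$dest"; then
        echo "ensure_app: extracting $archive failed" >&2
        return 3
    fi
    # Remove the archive so a restart of the same container is a no-op.
    rm -f "$archive"
    return 0
}

# In a start script: ensure_app || exit $?   (then exec the application)
```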
Your concerns make sense, I will have a look at the Dockerfile and get back to you. Skipping compression will increase the overall image size slightly; other than that there are no issues, but I will double-check.
@salim-b: I've reviewed it, and I suggest removing the compression part entirely from the Dockerfile and keeping the build in the extracted state. If you're interested in collaborating on this, please let me know, or I can handle this aspect. Regarding the
One way could be to just allow for easy non-root user usage. That way it's up to the user to migrate - if they want. But I think with good upgrade instructions it would not be that bad either. In the end it's just a
Please reopen this thread if you need further assistance
Please confirm if feature request does NOT exist already ?
Describe the usecase for the feature
For security reasons some companies require containers to be run as non-root and sometimes even in read-only mode. This usually is no bigger problem but nocodb seems to have a very unusual docker setup.
Setting this should work without bigger problems:
Suggested Solution
TBH I am not quite sure why an un-tar would be necessary at container startup at runtime over build time.
If possible the image should be set up correctly at build time.
And if some folders need special permissions this here could be a workaround:
Additional Context
No response