It seems like the expected configuration for the edgedb Docker Image is to start up as the "root" user and then use "gosu" to switch to a non-root user (such as "edgedb"). What I discovered was that if the directory /var/lib/edgedb/data existed and allowed a non-root user to access then the edgedb service can be started and run as a non-root user - no need to use root or gosu at all.
My specific Dockerfile is here:

```dockerfile
FROM edgedb/edgedb:4.5
RUN mkdir -p /var/lib/edgedb/data
RUN chown edgedb:edgedb /var/lib/edgedb/data
# set the USER here to ensure all future build and run commands are done as edgedb
USER edgedb
COPY ./dbschema /dbschema
```

If this is correct the challenge is in finding a way to ensure that the /var/lib/edgedb/data is writable by the user utilizing edgedb. This could be accomplished a few different ways:

- simply adding this snippet above to a README.md file (I'd be happy to do that)
- by having the image only support the edgedb user
- by making the /var/lib/edgedb/data world-writable

I actually don't know if this is worth pursuing but the solution we implemented potentially allowed a less complex and (at least in perception - where a certain large enterprise required we have a non-root user specified) more secure image based on the edgedb image.
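One way to check, before the server starts, the conditions the post above depends on (non-root user, data directory present and writable, and not world-writable as in the third option). This is an added example, not part of the original post or of the EdgeDB image; the function name `check_datadir` and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a container that starts as a non-root user.
# check_datadir and its return codes are hypothetical, not part of the EdgeDB image.
#
# Usage: check_datadir DIR [UID]
#   0  DIR exists, is writable by this process, and is not world-writable
#   1  DIR does not exist (a non-root process cannot create it under /var/lib)
#   2  DIR is not writable by this process (for example, a missing chown)
#   3  DIR is world-writable (any user in the container could alter the data)
#   4  the process is running as root (USER directive missing or overridden)
check_datadir() {
    dir=$1
    uid=${2:-$(id -u)}   # UID may be passed in for testing; defaults to the real one

    if [ "$uid" -eq 0 ]; then
        echo "running as root; expected a non-root USER" >&2
        return 4
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist" >&2
        return 1
    fi
    # Creating files in a directory needs both write and search permission.
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "$dir is not writable by this process" >&2
        return 2
    fi
    # -perm -0002 matches when the "other" write bit is set; -H resolves a symlinked DIR.
    if [ -n "$(find -H "$dir" -prune -perm -0002 2>/dev/null)" ]; then
        echo "$dir is world-writable" >&2
        return 3
    fi
    return 0
}

# In an entrypoint (path taken from the post above):
#   check_datadir /var/lib/edgedb/data || exit 1
```
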