Rootless Container Configuration
This page is dedicated to providing guidelines for configuring XDM container execution environment. It is important to understand the distinction between running a docker daemon in rootless mode and container execution users.
Running XDM on a Rootless Docker Daemon
The daemon user defines which host user runs containers. This defines the upper permission boundary containers can have.
| Running the docker daemon as root is not recommended due to security risks. |
For more detailed information on how to set up a rootless docker daemon environment, you can refer to the official documentation for both Docker and Kubernetes.
If you are using a rootless docker daemon, you need to override the Docker execution user to "0:0" for the containers core-server and dataflow-server in the docker-compose file.
More information on how to accomplish this can be found here: Override Execution User.
|
|
If you are using a rootless Podman daemon, additional settings needs to be done for container
|
Rootless Container Execution Users
The execution user is the user inside the container running the application. Below are instructions on handling the individual behavior of Docker and Kubernetes environments.
| For a Kubernetes environment, the default execution user is root. It is recommended to use a rootless execution user. To achieve this, you can follow the instructions below. |
The two variables, runRootless and migrateToRootless can be set to true.
runRootless lets the containers run as non-root users.
migrateToRootless automatically migrates the existing volumes to be owned by the new non-root user 1000:1000.
runRootless: true
migrateToRootless: true
If you set another user or group via Security context, then these settings will be used instead of the default user 1000:1000.
After the migration, the option migrateToRootless should be set to false to avoid unnecessarily running the temporary migration container with root privileges.
|
| For a Docker environment, the default execution user is 1000. |
The volume permissions must be adjusted to allow the non-root user access to the volumes.
Execute the following command on your host machine to change the ownership of the XDM volumes to user 1000 and group 1000:
sudo chown -R 1000:1000 /path/to/xdm/volumes
Replace /path/to/xdm/volumes with the actual path of your persistent XDM volumes.
|