Rootless Container Configuration

This page is dedicated to providing guidelines for configuring XDM container execution environment. It is important to understand the distinction between running a docker daemon in rootless mode and container execution users.

Running XDM on a Rootless Docker Daemon

The daemon user defines which host user runs containers. This defines the upper permission boundary containers can have.

Running the docker daemon as root is not recommended due to security risks.

For more detailed information on how to set up a rootless docker daemon environment, you can refer to the official documentation for both Docker and Kubernetes.

If you are using a rootless docker daemon, you need to override the Docker execution user to "0:0" for the containers core-server and dataflow-server in the docker-compose file. More information on how to accomplish this can be found here: Override Execution User.

If you are using a rootless Podman daemon, additional settings needs to be done for container web-ui in the docker-compose file, because Podman handles port mappings differently than docker.

  1. Two environment variables need to be set

  2. Depending on what port you are using for the UI, the port mapping needs to be adjusted.

    web-ui:
      ports:
        - "4280:8443"
      environment:
        - http_port=8080
        - https_port=8443

Rootless Container Execution Users

The execution user is the user inside the container running the application. Below are instructions on handling the individual behavior of Docker and Kubernetes environments.

  • Kubernetes

  • Docker

For a Kubernetes environment, the default execution user is root. It is recommended to use a rootless execution user. To achieve this, you can follow the instructions below.

The two variables, runRootless and migrateToRootless can be set to true.

runRootless lets the containers run as non-root users.

migrateToRootless automatically migrates the existing volumes to be owned by the new non-root user 1000:1000.

runRootless: true
migrateToRootless: true

If you set another user or group via Security context, then these settings will be used instead of the default user 1000:1000.

After the migration, the option migrateToRootless should be set to false to avoid unnecessarily running the temporary migration container with root privileges.
For a Docker environment, the default execution user is 1000.

The volume permissions must be adjusted to allow the non-root user access to the volumes.

Execute the following command on your host machine to change the ownership of the XDM volumes to user 1000 and group 1000:

sudo chown -R 1000:1000 /path/to/xdm/volumes
Replace /path/to/xdm/volumes with the actual path of your persistent XDM volumes.