Allow running tomcat as non-root
It is a good practice to allow running a container as unprivileged user. To preserve backward compatibility and provide flexibility, this feature is added at the entrypoint level and is set using environment variables. - RUN_UNPRIVILEGED=true activates the unprivileged mode with default uid:gid as 999:999 - RUN_WITH_USER_UID allows to set the uid used for tomcat user - RUN_WITH_USER_UID allows to set the gid used for tomcat group - CHANGE_OWNERSHIP_ON_FOLDERS accepts a space-separated list of folder on which a chmod will be run, changing (recursively) the ownership for the tomcat user.pull/97/head
Jean Pommier
parent
d2127af5a7
commit
245d346801
14
Dockerfile
14
Dockerfile
|
|
@ -39,6 +39,10 @@ ENV HEALTHCHECK_URL=''
|
|||
ENV INSTALL_EXTENSIONS=false
|
||||
ENV POSTGRES_JNDI_ENABLED=false
|
||||
ENV ROOT_WEBAPP_REDIRECT=false
|
||||
ENV RUN_UNPRIVILEGED=false
|
||||
ENV RUN_WITH_USER_UID=
|
||||
ENV RUN_WITH_USER_GID=
|
||||
ENV CHANGE_OWNERSHIP_ON_FOLDERS="/opt $GEOSERVER_DATA_DIR"
|
||||
ENV SKIP_DEMO_DATA=false
|
||||
ENV STABLE_EXTENSIONS=''
|
||||
ENV STABLE_PLUGIN_URL=$STABLE_PLUGIN_URL
|
||||
|
|
@ -62,7 +66,7 @@ WORKDIR /tmp
|
|||
RUN set -eux \
|
||||
&& export DEBIAN_FRONTEND=noninteractive \
|
||||
&& apt-get update \
|
||||
&& apt-get install -y --no-install-recommends openssl unzip curl locales gettext \
|
||||
&& apt-get install -y --no-install-recommends openssl unzip curl locales gettext gosu \
|
||||
&& apt-get clean \
|
||||
&& rm -rf /var/cache/apt/* \
|
||||
&& rm -rf /var/lib/apt/lists/* \
|
||||
|
|
@ -116,6 +120,14 @@ RUN apt purge -y \
|
|||
|
||||
RUN chmod +x /opt/*.sh && sed -i 's/\r$//' /opt/startup.sh
|
||||
|
||||
# # Create a non-privileged tomcat user
|
||||
# ARG USER_GID=999
|
||||
# ARG USER_UID=999
|
||||
# RUN addgroup --gid ${USER_GID} tomcat && \
|
||||
# adduser --system -u ${USER_UID} --gid ${USER_GID} --no-create-home tomcat && \
|
||||
# chown -R tomcat:tomcat /opt && \
|
||||
# chown tomcat:tomcat $GEOSERVER_DATA_DIR
|
||||
|
||||
ENTRYPOINT ["bash", "/opt/startup.sh"]
|
||||
|
||||
WORKDIR /opt
|
||||
|
|
|
|||
21
startup.sh
21
startup.sh
|
|
@ -167,4 +167,23 @@ if [ -n "$GEOSERVER_ADMIN_PASSWORD" ] && [ -n "$GEOSERVER_ADMIN_USER" ]; then
|
|||
/bin/sh /opt/update_credentials.sh
|
||||
fi
|
||||
|
||||
exec $CATALINA_HOME/bin/catalina.sh run -Dorg.apache.catalina.connector.RECYCLE_FACADES=true
|
||||
# Run as non-privileged user
|
||||
if [ "${RUN_UNPRIVILEGED}" = "true" ]; then
|
||||
echo "The server will be run as non-privileged user 'tomcat'"
|
||||
|
||||
RUN_WITH_USER_UID=${RUN_WITH_USER_UID:=999}
|
||||
RUN_WITH_USER_GID=${RUN_WITH_USER_GID:=${RUN_WITH_USER_UID} }
|
||||
|
||||
echo "creating user tomcat (${RUN_WITH_USER_UID}:${RUN_WITH_USER_GID})"
|
||||
addgroup --gid ${RUN_WITH_USER_GID} tomcat && \
|
||||
adduser --system -u ${RUN_WITH_USER_UID} --gid ${RUN_WITH_USER_GID} \
|
||||
--no-create-home tomcat
|
||||
|
||||
if [ -n "$CHANGE_OWNERSHIP_ON_FOLDERS" ]; then
|
||||
echo "Changing ownership accordingly ($CHANGE_OWNERSHIP_ON_FOLDERS)"
|
||||
chown -R tomcat:tomcat $CHANGE_OWNERSHIP_ON_FOLDERS
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
exec gosu tomcat $CATALINA_HOME/bin/catalina.sh run -Dorg.apache.catalina.connector.RECYCLE_FACADES=true
|
||||
|
|
|
|||
Loading…
Reference in New Issue