steve
/
geoserver
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #97 from pi-geosolutions/run_as_non_root 

Allow running tomcat as non-root
pull/102/merge
Nils Bühner 2024-10-07 11:12:50 +02:00 committed by GitHub
parent ef31e65f70 a306878d8a
commit bf317fddaf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 36 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Dockerfile
View File

@ -39,6 +39,10 @@ ENV HEALTHCHECK_URL=''
ENV INSTALL_EXTENSIONS=false ENV INSTALL_EXTENSIONS=false
ENV POSTGRES_JNDI_ENABLED=false ENV POSTGRES_JNDI_ENABLED=false
ENV ROOT_WEBAPP_REDIRECT=false ENV ROOT_WEBAPP_REDIRECT=false
ENV RUN_UNPRIVILEGED=false
ENV RUN_WITH_USER_UID=
ENV RUN_WITH_USER_GID=
ENV CHANGE_OWNERSHIP_ON_FOLDERS="/opt $GEOSERVER_DATA_DIR"
ENV SKIP_DEMO_DATA=false ENV SKIP_DEMO_DATA=false
ENV STABLE_EXTENSIONS='' ENV STABLE_EXTENSIONS=''
ENV STABLE_PLUGIN_URL=$STABLE_PLUGIN_URL ENV STABLE_PLUGIN_URL=$STABLE_PLUGIN_URL
@ -81,7 +85,7 @@ WORKDIR /tmp
RUN set -eux \ RUN set -eux \
&& export DEBIAN_FRONTEND=noninteractive \ && export DEBIAN_FRONTEND=noninteractive \
&& apt-get update \ && apt-get update \
&& apt-get install -y --no-install-recommends openssl unzip curl locales gettext \ && apt-get install -y --no-install-recommends openssl unzip curl locales gettext gosu \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/cache/apt/* \ && rm -rf /var/cache/apt/* \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
@ -139,6 +143,14 @@ RUN apt purge -y \
RUN chmod +x /opt/*.sh && sed -i 's/\r$//' /opt/startup.sh RUN chmod +x /opt/*.sh && sed -i 's/\r$//' /opt/startup.sh
# # Create a non-privileged tomcat user
# ARG USER_GID=999
# ARG USER_UID=999
# RUN addgroup --gid ${USER_GID} tomcat && \
# adduser --system -u ${USER_UID} --gid ${USER_GID} --no-create-home tomcat && \
# chown -R tomcat:tomcat /opt && \
# chown tomcat:tomcat $GEOSERVER_DATA_DIR
ENTRYPOINT ["bash", "/opt/startup.sh"] ENTRYPOINT ["bash", "/opt/startup.sh"]
WORKDIR /opt WORKDIR /opt

22
startup.sh
View File

@ -167,4 +167,26 @@ if [ -n "$GEOSERVER_ADMIN_PASSWORD" ] && [ -n "$GEOSERVER_ADMIN_USER" ]; then
/bin/sh /opt/update_credentials.sh /bin/sh /opt/update_credentials.sh
fi fi
# Run as non-privileged user
if [ "${RUN_UNPRIVILEGED}" = "true" ]
then
echo "The server will be run as non-privileged user 'tomcat'"
RUN_WITH_USER_UID=${RUN_WITH_USER_UID:=999}
RUN_WITH_USER_GID=${RUN_WITH_USER_GID:=${RUN_WITH_USER_UID} }
echo "creating user tomcat (${RUN_WITH_USER_UID}:${RUN_WITH_USER_GID})"
addgroup --gid ${RUN_WITH_USER_GID} tomcat && \
adduser --system -u ${RUN_WITH_USER_UID} --gid ${RUN_WITH_USER_GID} \
--no-create-home tomcat
if [ -n "$CHANGE_OWNERSHIP_ON_FOLDERS" ]; then
echo "Changing ownership accordingly ($CHANGE_OWNERSHIP_ON_FOLDERS)"
chown -R tomcat:tomcat $CHANGE_OWNERSHIP_ON_FOLDERS
fi
exec gosu tomcat $CATALINA_HOME/bin/catalina.sh run -Dorg.apache.catalina.connector.RECYCLE_FACADES=true
else
exec $CATALINA_HOME/bin/catalina.sh run -Dorg.apache.catalina.connector.RECYCLE_FACADES=true exec $CATALINA_HOME/bin/catalina.sh run -Dorg.apache.catalina.connector.RECYCLE_FACADES=true
fi