Add support for skipping the permission enforcement #41
Conversation
| understand what and why you're doing**. This allows qBittorrent-nox to run | ||
| in the environments where the user id is enforced outside of the | ||
| container. |
There was a problem hiding this comment.
"the user id is enforced outside of the container" what does it mean? Could you elaborate?
There was a problem hiding this comment.
e.g. with a following security context in kubernetes:
securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
qBitTorrent will be started as 1000:1000, and you won't be able to call doas, or, most probably, chown the files.
There was a problem hiding this comment.
qBitTorrent will be started as 1000:1000, and you won't be able to call doas, or, most probably, chown the files.
I see. But as you can see, it is supposed to be the container job to lower the privileges (run as non-root user) or at least this is the designated usage.
Docker also has similar directives: https://docs.docker.com/reference/dockerfile/#user but it is not supposed to be used when using this image. Our readme/manual has given exact steps of how to run it.
So you shouldn't use these security contexts in kubernetes when running this image, or are you not able to disable them?
|
Another question: If you strip all these functions then it is not too different than merely executing the binary directly. Are there still advantages of using docker container in this case? |
It still does the initial config bits, so I think it's somewhat more useful than just overriding the entrypoint. |
|
Done in 19e0318. |
This adds
QBT_IGNORE_PERMISSIONSto skip all the permission verification features of the entrypoint, mostly so that's it's usable in the restricted containers.