Change default user in the Docker image from root to couchdb

[mgangelov]

I would like to change the defualt running user in the couchdb image from root to couchdb. What that means is basically when I do docker exec into the container I log in as couchdb rather than root. This is mainly aimed with security concerns in mind - I don't wont everybody who can log into the container to be root.

Expected Behavior

Be able to log in as user couchdb.

Current Behavior

I tried adding USER couchdb before the ENTRYPOINT in the Dockerfile, however it seems that root access is needed for docker-entrypoint.sh, so it seems I can't do that on the Dockerfile side.

Possible Solution

Steps to Reproduce (for bugs)

Context

Limit the root access for people logging into the container

Your Environment

Using the 2.1.1 image.

• Version used: 2.1.1
• Browser Name and version:
• Operating System and version (desktop or mobile): Host system is Ubuntu 16.04
• Link to your project:

[wohali]

I don't see how this is possible. Without root access inside of the container, we can't fix ownership of files in mounted volumes, which is an issue, since Docker mounts volumes as root. Unless Docker behaviour changes, we're blocked on this one.

Feel free to propose something in a PR.

[mgangelov]

I actually just managed to do this by adding a USER couchdb tag after the ENTRYPOINT in the Dockerfile and also modifying exec gosu couchdb "$@" to exec "$@" in

couchdb-docker/2.1.1/docker-entrypoint.sh

Line 71 in 1f85f08

exec gosu couchdb "$@"

This successfully modifies the ownership of mounted volume and also sets the default user in the container to couchdb.

Not tested yet if this solution will have problems when the couchdb container is actually used.

[wohali]

I don't see how this can work, since these lines explicitly need to change ownership of files that may be mounted via -v on the docker launch line, files that aren't necessarily owned by the couchdb user.

[bgehman]

@wohali There has been a considerable focus in the community to get containers to start and run as non-root -- for example: Openshift requires this: https://docs.openshift.com/container-platform/3.3/creating_images/guidelines.html

By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.

The couchdb image currently requires itself to start as root -- then it quickly de-escalates down to non-root (the internal couchdb user) for its internal processes. Per the OpenShift docs, they recommend that container files be owned by the root group, so the files are still read/writeable when they start the container with an arbitrarily assigned UID -- which avoids dealing with the file ownership problem you mentioned...

[wohali]

A tested pull request that does the right thing and keeps the same uid/gid we currently use would be welcomed and considered seriously.