orientechnologies/orientdb-docker

Docker container should not run as root!

Opened this issue · 5 comments

Currently the docker container for orientdb runs as root and that means that the user has to grant the container access to the entire filesystem and that is super dangerous. The image should be changed to require a user named orientdb in the group docker to run properly. Then the instructions for install should be updated to say:

  * Create a database user: `sudo useradd -N -r orientdb -g docker -s /sbin/nologin`
  * Create directories: `sudo mkdir -p /var/orientdb/config /var/orientdb/databases /var/orientdb/backup`
  * Change directory ownership: `sudo chown -R orientdb:docker /var/orientdb`
  * Run OrientDB with docker: 
      docker run -d --name orientdb -p 2424:2424 -p 2480:2480 \
        -v config_path:/var/orientdb/config \
        -v databases_path:/var/orientdb/databases \
        -v backup_path:/var/orientdb/backup \
        -e ORIENTDB_ROOT_PASSWORD=root \
        -e ORIENTDB_NODE_NAME=odb1 \
        orientdb /orientdb/bin/server.sh  -Ddistributed=true

I think that this article explains very well how uid/gid are working inside a Docker container and in the host:

https://medium.com/@mccode/understanding-how-uid-and-gid-work-in-docker-containers-c37a01d01cf

The OrientDB team can improve the documentation, but more importantly, all the users should understand better how Docker works.

I don't understand then what is going on, because when I run orientdb it is DEFINITELY running as root and that is a security risk. I was only running the "latest" image in docker which is oddly the 2.2 release, not the 3.0. I believe you have to set USER in the Dockerfile.

I think you should describe an OrientDB user as the USER in the Dockerfile. Is there a 3.0+ release of the docker version yet?
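
A static check for the USER point raised in the comments above, as an added example that is not part of the thread or the project's own code: it reports which user the final stage of a Dockerfile leaves in effect. The function names, image names and sample Dockerfiles are constructed for illustration.

```shell
#!/bin/sh
# Print the last USER value of the final build stage, or "(inherited)" when
# that stage never sets USER (the base image's user, usually root, applies).
final_stage_user() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/  { next }                                  # comment line
        cont  { cont = ($0 ~ /\\$/); next }             # continued instruction
        /^$/  { next }
        { cont = ($0 ~ /\\$/) }
        toupper($1) == "FROM" { user = "(inherited)" }  # each stage starts over
        toupper($1) == "USER" { user = $2 }
        END { print (user == "" ? "(inherited)" : user) }
    ' "$1"
}

# Succeed only when the value names a non-root account
# (user name or UID, with an optional :group suffix).
is_nonroot() {
    case "${1%%:*}" in
        "(inherited)"|root|0) return 1 ;;
        *'$'*)                return 1 ;;   # variable reference: not provable here
        *)                    return 0 ;;
    esac
}

audit_dockerfile() {
    u=$(final_stage_user "$1")
    if is_nonroot "$u"; then
        echo "OK   $1: final stage runs as $u"
    else
        echo "FAIL $1: final stage user is $u"
        return 1
    fi
}

# Constructed sample Dockerfiles (not the project's real ones).
tmp=$(mktemp -d)
printf '%s\n' 'FROM example/jre:8' 'RUN mkdir /orientdb' \
    'CMD ["server.sh"]' > "$tmp/no-user"
printf '%s\n' 'FROM example/jdk:8 AS build' 'USER builder' 'RUN make \' \
    '  USER=x all' 'FROM example/jre:8' 'COPY --from=build /out /orientdb' \
    > "$tmp/multistage"
printf '%s\n' 'FROM example/jre:8' 'RUN useradd -r orientdb' \
    'USER orientdb:orientdb' 'CMD ["server.sh"]' > "$tmp/nonroot"

for f in no-user multistage nonroot; do audit_dockerfile "$tmp/$f" || true; done
```

A result of `(inherited)` means the base image decides the user, and `docker run --user` can still override whatever the image sets at runtime.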

How do you get past the permissions denied error upon deployment of OrientDB?

I could only run it without docker.