[WIP] Rootless docker

[sapk]

Following #4749

Currently work with the default user git pid (1000)

The main blocking adjustment to use the --user docker flag to adjust running user is various check of the user by gitea but also by sub process like ssh-keygen in #7128

[lunny]

If docker user internal SSH server, it's not needed

[das7pad]

While it is not needed for the single process setup, removing it would break existing setups.

[sapk]

@das7pad yes but it is for the setup part so if we don't need it anymore we don't need to create it if it doesn't exist.

[das7pad]

For folks who backup the entire /data/git directory it is not a problem. But for those who just backup non-generated files, read only the repositories directory, the .ssh directory would be missing upon restore.

[zeripath]

But the internal sshserver doesn't use the .ssh directory...

[das7pad]

I was thinking about the third example in #7129 (review).
I know that the files in the .ssh directory are only needed to get the spawned sshd-childs talk with the correct gitea instance.

[codecov-io]

Codecov Report

Merging #7129 into master will decrease coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #7129      +/-   ##
==========================================
- Coverage   41.57%   41.57%   -0.01%     
==========================================
  Files         446      446              
  Lines       60848    60841       -7     
==========================================
- Hits        25299    25295       -4     
+ Misses      32265    32264       -1     
+ Partials     3284     3282       -2

Impacted Files	Coverage Δ
models/ssh_key.go	46.01% <100%> (+0.2%)	⬆️
modules/setting/setting.go	48.51% <100%> (+0.17%)	⬆️
modules/log/log.go	69.36% <0%> (-2.71%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5d3177d...ba98261. Read the comment docs.

[das7pad]

This breaks almost every usage of the docker image.

Some broken usage examples:

• all of the 'official' docker-compose configs
  https://docs.gitea.io/en-us/install-with-docker/
• docker run -d -p 80:3000 -p 2222:22 gitea/gitea
• running sshd in the container to get the gitea binary
  • run gitea with git user
  • run sshd with root

[das7pad]

/app/gitea is owned by root.

Suggested change

#chmod 0755 /app/gitea

[sapk]

Yes and I don't think it is a problem. I will recheck but that a good point that the process inside the containre couldn't change content inside /app/gitea

[das7pad]

This seems to be an unrelated change. Can we move the change into a new PR?

[sapk]

It is a needed change because openssh does un-needed system check (that fail in this configuration with --user flag) for calculating the fingerprint of the key. I allready separate this in an other PR #7128

[das7pad]

What system check is failing for you?

I setup a test with alpine and the --user flag, but can not see any error.

https://gist.github.com/das7pad/62b58bfb67da516542992d8bf5744446

[sapk]

If you pass an uid/gid (numerical) that doesn't exist inside the container it should failed.

[das7pad]

Seems to be a bug fix? Let's move it into a new PR.

[sapk]

Done in #7215

[das7pad]

While it is not needed for the single process setup, removing it would break existing setups.

[das7pad]

How about adding a new image variant for the proposed changes?

For example gitea/gitea:root-less, gitea/gitea:1-root-less, gitea/gitea:1.8-root-less

This would allow any existing deployment to stay as is. And folks which require additional hardening of the container can use the new variant.

With a reasonable delay we can eventually swap the default tag: gitea/gitea:root-less-> gitea/gitea:latest.

[sapk]

@das7pad the docs will need to be updated to follow some changed needed to the run command in some cases but it should be able to reuse the same data folder.
I like the idea to have a transition tag to not enforce this rootless image at start.

[das7pad]

Manual ownership changes to the ssh directory in the data volume are needed.

[das7pad]

The ssh-hostkeys are owned by root and locked down to root only read access. The internal ssh-server will not be able to read them as git user.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions.

[westurner]

Rather than try and maintain/rebase this separate branch, would it be easier to:

• leave the existing config in
• check for an environment variable like GITEA_ROOTLESS in the setup and entrypoint scripts
• create a templates/app_rootless.ini

[sapk]

@westurner I would suggest more to define a rootless tagged image that could become the main later but would ease the transition and allow us to break some pattern existing in the current image.

[alexanderadam]

@westurner I would suggest more to define a rootless tagged image that could become the main later but would ease the transition and allow us to break some pattern existing in the current image.

I like this idea.

When the rootless image is working (i.e. two months without new issues on the rootless image) the 'legacy root' image could show a warning in the frontend (i.e. Hey, we are now switching to a proper rootless image. You should migrate, too. Click here for more information on how to migrate).

[sapk]

Yes and this transition duration would help us write a migration guide (like changing owner, possible change of key signature of ssh server, ...)

[sapk]

I will send another PR that will replace this one for a image tagged rootless

[sapk]

The fixes related to help remove external deps (openssh) are already merged (in separe PR) and the rootless part of this PR is moved to a new PR (non breaking by using an other tag -rootless)