Use of su-exec now requires container be started as root #2907
Comments
Hi, thanks for the heads-up. TBH the Dockerfile situation is pretty frustrating, there have been some breaking changes in the past and every iteration seems to have problems.
Yea this isn't kubernetes-specific. My docker-compose which enforces uid & gid = 1000 broke too.
Looking through the minio issue I saw that they have a fallback for the su-exec command, which works for @st3iny since Kubernetes should take care of the permissions. But would probably also need a fallback for the chown in that case.
I prefer the current solution because it makes the image more self-contained and secure by default. In my opinion, using security contexts is more of a crutch to fix overprivileged containers/apps. I was also able to drop my init container that I added to fix the default permissions inside the persistent volume. This change should just be communicated in a clear way because this change breaks some setups and requires manual intervention to fix. It is already documented in the release notes but it wouldn't hurt to amend the wiki as well (e.g. here and here).
I added some details based on my limited understanding. Wiki is publicly editable, correcting/improving information is highly appreciated.
Good to know! I amended the kubernetes page with some more information.
Well then let me pass a thank you on, being able to maintain my own server to sync to is one of the things I adore about Trilium. Apologies that doing so has been so frustrating.
I'm closing this issue because it is documented well enough now.
Trilium Version
0.52.2
What operating system are you using?
Other Linux
What is your setup?
Server access only
Operating System Version
Kubernetes
Description
There was a breaking change in #2864 that breaks Kubernetes setups which use a securityContext to change the uid. This also potentially breaks dockerfiles and docker-compose setups that try to change the uid.
The binary su-exec has to be run as root. Otherwise, there will be errors on execution like
su-exec: setgroups: Operation not permitted
and the app won't start. I'm fine with this change but encourage you to add it to the release notes.
This is a common issue, e.g. minio/minio#7773
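The fallback discussed in the comments (skip su-exec and chown when the container was not started as root) can be expressed as a small entrypoint script. The following is an added example, not Trilium's own Dockerfile or entrypoint: the data directory path, the TRILIUM_UID/TRILIUM_GID/TRILIUM_DATA_DIR variable names and the default uid/gid of 1000 are assumptions, and the command to launch is passed in as the script's arguments.

```shell
#!/bin/sh
# Added example entrypoint (hypothetical, not Trilium's own): drop privileges
# with su-exec only when the container actually starts as root. When docker
# --user, a docker-compose "user:" line or a Kubernetes securityContext already
# set a non-root uid, both chown and su-exec would fail with
# "Operation not permitted", so they are skipped and the command is exec'd as-is.
set -eu

# Assumed defaults; override via the environment.
: "${TRILIUM_DATA_DIR:=/home/node/trilium-data}"
: "${TRILIUM_UID:=1000}"
: "${TRILIUM_GID:=1000}"

# Decide how the app must be launched for the uid the container runs as.
# Prints "su-exec" when the process is root and should drop privileges,
# "direct" when it is already unprivileged and must be exec'd unchanged.
launch_mode() {
    current_uid="$1"
    if [ "$current_uid" -eq 0 ]; then
        echo su-exec
    else
        echo direct
    fi
}

# Create the data directory; fix its ownership only when running as root,
# because a non-root chown of a volume would fail.
prepare_data_dir() {
    current_uid="$1"
    dir="$2"
    mkdir -p "$dir"
    if [ "$(launch_mode "$current_uid")" = su-exec ]; then
        chown -R "$TRILIUM_UID:$TRILIUM_GID" "$dir"
    fi
}

main() {
    uid="$(id -u)"
    prepare_data_dir "$uid" "$TRILIUM_DATA_DIR"
    if [ "$(launch_mode "$uid")" = su-exec ]; then
        # Started as root: ownership is fixed, now drop to the unprivileged user.
        exec su-exec "$TRILIUM_UID:$TRILIUM_GID" "$@"
    else
        # Already unprivileged: su-exec's setgroups call would be refused,
        # so run the command directly under the uid we were given.
        exec "$@"
    fi
}

# Only act as an entrypoint when a command was supplied, e.g.
#   ENTRYPOINT ["/entrypoint.sh"] with CMD ["node", "src/www"]
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With this layout a root-started container behaves as before (chown, then su-exec), while a container pinned to uid 1000 by compose or a securityContext starts without touching ownership, which is the case that broke in the report above.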