Consider building the container to run as non-root about watchstate HOT 7 CLOSED

As i described in my previous post, everything except the php-fpm can be disabled via environment variables WS_DISABLE_HTTP, WS_DISABLE_CRON, WS_DISABLE_CACHE. There is merit in having single process container, however from my personal experience telling normal users to configure multi service docker-compose leads to never ending problems, there is reason many containers use multi process specially for user related containers.

The task runner is a bash script now, so we no longer use real CRON, the script does one thing and that is call system:tasks every minute, the reason we call it every minute is because the tasks themselves are user configurable, someone maybe want to run the import task every 1h and export every 2hrs or push every 5min. So ofelia will not work for needs and it's one more runtime we have to worry and check compatibility with.

The cache is needed to reduce calls as there are difference in the way media servers response without the caching of relationships many many requests will be needed on every sync attempt. Right now when you disable the cache we simply null the adapter, in the next versions I'll make it use to disk based cache if cache server is disabled.

Without http frontend there is no way for us to process webhook requests and it's core feature of the tool.

if you simply just use the tool for state:import and state:export then yeah you could disable all the included tools and change your ofelia.job-exec.watchstate.command to

/usr/bin/console state:import && /usr/bin/console state:export

And the tool is more then just import/export as described in readme.

from watchstate.

Np. Thanks for your insight, in the future I'll hopefully have enough time to create customized releases i.e. minimal and full. However this should come after we actually have stable v1 branch which is not too far off.

from watchstate.

You could also point users to this project and document how to help run the service as a cron, instead of baking it into the container:

https://github.com/mcuadros/ofelia

from watchstate.

Hi

Thank you for your concerns. The container and the tool does not need to run as root there are already checks to prevent running the tool from running as user 0. When you run the console command it executes it under user not root. What is missing is the actual change user step in Dockerfile. and i am planning to shuffle some of the things baked in entrypoint to the dockerfile. after that it should be easy to activate the user directive.

About the the external runtimes, everything that is external to the tool itself can be disabled including http, cron, redis. I include everything needed for ease of management for users. However you are free to disable everything included and use you own scheduler, frontend proxy or redis cache alternative.

P.S: i personally use the tool directly on metal not inside container, so i am pretty sure the tool run without root. :-)

Thank you.

from watchstate.

@onedr0p ghcr.io/arabcoders/watchstate:dev is now rootless, could you pull and try it now?

from watchstate.

I didn't run the container but I reviewed your changes, there's a couple more things I would do.

• Keep the running processes in the container to 1
• Remove redis and make that an external dep
• Remove the cron logic and make that also a external dep.

Here's quick example I whipped up

version: "3"
services:
  ofelia:
    image: mcuadros/ofelia:latest
    depends_on:
      - nginx
    command: daemon --docker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  redis:
    image: redis:6.2-alpine
    restart: always
    ports:
      - 6379:6379
    command: redis-server
    volumes: 
      - /hostpath/watchstate/cache:/data

  watchstate:
    image: ghcr.io/arabcoders/watchstate
    depends_on:
      - redis
    labels:
      ofelia.enabled: "true"
      ofelia.job-exec.watchstate.schedule: "@hourly"
      ofelia.job-exec.watchstate.command: "/usr/bin/console system:tasks --run --save-log"

More importantly, does watchstate need to run continuously? Does it need a webserver? Couldn't the entrypoint to the container be ..

ENTRYPOINT ["/usr/bin/console"]
CMD ["system:tasks", "--run", "--save-log" ]

I know these aren't root related but I am just trying to help you build the docker part more eloquently.

from watchstate.

Sounds good, the rootless support is much appreciated! Good work.

from watchstate.