docker: rootless image

[sapk]

Replace #7129

This solution propose a new docker image tag -rootless with a image using internal ssh running with an unprivileged user.

The main advantage is to provide a breaking solution that users can transition slowly and when adoption and returns are good should become the default.

This will allow us to break past mistake/compatibility for docker image.

How to build image

docker build -f Dockerfile.rootless -t gitea/gitea:latest-rootless .

How to migrate/test

• Backup your setup
• Change volume mountpoint from /data to /var/lib/gitea
• If you used a custom app.ini move it to a new volume mounted to /etc/gitea
• Rename folder (inside volume) gitea to custom
• chown -R uid:gid /data volume of --user flag if needed
• Edit app.ini if needed
  • Set START_SSH_SERVER = true
• Use image gitea/gitea:latest-rootless (when merged or use sapk/gitea:rootless for testing)

[codecov-io]

Codecov Report

Merging #10154 into master will increase coverage by 0.03%.
The diff coverage is 55.55%.

@@            Coverage Diff             @@
##           master   #10154      +/-   ##
==========================================
+ Coverage   42.14%   42.18%   +0.03%     
==========================================
  Files         690      690              
  Lines       75871    75888      +17     
==========================================
+ Hits        31975    32010      +35     
+ Misses      38668    38645      -23     
- Partials     5228     5233       +5     

Impacted Files	Coverage Δ
modules/context/api.go	75.22% <ø> (ø)
routers/api/v1/repo/release_tags.go	53.57% <46.66%> (-7.97%)	⬇️
routers/api/v1/api.go	79.50% <100.00%> (+0.05%)	⬆️
modules/charset/charset.go	68.53% <0.00%> (-6.75%)	⬇️
services/gitdiff/gitdiff.go	67.39% <0.00%> (-1.99%)	⬇️
modules/git/repo.go	46.70% <0.00%> (-1.02%)	⬇️
modules/notification/webhook/webhook.go	49.65% <0.00%> (+0.34%)	⬆️
services/pull/pull.go	41.27% <0.00%> (+0.49%)	⬆️
models/error.go	36.56% <0.00%> (+0.83%)	⬆️
models/notification.go	66.66% <0.00%> (+0.90%)	⬆️
... and 10 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b5e974c...f35a3ef. Read the comment docs.

[zeripath]

This looks fine to me, I guess one thing I might suggest is to put a note in the app.ini stating that only internal SSH is supported on rootless installs

[techknowlogick]

Speaking of “breaking” items, maybe we make the binary in this image FHS compliant?

[techknowlogick]

This looks great! Thanks @sapk for your work on this.

In addition to @zeripath’s review could you add a small section to our documentation’s docker section re:rootless?

[sapk]

For FHS, I am hesitating for the binary path:

• 👍 /usr/local/bin/gitea
• 👎 /usr/lib/gitea/gitea
• 😄 /usr/bin/gitea

Since we don't have any file I would be in favor to put the binary directly to /usr/local/bin/gitea

[zeripath]

I think /usr/bin would even be appropriate as it's a pre-installed package

[sapk]

@zeripath I have looked at docker-library official image and they tend to kept under /usr/local/bin everything that are not package managed (apt, apk, ...).
I will try to follow that and also move entrypoint and setup scripts there.
Ex for redis: https://github.com/docker-library/redis/blob/master/5.0/alpine/Dockerfile#L49

root@2a327f2bc55e:/data# ls /usr/local/bin/
docker-entrypoint.sh  gosu  redis-benchmark  redis-check-aof  redis-check-rdb  redis-cli  redis-sentinel  redis-server

[sapk]

The only part that still isn't FHS compliant is that the config file is currently under /var/lib/gitea/custom/conf/app.ini but I hesitate to create a second volume only for the config file.

[lunny]

@sapk, create a link?

[lunny]

And I think we could also create some necessary envs to skip the installation guide which will override app.ini. Maybe another PR.

[sapk]

Rethinking of the config file for FHS, It maybe a good idea to separate it from the data folder since in most cases it is not needed to backup it and can be generated at each startup of container. The config file could still be backup but it would need to be explicitly defined (with an other volume) if needed. An other advantage is that someone that want to configure via variable would just need to restart the container and not rewrite the config file.

[sapk]

I will re-add the wip label since I will make change that need to be retested.

[zeripath]

So can we get this merged at some point?

[sapk]

I will intentionally not backport this commit ff50274#diff-dd2c0eb6ea5cfc6c4bd4eac30934e2d5746747af48fef6da689e85b752f39557
As I think, socat is not needed for 99% of gitea users and could easily be added by the at most 1% left. socat can be leveraged to open two-way connection to keep open a remote shell. Ex: https://gtfobins.github.io/gtfobins/socat/
I don't think it is a big security risk but we shouldn't make it more easy by default.

[sapk]

This PR is ready for review.

[lafriks]

Please update with base branch

[Grepsd]

I've run into an error when trying to install the helm chart on my local minikube, runAsNonRoot issues.

After using the rootless images, the error is now : Error: container has runAsNonRoot and image has non-numeric user (git), cannot verify user is non-root

This happens because I use pod security policies.

Is there any solution beside replacing USER git:git (if it does even work) in the rootless docker image ?

[techknowlogick]

@Grepsd please don't comment on closed issues/PRs as your comment will be lost. Please reach out on discord or discourse for support.

[sapk]

@Grepsd I am not against using numeric id. The fact that your tool cannot verify the user is not root is strange since it is how it is done in most docker official image :

• https://github.com/docker-library/docker/blob/master/Dockerfile-dind-rootless.template#L67
• https://github.com/docker-library/official-images/blob/d2dddc2956ed7c09a570ec95a88f72ea636273e7/test/tests/ruby-nonroot/run.sh#L11

If you want to discuss more, create a issue on the subject or come on discord

[wxiaoguang]

Please help to take a look at this one: Fix the mode of custom dir to 0700 in docker-rootless

• Fix the mode of custom dir to 0700 in docker-rootless #20861