[WIP] Rootless docker

[sapk]

This would be breaking some configs for docker.
So I will keep it as WIP because I may haven't done the good choices and this PR need changes to be merge. For examples, new config where introduce and need to be configured via env var. And maybe some people would be opposed to those changes.

To do rootless :

• It listen on 2222 for ssh
• It use the internal ssh server

With that change, we lost :

• The configuration of uid via USER_UID USER_GID (Because we are not root we can not change the passwd file)

I will search if there is any solution around to allow to setup the uid user of the container.

Related: #1190

[codecov-io]

Codecov Report

Merging #4749 into master will increase coverage by <.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #4749      +/-   ##
==========================================
+ Coverage    20.7%   20.71%   +<.01%     
==========================================
  Files         167      167              
  Lines       32359    32359              
==========================================
+ Hits         6699     6702       +3     
+ Misses      24678    24676       -2     
+ Partials      982      981       -1

Impacted Files	Coverage Δ
modules/process/manager.go	73.91% <0%> (+4.34%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fa93857...21e5043. Read the comment docs.

[pittar]

@sapk , this is great! Is there a build I could test? If not, when one is available let me know and I can try it out on OpenShift.

[pittar]

Hey all, any progress on this? I see merging is blocked.

[sapk]

@pittar it should already work but I will be careful before changing how the container works 😈. It will add some security but we loose container configuration. If I remember it is possible to change uid/gid and more with option (--group-add and --user) and keep the same flexibility as before but I haven't tested those (yet).

and the merge is blocked because this PR doesn't have LGT-M validation

[pittar]

Hey @sapk , thanks for this.

So, I built a new image based on your fork and it let me start Gitea (sweet!).

My problem now is that I hit the main page just fine, but as soon as I hit "Register" it asks me for install info. This is fine, except it also wants a "Run as" user. OpenShift seems to be saying the user is "unknown" and with a random id.

/app/gitea $ whoami whoami: unknown uid 1000500000

I can't put in a valid "Run as" user, so I can't complete the install. Any guidance would be greatly appreciated.

Thanks!

[sapk]

@pittar did you try to put the uid in the runas field ? (1000500000)

[pittar]

@sapk , thanks for the suggestion, but that doesn't work. It wouldn't do much good, since OpenShift assigns random UIDs on start.

I've made some progress by locking the install and switching the USER command to 1000 instead of git. My issue now is that it says permission denied on the .gitconfig file:

2018/09/08 22:11:01 [...gitea/models/repo.go:144 NewRepoContext()] [E] Failed to set git user.name(exec(2:NewRepoContext(set user.name)) failed: exit status 255(<nil>) stdout:  stderr: error: could not lock config file //.gitconfig: Permission denied
--
  | ): error: could not lock config file //.gitconfig: Permission denied

I'm assuming the git user (1000) doesn't have access to wherever that file is?

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions.

[stale]

This pull request has been automatically closed because of inactivity. You can re-open it if needed.