Run Graphdb as different user then root

[phlegx]

Would be nice to have Graphdb running as a different user then root. This is actually docker best practice.

[stefanbischof]

I'm currently creating my own Docker image with this simple Dockerfile (tag is a build argument which has to be set when running docker build):

FROM ontotext/graphdb:${tag}

RUN chown -R nobody /opt/graphdb
USER nobody

Maybe the USER command could be easily integrated into the official Dockerfile? Then we wouldn't need the chown shell command anymore.

[ThomasThelen]

+1 for this, especially since it's common for people to expose sparql endpoints to the open world. This opens up a direct route to a service in the container with elevated privs

[bkis]

If you're using docker compose, it seems to work to do the following:

services:
  graphdb:
    image: "ontotext/graphdb:${WHATEVER_VERSION_YOU_USE}"
    volumes:
      - "./data:/opt/graphdb/home"
    user: 2222:2222
    # ...

... and chown ./data to 2222:2222, of course.

[stefanbischof]

Thank you for the hint, that looks promising. I'll try that. I still think this should be done in the Dockerfile.

[bkis]

Thank you for the hint, that looks promising. I'll try that. I still think this should be done in the Dockerfile.

Absolutely.