Run tomcat as non-root user

[jeanpommier]

update based on PR #442

[jeanpommier]

@pierrejego I believe we can merge this PR.

We will need to document in the migration notes that the mapstore writable datadir needs to be writable by UID/GID 999 (for the docker version)

[edevosc2c]

Could you allow changing the UID and GID at build time?

You can do it with something like this:

ARG USER_GID=999
ARG USER_UID=999
RUN addgroup --gid ${USER_GID} tomcat && \
    adduser --system  -u ${USER_UID} --gid ${USER_GID} --no-create-home tomcat && \
    chown -R ${USER_UID}:${USER_GID} /usr/local/tomcat

[jeanpommier]

Hi @edevosc2c . Can you explain why for ?

The idea is to run the georchestra official docker image, right ? Since this applies at build time, it means that to get different settings one would still have a build a custom image. I don't see the added value

[pmauduit]

Can you explain why for ?

it looks like because of georchestra/georchestra#4071

[edevosc2c]

Hi @edevosc2c . Can you explain why for ?

The idea is to run the georchestra official docker image, right ? Since this applies at build time, it means that to get different settings one would still have a build a custom image. I don't see the added value

It's a standard thing in docker images to allow anyone to set UID and GID at build time.
It doesn't hurt to add it.

On top of that, you have just one line/one place to change the UID and GID in case it's needed.

[edevosc2c]

Note: Once #671 will be merged, there will be a need here to add after RUN mkdir -p /docker-entrypoint.d this line:

RUN chown tomcat:tomcat /docker-entrypoint.d

Otherwise, the copy in this script won't work: https://github.com/georchestra/mapstore2-georchestra/pull/671/files#diff-1b0bf6d59703af25ba177c67baa3686a4aa1846098b91e7ff32375e0f4eb43eaR10

[jeanpommier]

Hi,
Sorry I had left this PR untidy. I've updated the PR according to your suggestions @edevosc2c.
Does it look OK to you ?

[edevosc2c]

good for merging

[edevosc2c]

We need to fix the CI before merge if possible.

[edevosc2c]

hey @jeanpommier can you rebase against master? this should fix the CI because geosolutions fixed it: fe581a2#diff-7c5b1aec3fd401c4634f1d2e303fa0b61fef81dd181322616a7058e833328a50R74

[jeanpommier]

hey @jeanpommier can you rebase against master? this should fix the CI because geosolutions fixed it: fe581a2#diff-7c5b1aec3fd401c4634f1d2e303fa0b61fef81dd181322616a7058e833328a50R74

Hi @edevosc2c
Done, thanks

[edevosc2c]

will probably be great to create a new mapstore release

[landryb]

there will be an rc for 2024.02 soon, see #714. unless you want to cut a release from the previous 'stable' branch.

[landryb]

actually there has been one in https://github.com/georchestra/mapstore2-georchestra/releases/tag/2024.02.00-RC1-geOrchestra

[edevosc2c]

Yes we want to backport that to previous versions. Some of our clients want this change.