ufuk, thanks for the suggestion. However, it does not work. I understand that ENV values in Dockerfile can be overridden when Docker runs, not Docker builds. Therefore, "solr" user still owns the /var/solr directory.
> Unless you remove the container completely (not stop, completely remove)
> it would keep indexes written inside the container, not requiring a volume.
> “docker system prune” or “docker-compose down” would remove all container data
> so you would lose the index.

That's right, but I need volumes.

Hisashi

On Sun, Jul 16, 2023 at 9:42, ufuk yılmaz <uyil...@vivaldi.net.invalid> wrote:

> Unless you remove the container completely (not stop, completely remove)
> it would keep indexes written inside the container, not requiring a volume.
> “docker system prune” or “docker-compose down” would remove all container
> data so you would lose the index.
>
> Instead of rewriting official docker images, wouldn’t just rewriting a new
> Dockerfile which inherits from the official image work?
>
> FROM solr:9.2.1
> ENV SOLR_USER="youruser" \
>     SOLR_UID="youruid" \
>     SOLR_GROUP="yourgroup" \
>     SOLR_GID="yourgid" \
>     .. etc
>
> Build an image from that:
> docker image build -t mysolr .
>
> When running it:
> docker run --user "$(id -u):$(id -g)" mysolr -p ….
>
> Installing and running Docker as non-root user is hard enough, if you
> succeeded that solr part should be easier 😊
>
> -ufuk yilmaz
>
> Sent from Mail for Windows
>
> From: Hisashi Kojima
> Sent: Sunday, July 16, 2023 3:11 AM
> To: users@solr.apache.org
> Subject: Re: Running Solr as an arbitrary user
>
> I use solr-docker with the server in my university lab.
>
> > Are you using numeric uid/gid in that config, or names?
>
> Yes, I use numeric uid/gid.
>
> > Unless I'm mistaken one of the primary benefits of using docker is that
> > you can avoid having to heavily customize things in each application
> > so that it can coexist with other applications.
>
> I agree.
>
> FYI, MySQL and PostgreSQL images support an arbitrary user other than root.
>
> > Do you have a volume where you map some local path to /var/solr inside
> > the container? If so, you should be able to simply chown the local path
> > for that volume and its contents to the uid/gid that you have
> > configured, and then the permissions inside the container should also be
> > updated so Solr can write to that location.
>
> That's right. However, I cannot use chown command because
> I’m not a root user and have limited permission
> (cannot use chown or su commands) in the university lab’s server.
>
> In my situation, Solr fails to write to volumed directories because
> the directory owner is my non-root user and the writer is also non-root
> user (”solr”).
> If I can replace “solr” user with my non-root user, Solr will also run in
> my situation.
>
> Dima, thanks for the suggestion.
> However, I should rewrite when the Solr "official" image updates, right?
>
> Hisashi
>
> On Sun, Jul 16, 2023 at 3:23, dmitri maziuk <dmitri.maz...@gmail.com> wrote:
>
> > On 2023-07-15 11:55 AM, Shawn Heisey wrote:
> > > On 7/15/23 10:30, dmitri maziuk wrote:
> > > > OP needs to pull Dockerfile from upstream, change the numbers in
> > > > ```
> > > > ENV SOLR_USER="solr" \
> > > >     SOLR_UID="8983" \
> > > >     SOLR_GROUP="solr" \
> > > >     SOLR_GID="8983" \
> > > > ...
> > > > ```
> > >
> > > Thanks for that detail! Always learning something new about Solr.
> >
> > Well, this is about docker, strictly speaking. When you look at
> > Dockerfile, there's useradd, groupadd, and chown commands that use the
> > above UID:GID, as well as "USER $SOLR_UID" at the end (that daemon runs
> > as).
> >
> > That's pretty standard for daemons that won't run as root and/or write
> > to mounted volumes that "other people" need access to. (The latter being
> > the only legitimate reason to run as non-root in a container, but after
> > a couple of decades of "dropping privileges" and "secure coding
> > practices" and all that, most daemons refuse to run as root anymore.)
> >
> > Dima
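
The permission mismatch discussed in this thread (a bind-mounted host directory owned by one UID while the container process runs as another, such as the image default 8983) can be checked on the host before the container is started. The script below is an added example, not part of the original messages or of the Solr project; it assumes GNU stat, no ACLs, no supplementary groups and no user-namespace remapping (rootless Docker remaps container IDs), and the path ./solrdata is hypothetical.

```shell
#!/bin/sh
# Added example: predict whether a process running as UID:GID can create
# files in a host directory that will be bind-mounted (e.g. at /var/solr).
# Assumptions: GNU stat, classic mode bits only (no ACLs), no supplementary
# groups, no user-namespace remapping of container IDs.

# class_for DIR UID GID -> prints which permission class applies
class_for() {
    owner_uid=$(stat -c '%u' "$1")
    owner_gid=$(stat -c '%g' "$1")
    if [ "$2" = "$owner_uid" ]; then echo owner
    elif [ "$3" = "$owner_gid" ]; then echo group
    else echo other
    fi
}

# can_write DIR UID GID -> exit status 0 if that identity may create files
can_write() {
    if [ "$2" = 0 ]; then return 0; fi      # root bypasses mode bits
    perms=$(stat -c '%A' "$1")              # e.g. drwxr-xr-x
    case $(class_for "$1" "$2" "$3") in
        owner) bits=$(printf '%s' "$perms" | cut -c2-4) ;;
        group) bits=$(printf '%s' "$perms" | cut -c5-7) ;;
        *)     bits=$(printf '%s' "$perms" | cut -c8-10) ;;
    esac
    # Creating files needs write plus search (x, or s/t which include x).
    case $bits in
        ?w[xst]) return 0 ;;
        *)       return 1 ;;
    esac
}

# report DIR UID GID -> one human-readable line
report() {
    if can_write "$1" "$2" "$3"; then
        echo "uid=$2 gid=$3 can write to $1"
    else
        echo "uid=$2 gid=$3 CANNOT write to $1 ($(stat -c '%U:%G %A' "$1"))"
    fi
}

# Usage sketch (hypothetical host path ./solrdata):
#   report ./solrdata 8983 8983                # SOLR_UID/SOLR_GID from the thread
#   report ./solrdata "$(id -u)" "$(id -g)"    # identity passed via --user
```
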