Do not run containers as root and do not create root owned files #234

@jeremyestein

Description

Definition of Done / Acceptance Criteria

  • Containers are no longer run as root.
  • Files created by containers on mounted file systems are no longer owned by root, and thus they are readable/writable/deletable by a normal user.

Both criteria above will be met if the container no longer runs as root. If for some reason you only implement a fix for the file permissions issue (e.g. by chowning the files after creating them), this issue should be split so the running-as-root issue is not lost.

Testing

The system test should check which user each container is running as after bringing them up. Note that running on a non-Linux host will falsely cause such a test to pass, as the special Docker Linux kernel on these platforms doesn't map container root to host root in the first place.

Any test that checks the presence and contents of an output file should also check the file's ownership. For an example, see check_radiology_parquet.py where these tests exist but have been temporarily demoted to logging only.

Documentation

Whether the user will have to do anything different because of this (e.g. set an environment variable) depends on the implementation.

Dependencies

Some possible solutions would need a reconfiguration of the GAE via Atos, which could take some time.

Details and Comments

Rationale

  • Running as root is a security hazard. If one of the services gets compromised then the attacker can do more bad stuff to the GAE than they would otherwise.
  • Files owned by root cannot be deleted/moved/etc by a normal user (or indeed a system test).

Possible implementations

  • Run the Docker daemon in "rootless" mode - will require some changes via Atos?
  • User namespaces (userns_mode) - also requires admin?
  • Set the user directly with the user property of the docker compose service spec.

Someone may have to play around with a Docker install on Linux to see what works so we know what (if anything) we want to ask Atos for.
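
One way to write the two checks from the Testing section, as an added sketch that is not the project's own test code: it flags containers whose configured user is root and lists output paths owned by a given uid. The container names, the sample `docker inspect` records and the helper names are constructed for illustration.

```python
import json
from pathlib import Path

# Constructed sample, shaped like trimmed `docker inspect <container>...` output.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/example-writer", "Config": {"User": ""}},
  {"Name": "/example-reader", "Config": {"User": "1000:1000"}},
  {"Name": "/example-db",     "Config": {"User": "root"}}
]
""")

# An empty Config.User means no user was set, so the process starts as uid 0.
ROOT_USERS = {"", "0", "root"}


def configured_as_root(container: dict) -> bool:
    """True if the container's configured user ("user" or "user:group") is root."""
    user = (container.get("Config") or {}).get("User") or ""
    return user.split(":", 1)[0] in ROOT_USERS


def containers_configured_as_root(inspect_output: list) -> list:
    """Names (leading slash stripped) of containers configured to run as root."""
    return [c["Name"].lstrip("/") for c in inspect_output if configured_as_root(c)]


def paths_owned_by(directory, uid: int = 0) -> list:
    """Every path under `directory` (the directory included) owned by `uid`."""
    root = Path(directory)
    found = []
    for path in [root, *root.rglob("*")]:
        # lstat judges a symlink itself rather than the file it points to.
        if path.lstat().st_uid == uid:
            found.append(str(path))
    return sorted(found)


if __name__ == "__main__":
    print("configured as root:", containers_configured_as_root(SAMPLE_INSPECT))
    # On a Linux host, point this at the mounted output directory.
    print("root-owned paths:", paths_owned_by(".", uid=0))
```

The configured user alone does not settle the question when rootless mode or user namespaces are in use, because container uid 0 is then mapped to an unprivileged host uid; the ownership check on the host side of the mount covers that case.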

Metadata

Metadata

Labels

bug: Something isn't working
security: Working on this will improve security

Type

No type

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions