Running Discourse in Docker as a non-root user?


#1

So I've followed the installation guide and things are up and running with Docker. However, I believe Discourse is now currently running as root. What's the recommended workaround here? I've created a user and added it to the docker group. Can I then simply make sure the docker service runs under that user, chown all the Discourse files and start the app as that user?


(Jens Maier) #2

No, Discourse runs as a user called discourse, but it runs inside a Docker container. The docker daemon process must have full root privileges to bring up, configure and tear down containers.

Docker (as root) sets up an LXC container. These containers are isolated namespaces in your kernel: processes inside the container can not interact with processes in any other container or in the host via signals, debugging or IPC; user names resolve to different user ids; containers usually have a different filesystem root; and containers can have different network devices (and always have a private loopback device).

Just like the kernel starts init after booting, Docker starts a single initial process inside the container. This process runs as root (but with the limitations above) and its job, just like init, is to start all the services that should be running in the container.

In Discourse’s case, this amounts to

  • an SSH server,
  • PostgreSQL,
  • Redis,
  • Nginx,
  • and of course Discourse itself.

And just like on the host system, all of these services can run under different, non-privileged user accounts. For instance, PostgreSQL runs as postgres and Discourse’s unicorn and sidekiq run as discourse.
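One way to verify the point made in this answer on a running install, as an added example that is not part of the thread or of Discourse's own tooling: feed the process list from inside the container (`docker exec app ps -eo user,pid,comm`, where the container name `app` is an assumption) into a small POSIX shell audit that reports any service process running as root other than the container's init at PID 1. The two process lists below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits ps output captured from
# inside a Discourse container and flags every process that runs as root apart
# from the container's init (PID 1). In a live deployment the input comes from:
#   docker exec app ps -eo user,pid,comm      (container name "app" is assumed)
# The samples at the bottom are constructed so the script runs offline.

# root_processes LINES: print "pid comm" for every root-owned process except
# PID 1. A leading "USER PID COMMAND" header line from ps is skipped.
root_processes() {
    printf '%s\n' "$1" | while read -r user pid comm; do
        [ "$user" = "USER" ] && continue
        if [ "$user" = "root" ] && [ "$pid" != "1" ]; then
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
    return 0
}

# audit LINES: return 0 when only PID 1 runs as root, otherwise list the
# offending processes and return 1.
audit() {
    offenders=$(root_processes "$1")
    if [ -n "$offenders" ]; then
        printf 'services running as root inside the container:\n%s\n' "$offenders"
        return 1
    fi
    echo "OK: every service runs under a non-root account"
    return 0
}

# Constructed ps output for a healthy container: only init is root, the
# database, cache and Discourse workers run under their own accounts.
GOOD_PS='USER PID COMMAND
root 1 init
postgres 40 postgres
redis 55 redis-server
discourse 80 unicorn
discourse 81 sidekiq'

# Constructed ps output where a Discourse worker was started as root by mistake.
BAD_PS='USER PID COMMAND
root 1 init
postgres 40 postgres
root 90 unicorn'

# Stand-alone run: the first audit passes, the second reports the offender.
audit "$GOOD_PS"
audit "$BAD_PS" || echo "audit of BAD_PS failed as expected"
```

The check deliberately treats PID 1 as the only acceptable root process, mirroring the init analogy in the answer; if your container legitimately runs something else as root (for instance the SSH server), add an allow-list to `root_processes` rather than loosening the root check itself.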