Feature Requests

Docker container running as non-root
I am trying to run the blockscout-stack in Kubernetes. For security reasons, I am providing it a specific uid/gid (non-root user/group) but the 'blockscout' pod (backend?) is logging these errors:

{"time":"2024-05-13T14:52:25.694Z","severity":"error","message":"GenServer :tzdata_release_updater terminating\n** (File.Error) could not write to file \"/app/lib/tzdata-1.1.1/priv/latest_remote_poll.txt\": permission denied\n (elixir 1.14.5) lib/file.ex:1104: File.write!/3\n (tzdata 1.1.1) lib/tzdata/data_loader.ex:43: Tzdata.DataLoader.last_modified_of_latest_available/1\n (tzdata 1.1.1) lib/tzdata/release_updater.ex:81: Tzdata.ReleaseUpdater.loaded_tzdata_matches_remote_last_modified?/0\n (tzdata 1.1.1) lib/tzdata/release_updater.ex:42: Tzdata.ReleaseUpdater.poll_for_update/0\n (tzdata 1.1.1) lib/tzdata/release_updater.ex:19: Tzdata.ReleaseUpdater.handle_info/2\n (stdlib 3.17) gen_server.erl:695: :gen_server.try_dispatch/4\n (stdlib 3.17) gen_server.erl:771: :gen_server.handle_msg/6\n (stdlib 3.17) proc_lib.erl:226: :proc_lib.init_p_do_apply/3\nLast message: :check_if_time_to_update\nState: []","metadata":{"error":{"initial_call":null,"reason":"** (File.Error) could not write to file \"/app/lib/tzdata-1.1.1/priv/latest_remote_poll.txt\": permission denied\n (elixir 1.14.5) lib/file.ex:1104: File.write!/3\n (tzdata 1.1.1) lib/tzdata/data_loader.ex:43: Tzdata.DataLoader.last_modified_of_latest_available/1\n (tzdata 1.1.1) lib/tzdata/release_updater.ex:81: Tzdata.ReleaseUpdater.loaded_tzdata_matches_remote_last_modified?/0\n (tzdata 1.1.1) lib/tzdata/release_updater.ex:42: Tzdata.ReleaseUpdater.poll_for_update/0\n (tzdata 1.1.1) lib/tzdata/release_updater.ex:19: Tzdata.ReleaseUpdater.handle_info/2\n (stdlib 3.17) gen_server.erl:695: :gen_server.try_dispatch/4\n (stdlib 3.17) gen_server.erl:771: :gen_server.handle_msg/6\n (stdlib 3.17) proc_lib.erl:226: :proc_lib.init_p_do_apply/3\n"}}}

I'd like to update the Dockerfile to create a user and group with a specific UID/GID (maybe as args?) and modify the /app directory to be owned by this user/group. Would you be open to such a change? I believe it's generally a best practice to run containers as non-root. If so, I'll create a PR. If there's a concern for compatibility, I could create a separate nonroot.Dockerfile (for example) but your CI/CD would need to build/publish that with the current Dockerfile -- perhaps with a nonroot tag. I haven't looked at your CI/CD but I'm happy to take that on too if you'd like.
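A pre-flight check for the kind of failure in the log above, as an added example that is not part of the original post or the Blockscout project: it lists every path under a directory that a chosen UID/GID cannot write according to owner, group and mode bits, so write-at-runtime locations surface before the pod runs as that user. The function names and the sample UID/GID are hypothetical; it assumes GNU `stat` and ignores ACLs, supplementary groups and read-only mounts.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat (Linux).
# Mode bits only: ACLs, supplementary groups and read-only mounts are ignored.

# can_write UID GID PATH: succeed if owner/group/mode let UID:GID write PATH.
# For a directory, "write" means creating files in it, which needs w and x.
can_write() {
    uid=$1; gid=$2; path=$3
    if [ "$uid" -eq 0 ]; then return 0; fi      # root bypasses mode bits
    info=$(stat -c '%u %g %a' "$path") || return 2
    set -- $info                                # $1=owner $2=group $3=octal mode
    m=$((0$3))                                  # leading 0: parse as octal
    if [ "$uid" -eq "$1" ]; then bits=$(( (m >> 6) & 7 ))
    elif [ "$gid" -eq "$2" ]; then bits=$(( (m >> 3) & 7 ))
    else bits=$(( m & 7 )); fi
    need=2
    if [ -d "$path" ]; then need=3; fi
    [ $(( bits & need )) -eq "$need" ]
}

# audit_tree UID GID ROOT: print every file or directory under ROOT that
# UID:GID could not write, e.g. a priv/ directory a library updates at runtime.
audit_tree() {
    find "$3" \( -type d -o -type f \) | while IFS= read -r p; do
        can_write "$1" "$2" "$p" || printf '%s\n' "$p"
    done
}

# Usage: sh audit.sh 1001 1001 /app   (the UID/GID values are placeholders)
if [ "$#" -eq 3 ]; then audit_tree "$@"; fi
```

Run it inside the image (or against an extracted root filesystem) with the UID/GID the pod will use; an empty result means the mode bits would permit every write under that tree.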