@Dreneg did you encounter any problems with your own user since then?
As I just learned, Keycloak runs with a random UID in OpenShift for security reasons. To still be able to prepare the file system, the GID is 0, so Keycloak needs to use this to access its file system when running in OpenShift.
Background: In my project we are working on creating more secure Docker images, and one step is changing our Docker containers to run as a non-root user. We gladly noticed that Keycloak does not use the root user by default, which is great. However, the keycloak user is still in the root group (see: https://github.com/keycloak/keycloak/blob/main/quarkus/container/Dockerfile).
Question: We wonder if there is any specific reason why the Keycloak guys did not create a new group as well, instead of using the root group.
Our current "workaround" is to just create our own user and group and change the owner of /opt/keycloak to our new user. Everything seems to be working, but we still wonder if we missed something.
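The reply in this thread says that on OpenShift the container gets a random UID while the GID stays 0. The shell function below is an added example, not code from the thread or from the Keycloak project: it audits a directory such as /opt/keycloak for paths that a process with that identity could not use the way the owner can. It assumes GNU find and stat, and the function name and report format are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Keycloak.
# Usage: audit_gid_access DIR [GID]   (GID defaults to 0, the root group)
# Prints one line per path under DIR that a process running with an
# arbitrary UID and group GID could not use the way the file owner can:
#   group!=GID PATH   path is not group-owned by GID
#   g!=u PATH         group permission bits differ from the owner's
# Returns 0 when nothing is reported, 1 otherwise.
# Usual build-time fix for group-0 images:
#   chgrp -R 0 DIR && chmod -R g=u DIR
audit_gid_access() {
    dir=$1
    gid=${2:-0}
    report=$(
        # %g = numeric group id, %a = octal mode, %n = path (GNU stat)
        find "$dir" -exec stat -c '%g %a %n' {} + |
        while read -r group mode path; do
            # Keep the last three octal digits (drops setuid/setgid/sticky)
            # and pad short modes such as "40" to "040".
            perms=$(printf '%03d' "$mode" | tail -c 3)
            ubits=${perms%??}
            rest=${perms#?}
            gbits=${rest%?}
            if [ "$group" != "$gid" ]; then
                printf 'group!=%s %s\n' "$gid" "$path"
            elif [ "$ubits" != "$gbits" ]; then
                printf 'g!=u %s\n' "$path"
            fi
        done
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Run the audit when the script is called with arguments.
if [ "$#" -gt 0 ]; then
    audit_gid_access "$@"
fi
```

Running it against an image that was rebuilt with a custom user and group, as in the workaround from the original post, shows which paths would become inaccessible if the platform replaced the UID and kept GID 0.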