Don't run as root

[danp]

With the current Dockerfile, using docker run as the README suggests means the service runs inside the container as root.

[dmp42]

ping @samalba @shin-

How do you see this?
Shall we go with supervisord?

[samalba]

What about adding a simple config to gunicorn to change user: http://docs.gunicorn.org/en/latest/settings.html#user

Since we bind on 5000 by default, it should not be an issue.

What I would do:

From the Dockerfile:

1. create a registry user
2. declare a ENV var called DOCKER_REGISTRY_USER that contains this username
3. From config/gunicorn.py, if the env var exist, I set the user config directive to the right user.

[sirupsen]

Note that this may not be backwards compatible for some users because of permission issues with local storage.

[bacongobbler]

Note that this may not be backwards compatible for some users because of permission issues with local storage

👍 to elaborate, volume mounts are always mounted with root permissions, so you won't have RW access to the mount unless you explicitly chown the mountpoint.

[dmp42]

The mechanism is in place to drop privileges - but yes, there are a number of other considerations to look at before this is ready.