PloverDB should run as user "user" in ITRB-deployed settings

[saramsey]

NCATS DevOps is requesting that the PloverDB service not run as root, inside the container. It should run as a less-privileged user (and we should document the username in the README or Wiki).

[amykglen]

uwsgi is run as nobody, not root (see this). is there somewhere else they're talking about?

[saramsey]

Hmm, IDK. Is nginx running as root?

[saramsey]

Just checking back.... can we close out this issue?

[saramsey]

Maybe it would make sense to slack Kanna to ask b/f we close it out

[amykglen]

thanks for the reminder - good idea. will check in with Kanna.

[amykglen]

checked in with Kanna for more details - they want us to run all services as user. example code from Kanna:

# Create unprivileged user to run all services
RUN groupadd -g 8888 cureuser && \
    useradd -r -u 8888 -g cureuser cureuser && \
    chown -R cureuser:cureuser /code
#USER cureuser

because PloverDB uses a base image that handles users a certain way, this might get a little weird. but I'm sure is doable.

[saramsey]

This seems like an "After the Sept. 28 demo" kind of issue (though still worth doing, just on the longer term).