Use Case
I am testing ghcr.io/openvoxproject/openvoxserver:8.8.0-latest, and it is running as root. For production workloads and best practices, it is generally a good idea to run a container as a non-root user (i.e. with UID 1000).
Many hardened environments in Rancher (or Rancher Carbide, OpenShift, etc.) require the use of non-root users running the containerized process.
Describe the solution you would like
Write the Dockerfile in a way that creates and uses a non-root user.
Describe alternatives you've considered
Creating an exception and allowing puppet to run as root. But this is not best practice.
Additional context
Love the project, thank you!
Okay, I think I have this working. I ran into an issue with a non-root user, where Puppet wanted to assume everything was in:
~/.puppetlabs/etc/puppet/puppet.conf
This was a bit challenging, but I ended up just solving the issue with a simple symlink.
The next issue I ran into was that the base was Ubuntu. And if your host is RHEL with FIPS mode enabled, this causes all sorts of OpenSSL issues. I was able to solve this by building OpenSSL 3.4 from source, which seemed to work fine... but a lot of extra steps.
I will try to capture these changes and do a pull tomorrow. I might also try to rebase the container on Alpine or a UBI image.
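Added example, not part of the original issue or the project's code: a shell check for the requirement discussed above, classifying the USER recorded in an image's config. The function names are hypothetical and the sample values are constructed; a named user is reported separately because Kubernetes `runAsNonRoot` can only verify a numeric UID unless the pod sets `runAsUser` itself.

```shell
#!/bin/sh
# Classify the value of .Config.User from an image config.
# Prints one of:
#   root             - unset, "root", or UID 0 (with or without ":group")
#   nonroot-numeric  - numeric UID other than 0; verifiable by runAsNonRoot
#   named            - a user name; needs the image's /etc/passwd to resolve,
#                      so an admission check cannot prove it is non-root
classify_image_user() {
    user_field=$1
    uid=${user_field%%:*}            # drop an optional ":group" suffix
    case $uid in
        ''|root)  echo root ;;       # empty USER falls back to UID 0
        *[!0-9]*) echo named ;;      # contains a non-digit: it is a name
        *)
            if [ "$uid" -eq 0 ]; then
                echo root
            else
                echo nonroot-numeric
            fi
            ;;
    esac
}

# Inspect a locally pulled image (requires the docker CLI; not run here).
# Returns 0 only when the image declares a numeric non-root user.
check_image() {
    image=$1
    user_field=$(docker image inspect --format '{{.Config.User}}' "$image") || return 2
    verdict=$(classify_image_user "$user_field")
    printf '%s: USER=%s -> %s\n' "$image" "${user_field:-<unset>}" "$verdict"
    [ "$verdict" = nonroot-numeric ]
}

# Constructed sample USER values, to show the three outcomes offline.
for sample in '' 'root' '0:0' '1000' '1000:1000' 'puppet'; do
    printf 'USER=%-10s -> %s\n' "${sample:-<unset>}" "$(classify_image_user "$sample")"
done
```

With the image pulled, `check_image ghcr.io/openvoxproject/openvoxserver:8.8.0-latest` reports what that tag declares.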