From 4f3474ae3734e42d11008d103b89a41d55d70202 Mon Sep 17 00:00:00 2001
From: Dmitry Verkhoturov
Date: Sat, 28 Feb 2026 11:06:49 +0000
Subject: [PATCH 1/2] Run as root by default to fix docker socket access

Previously, the container ran as non-root user app (UID 1001) which failed on most systems because the docker socket GID didn't match the container's docker group GID (999). The v1.3.0 image ran as root and worked out of the box; v1.4.0 switched to non-root via the updated baseimage and broke existing setups. Set APP_UID=0 in the Dockerfile to restore root execution as default. Add documented APP_UID/DOCKER_GID options in docker-compose.yml and a "Running as Non-Root" section in README for users who prefer to drop privileges.
Resolves #57
---
 Dockerfile | 10 ++++++----
 README.md | 23 ++++++++++++++++++++++-
 docker-compose.yml | 9 +++++----
 3 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 38443d1..3babc00 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM umputun/baseimage:buildgo-latest as build
+FROM umputun/baseimage:buildgo-latest AS build
 ARG GIT_BRANCH
 ARG GITHUB_SHA
@@ -20,10 +20,12 @@ RUN \
 FROM umputun/baseimage:app-latest
 LABEL org.opencontainers.image.source="https://github.com/umputun/docker-logger"
+# run as root by default because docker socket access requires it on most systems.
+# to run as non-root, set APP_UID=1001 and DOCKER_GID to match the host's docker socket GID.
+ENV APP_UID=0
+
 COPY --from=build /build/docker-logger /srv/docker-logger
-RUN \
- chown -R app:app /srv && \
- chmod +x /srv/docker-logger
+RUN chmod +x /srv/docker-logger
 WORKDIR /srv
 VOLUME ["/srv/logs"]
diff --git a/README.md b/README.md
index cd76215..7ebcfdf 100644
--- a/README.md
+++ b/README.md
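Review bot: With `chown -R app:app /srv` removed in the second Dockerfile hunk, everything under /srv is root-owned as far as this patch shows, so the opt-in path the new comment advertises (`APP_UID=1001`) can write to /srv/logs only if the base image's start-up fixes ownership, which is not visible here. If it does not, keep the binary root-owned but restore ownership for the log directory alone, e.g. `RUN chmod +x /srv/docker-logger && mkdir -p /srv/logs && chown app:app /srv/logs`, so that dropping privileges stays a working option and not just a documented one. Separately, the commit message traces the regression to an updated base image, and both `FROM` lines (first and second hunk) still track `buildgo-latest` and `app-latest`; pinning a version tag or digest would keep the runtime user from changing again without a change in this repository.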
@@ -43,7 +43,28 @@ All changes can be done via container's environment in `docker-compose.yml` or w
 - both `--exclude` and `--exclude-pattern` flags are optional and mutually exclusive, i.e. if `--exclude` defined `--exclude-pattern` not allowed, and vice versa.
 - cross-kind combinations are also mutually exclusive: `--include` + `--exclude-pattern`, `--include-pattern` + `--exclude`, and `--include-pattern` + `--exclude-pattern` are not allowed.
-## Build from the source
+## Running as Non-Root
+
+By default, the container runs as root because access to the Docker socket (`/var/run/docker.sock`) requires it on most systems. To run as a non-root user, set the following environment variables:
+
+- `APP_UID` — the user ID for the application process (e.g., `1001`)
+- `DOCKER_GID` — the group ID that owns the Docker socket on the host
+
+To find the Docker socket GID on the host, run:
+
+```shell
+stat -c '%g' /var/run/docker.sock
+```
+
+Then configure the container accordingly:
+
+```yaml
+environment:
+ - APP_UID=1001
+ - DOCKER_GID=998 # use the value from the command above
+```
+
+## Build from the Source
 - clone this repo - `git clone https://github.com/umputun/docker-logger.git`
 - build the logger - `cd docker-logger && docker build -t umputun/docker-logger .`
diff --git a/docker-compose.yml b/docker-compose.yml
index dae5079..1975d59 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '2'
-
 services:
 logger:
 build: .
@@ -22,9 +20,12 @@ services:
 - MAX_SIZE=50
 - MAX_AGE=20
 - DEBUG=false
-# - TIME_ZONE=America/Chicago
+ - TIME_ZONE=America/Chicago
+ ## to run as non-root, set APP_UID to the desired user id and DOCKER_GID
+ ## to the group id owning /var/run/docker.sock on the host (check with: stat -c '%g' /var/run/docker.sock)
+ # - APP_UID=1001
+ # - DOCKER_GID=999
 volumes:
 - ./logs:/srv/logs
 - /var/run/docker.sock:/var/run/docker.sock
-
From 667d0efcf16a17b46a09d24c3038eeee02b322f1 Mon Sep 17 00:00:00 2001
From: umputun
Date: Sat, 28 Feb 2026 23:28:03 +0000
Subject: [PATCH 2/2] keep TIME_ZONE commented out in docker-compose.yml

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 1975d59..539ce03 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,7 +20,7 @@ services:
 - MAX_SIZE=50
 - MAX_AGE=20
 - DEBUG=false
- - TIME_ZONE=America/Chicago
+ # - TIME_ZONE=America/Chicago
 ## to run as non-root, set APP_UID to the desired user id and DOCKER_GID
 ## to the group id owning /var/run/docker.sock on the host (check with: stat -c '%g' /var/run/docker.sock)
 # - APP_UID=1001