Rootless containers

Alessandro_Re · January 3, 2022, 10:02pm

The idea is:

Current Dockerfile will drop root privileges and switch to node user; when the container engine is configured to be rootless, this is annoying as the in-container node user will not match the out-container rootless user.

I suggest to have a separated rootful image (e.g. our solution) that would be published along with the other n8n images, or to have the image support the -u flag so that containers could be ran specifying a user which is not node (would be root in my use case).

My use case:

We deploy containers in rootless environments, either via podman or via rootless docker. This allows users to run containers such as n8n without root privileges, allowing for better isolation. Since n8n drops privileges and does not seems to support the -u flag (user node is enforced), running n8n in rootless environment results in non-user owned files produced by the container, making management a bit annoying.

We are currently maintaining a rootful version of the Dockerfile and entry-point script, but I believe this could be maintained upstream.

I think it would be beneficial to add this because:

Rootful docker is not a great idea and alternatives are now in place. Users adopting rootless solutions should be facilitated in deploying n8n.

Any resources to support this?

Are you willing to work on this?

Yes, I could maintain the rootless Dockerfile/Containerfile.

FukjemiCZ · April 3, 2023, 10:38am

+1
I have the same problem and i would hate to maintain my own build image just to change user.

zippm · August 2, 2023, 8:55am

+1
requiring root inside the container is a major obstacle to integrating n8n in our company as we have strict security policies.

jan · August 2, 2023, 9:39am

The new docker images (v1) do not use root anymore. So should be all fine. You can check it out on GitHub.

Alessandro_Re · August 2, 2023, 12:55pm

Well, my problem was exactly the inverse: I am using root inside the container, so it’s mapped to non-root user outside the container.

Trying with the latest version:

$ mkdir my_n8n_data
$ podman run -it --rm -p 5678:5678 -v "$PWD/my_n8n_data:/home/node/.n8n" docker.n8n.io/n8nio/n8n
Error: EACCES: permission denied, open '/home/node/.n8n/crash.journal'
Error: Exiting due to an error.
Error: EACCES: permission denied, open '/home/node/.n8n/crash.journal'

It’s not necessarily the only course of action, though… If the host user has the same UID as the node user in the container, --userns=keep-id could also be used to correctly map the UIDs, otherwise one could create a directory on the host with the mapped permissions of the container’s node user (say, 65001).

In generale, it would be nice to provide support for podman.