Non-root support

How to run the container with non-root access via Docker Container

Step 1: get the docker image from docker hub (Refer to: Run image published on OPSWAT Docker Hub)

Step 2: launch docker image with non-root option

docker run --user 1000:1000 -it \

-e MD_USER=admin -e MD_PWD=admin \

-e ACCEPT_EULA=true -e DB_HOST=localhost \

-e DB_MODE=1 -e DB_TYPE=local -e DB_USER=postgres -e DB_PWD=posgres \

-e DB_PORT=5432 opswat/metadefendericapsrv-debian:5.8.0

Step 3: verify the UID:GID works properly

run command inside container to see the process mdicapsrv is running

ps -ef

Non-root access on Kubernetes

Step 1: Download help chart of MD ICAP Server from Github

Step 2: Modify UID:GID to run as non-root

create file override.values.yaml to override default value

ACCEPT_EULA: false

mdicapsrv_user: admin                          # Initial admin user for the MD ICAP Server web interface

mdicapsrv_password: admin                      # Initial admin password for the MD ICAP Server web interface, if not set it will be randomly generated

mdicapsrv_license_key: <SET_LICENSE_KEY_HERE>  # A valid license key, **this value is mandatory**

icap_components:

  md_icapsrv:

    securityContext:

      runAsUser: 1000  # Specify the UID of the user, id is 1000

      runAsGroup: 1000 # Specify the GID of the group, id is 1000

      runAsNonRoot: true

      allowPrivilegeEscalation: false

Step 3: deploy the helm chart with override values

helm install mdicapsrv -n default -f override.values.yaml .

Step 4: verify the pod and mdicapsrv are running

How to customer the UID and GID value?

The default value of UID and GID is 1000, these default value can be customized via Docker toolkit on My OPSWAT Portal and rebuild a new image (refer to Using build tool kit with your own docker image)

Step 1: modify RUN_UID and RUN_GID value in file Dockerfile

Step 2: Rebuild docker image

cd <build-kit-directory>

docker build --build-arg VERSION=5.8.0 -t oharbor.opswat.com/icap/mdicapsrv-debian:5.8.0 .