🚀 Feature: Distroless, rootless pocket-id #153

Closed
opened 2025-10-07 00:03:56 +03:00 by OVERLORD · 9 comments

Originally created by @robvanvolt on GitHub.

Feature description

Provide additional features in the form of

  • distroless docker
  • rootless configuration

Pitch

https://github.com/11notes/docker-pocket-id

Merge the changes in this docker-pocket-id repository! :)

OVERLORD added the feature, breaking labels 2025-10-07 00:03:56 +03:00

@stonith404 commented on GitHub:

The problem with a truly rootless image is that users need to manually fix permissions for bind mounts. This happens because Docker creates mounted folders with root permissions. To solve this, users must either use a named volume, or create the mounted folder first and then change its ownership or permissions. These are two extra setup steps that users need to do.

While our current Docker image is not rootless, the Pocket ID process inside the container still runs as a non-root user by default. But I see the advantage of a distroless image, which eliminates dependencies that could be vulnerable.

Any solution we choose would be a breaking change. Please upvote the issue if you're interested. We will decide whether to use a distroless Docker image in the next breaking release based on how many upvotes this issue receives.


@robvanvolt commented on GitHub:

I appreciate your quick response! I think for a safety-critical application such as this authentication platform this change would be a bigger advantage in comparison to the slightly more cumbersome initial setup! Let's see what the community thinks! :)


@ovizii commented on GitHub:

I don't see anything cumbersome here. Any decent docker image I am using already offers me the option to choose the UID and GID I want to run it as, and the minimum one should know about docker is how to create folders and set permissions.
If you lack that knowledge, imho you have no business running an OIDC provider. Not addressing anyone directly here, just stating my opinion.


@ItalyPaleAle commented on GitHub:

Just a note that you already can run Pocket ID as non-root AND with read-only root FS. We made changes in the last few months to make sure that's possible.

  • On Docker, you can run the container with: `--user 1000:1000 --read-only`
  • On K8s (includes Podman) you can use pods with `securityContext: {readOnlyRootFilesystem: true, runAsUser: 1000, runAsGroup: 1000}`

In fact, I've been using the above for a while in my own setup. It works like a charm (assuming you have preemptively set the permissions on the filesystem)

So this issue may be more about docs than actual changes in the project, at least for the non-root part? I can write the docs too.

As for distroless... There have been conversations about that. Right now we are using a base image with a shell because of the entry script (https://github.com/pocket-id/pocket-id/blob/main/scripts/docker/entrypoint.sh), which sets the permissions on the file system.

I would agree with @stonith404 that having the entrypoint (which requires a shell AND root) is a convenience.

But maybe we could offer an additional image variant that is distroless (and rootless by default)?

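The two extra setup steps @stonith404 describes (create the bind-mount directory before the first start and chown it to the container's uid:gid) and the `--user 1000:1000 --read-only` invocation @ItalyPaleAle gives are combined below in one POSIX shell script. This is an added example, not code from the Pocket ID project or from anyone in this thread. The image name `ghcr.io/pocket-id/pocket-id`, the in-container data path `/app/data`, the port `1411`, and the extra `--cap-drop ALL` / `no-new-privileges` hardening flags are assumptions of this example and are not taken from the thread.

```shell
#!/bin/sh
# Added example (not Pocket ID project code): prepare a bind-mounted data
# directory for a container whose process runs as an unprivileged uid:gid,
# verify the ownership, and build the matching `docker run` command line.
#
# Assumed values (not from the thread): image ghcr.io/pocket-id/pocket-id,
# in-container data path /app/data, listen port 1411.

# owner_of DIR -> prints "uid:gid" of DIR (GNU stat first, BSD stat as fallback)
owner_of() {
    stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"
}

# prepare_data_dir DIR UID GID
# Creates DIR *before* the container ever starts and makes it owned by UID:GID.
# If Docker has to create the directory for a bind mount it is owned by root,
# and a process started with --user UID:GID cannot write to it. Returns 0 when
# the directory is owned by UID:GID afterwards, 1 otherwise (for example when
# chown needs privileges you do not have: rerun this setup step as root).
prepare_data_dir() {
    dir=$1; uid=$2; gid=$3
    mkdir -p "$dir" || return 1
    if [ "$(owner_of "$dir")" != "$uid:$gid" ]; then
        chown "$uid:$gid" "$dir" 2>/dev/null || return 1
    fi
    # Only the service user needs access to the database and keys.
    chmod 700 "$dir" || return 1
    [ "$(owner_of "$dir")" = "$uid:$gid" ]
}

# docker_run_cmd DIR UID GID -> prints the docker command line without running it.
# --user and --read-only are the flags from the thread; dropping all
# capabilities and setting no-new-privileges are additional hardening that a
# single static binary does not need to work, and are this example's assumption.
docker_run_cmd() {
    dir=$1; uid=$2; gid=$3
    printf 'docker run -d --name pocket-id --user %s:%s --read-only --cap-drop ALL --security-opt no-new-privileges -p 1411:1411 -v %s:/app/data ghcr.io/pocket-id/pocket-id\n' \
        "$uid" "$gid" "$dir"
}

# main DIR [UID] [GID]: set up the directory and refuse to continue if the
# ownership check fails, instead of starting a container that cannot write.
main() {
    dir=${1:-./pocket-id-data}; uid=${2:-1000}; gid=${3:-1000}
    if prepare_data_dir "$dir" "$uid" "$gid"; then
        echo "data dir $dir owned by $(owner_of "$dir"); start with:"
        docker_run_cmd "$dir" "$uid" "$gid"
    else
        echo "refusing to start: $dir is owned by $(owner_of "$dir"), not $uid:$gid (rerun as root)" >&2
        return 1
    fi
}

# Run only when a data directory is given via the environment, so the file can
# also be sourced for its functions. Example: PID_DATA_DIR=/srv/pocket-id sh prepare.sh
if [ -n "${PID_DATA_DIR:-}" ]; then
    main "$PID_DATA_DIR" "${PID_UID:-1000}" "${PID_GID:-1000}"
fi
```

The ownership check before `docker run` is the part worth keeping even if you script the rest differently: a root-owned bind mount combined with `--user` fails only at first write, which for an identity provider means at first setup or first login. On Kubernetes the equivalent of the chown step is `fsGroup` in the pod `securityContext`, which the kubelet applies to volume types that support it (PersistentVolumeClaims, not hostPath), alongside the `runAsUser`/`runAsGroup`/`readOnlyRootFilesystem` settings quoted above.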

@robvanvolt commented on GitHub:

> I don't see anything cumbersome here. Any decent docker image I am using already offers me the option to choose the uuid and guid I want to run it as and the minimum one should know about docker is how to create folders and set permissions. If you lack that knowledge imho you have no business running an oic provider. Not addressing anyone directly here, just stating my opinion.

I agree, my wording here was a bit exaggerated - I should have written "a minimum amount of additional steps in the initial setup" instead of "the slightly more cumbersome initial setup" to be more clear!


@robvanvolt commented on GitHub:

> > The size of the distroless pocket-id is 30% of the current pocket-id version (~30 vs ~70 megabytes), and it most likely requires less compute resources to run... I think these are two big advantages, especially for low-resources compute environments!

> The advantages of distroless base images are smaller images (so faster pulls) and less maintenance. It shouldn't make any difference on the performance of the app, especially since Pocket ID is a statically-linked binary since 1.0.

I agree that the main benefits of distroless are smaller image size and less maintenance. But I still think there’s a case to be made for improved runtime characteristics, especially in lower-resource or edge environments - even with a statically-linked binary. The fact that the distroless version strips away the shell, package manager, init system means there’s just less for the container runtime to deal with. That usually translates to lower memory overhead, faster cold starts, and fewer background processes consuming resources.

In practice, the difference might not be dramatic in all environments, but I’d still argue it matters... especially when you’re running many containers at once, or operating in tight memory conditions (e.g., Raspberry Pi Zero 2W).


@robvanvolt commented on GitHub:

> Just a note that you already can run Pocket ID as non-root AND with read-only root FS. We made changes in the last few months to make sure that's possible.
>
>   • On Docker, you can run the container with: `--user 1000:1000 --read-only`
>   • On K8s (includes Podman) you can use pods with `securityContext: {readOnlyRootFilesystem: true, runAsUser: 1000, runAsGroup: 1000}`
>
> In fact, I've been using the above for a while in my own setup. It works like a charm (assuming you have preemptively set the permissions on the filesystem)
>
> So this issue may be more about docs than actual changes in the project, at least for the non-root part? I can write the docs too.
>
> As for distroless... There have been conversations about that. Right now we are using a base image with a shell because of the entry script (https://github.com/pocket-id/pocket-id/blob/main/scripts/docker/entrypoint.sh), which sets the permissions on the file system.
>
> I would agree with @stonith404 that having the entrypoint (which requires a shell AND root) is a convenience.
>
> But maybe we could offer an additional image variant that is distroless (and rootless by default)?

The size of the distroless pocket-id is 30% of the current pocket-id version (~30 vs ~70 megabytes), and it most likely requires less compute resources to run... I think these are two big advantages, especially for low-resources compute environments!


@ItalyPaleAle commented on GitHub:

Docs PR with instructions for running as rootless: pocket-id/website#115


@ItalyPaleAle commented on GitHub:

> The size of the distroless pocket-id is 30% of the current pocket-id version (~30 vs ~70 megabytes), and it most likely requires less compute resources to run... I think these are two big advantages, especially for low-resources compute environments!

The advantages of distroless base images are smaller images (so faster pulls) and less maintenance. It shouldn't make any difference on the performance of the app, especially since Pocket ID is a statically-linked binary since 1.0.


Reference: starred/pocket-id#153