Running Tutor containers in unprivileged mode

This is a follow-up on previous conversations that I’ve had in the past with some Tutor users, particularly on Kubernetes, and notably @menardorama: Are you open to PR for K8S compliance?

I now have time to work on this issue again, such that Tutor runs 100% on unprivileged containers in Maple (scheduled for December 9th 2021).

As I mentioned earlier, the big issue is getting unprivileged containers to work well both in Kubernetes and docker-compose. The big problem with docker-compose is that we bind-mount directories (such as the media folder) from the host directly in the containers, and these folders are created with root ownership. Thus, any unprivileged user running in the Docker containers will not be able to write to these folders.

To bypass this issue, I suggest that we create an “ownership-job” job, in docker-compose only, which bind-mounts the data folder and sets the right permissions appropriately:

ownership-job:
    image: alpine
    volumes:
      - ../data:/data

The “init” job associated with this service would be:

chown -R 1000:1000 /data/openedx-media
chown -R 1000:1000 /data/mongodb
chown -R 1000:1000 /data/mysql
{{ patch("ownership-init") }}

I believe this should work and I can have a proof-of-concept fairly quickly. I would need testers to try it out in Kubernetes, where privileged containers are not authorized. Who would be interested?
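
One possible body for such an init job, added here as an illustration (it is not from the original post or from Tutor): it changes ownership only on entries that are not already 1000:1000, so repeated runs leave correct trees untouched, and it changes symlinks themselves rather than their targets. The function names and the data-root argument are assumptions.

```shell
#!/bin/sh
# Added example: idempotent ownership fix for bind-mounted data folders.
# count_mismatched, fix_ownership and the "$1" data root are hypothetical names.

# Print how many entries under DIR are not owned by UID:GID.
count_mismatched() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print | wc -l | tr -d ' '
}

# Chown only the entries that need it; skip folders that do not exist yet.
fix_ownership() {
    dir=$1 uid=$2 gid=$3
    if [ ! -d "$dir" ]; then
        echo "skip: $dir does not exist"
        return 0
    fi
    n=$(count_mismatched "$dir" "$uid" "$gid")
    if [ "$n" -eq 0 ]; then
        echo "ok: $dir already owned by $uid:$gid"
        return 0
    fi
    echo "fix: $n entries under $dir -> $uid:$gid"
    # -h changes a symlink itself instead of the file it points to.
    find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) \
        -exec chown -h "$uid:$gid" {} +
}

# Runs only when a data root is given, e.g. `sh fix-ownership.sh /data`.
# Folder names and the 1000:1000 owner are the ones listed in the post.
if [ -n "${1:-}" ]; then
    for name in openedx-media mongodb mysql; do
        fix_ownership "$1/$name" 1000 1000
    done
fi
```

The chown step needs root inside the job container, which is why it fits the docker-compose-only job described above rather than the unprivileged service containers.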