Rootless Container and Read-Only Filesystem

[jameswynn]

I don't run containers that require root in my cluster, so I forked and refactored the project such that it doesn't run as root and has a read-only filesystem. The big changes I made come down to:

• Move to standard ubuntu:22.04 as base image (no LSIO)
• Removed all chown commands
• Calling calibre_postinstall in Dockerfile instead of on startup
• Refactored s6 services to normal scripts in the CWA scripts directory
  • New entrypoint.sh that kicks off all the "services"
  • All RW data is under /config
    • dirs.json - copied on startup from /app/calibre-web-automated/dirs.json
    • metadata_change_logs
    • cwa_update_notice
    • metadata_temp

[geekifier]

Just wanted to say thank you for your work on this! I hope this can be reviewed soon. Presumably, this would be quite a breaking change for existing users due to potential ownership changes needed on existing volumes?

[FennyFatal]

I have some concerns that there are some people using the LS.io docker mods and init script runners which may not work well with an immutable filesystem.

Either way, this probably needs a rebase and further discussion, given recent merges.

[geekifier]

@FennyFatal at a minimum, I think dirs.json should be moved out of the overlay FS and into the /config path. Maybe I am missing something, but how do the custom settings there survive the container being recreated? If you agree, maybe I could work on a PR (I would also like to add ENV VAR to configure the paths).

[distante]

Following! I hope this PR gets merged and released soon.