IBM PEM applications running as non-root user inside Podman containers

The IBM PEM podman image runs as a non-root user by default. All application processes running inside the container are owned by the IBM PEM non-root default user. The IBM PEM non-root default user name is pemuser (id:1011) and the group name is pemgroup (id:1011).

Prerequisites before deploying IBM PEM by using the 18.4.4 podman image

  • The logs directory that is mounted into the application must have 755 permission.
  • The MountFiles directory and all of its sub-directories must have 755 permission (read and execute) so that the container, running as pemuser (id:1011), can access all MountFiles.

Changes after non-root user implementation in the IBM PEM podman image

  • All application processes that are running inside the IBM PEM image are owned by the IBM PEM non-root default user - pemuser (id:1011).

    If the IBM PEM non-root default user does not exist on the host system, all files created by the container are displayed with the numeric uid:gid 1011:1011.

  • All log files generated by the IBM PEM containers are owned by pemuser:pemgroup (1011:1011), and all logs are readable by the host system user.
  • Existing log files that are rolled over are also owned by the IBM PEM non-root default user, pemuser:pemgroup (1011:1011).
  • All users of the host system have read access to the log files.
  • The MountFiles and logs directory permissions are changed to 755.

Run IBM PEM podman container as a non-root user

To run podman containers as an IBM PEM non-root user on the host system, see the podman documentation for enabling the host system to let a non-root user run podman containers.

Steps to change the root user to the non-root user for running IBM PEM containers

If an existing container was run by the root user, the MountFiles and logs directories are owned by the root user. You must change their ownership from root to the non-root user before starting the IBM PEM container as the non-root user.
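The prerequisite checks above (755 on the logs and MountFiles trees, ownership by pemuser:pemgroup) and the root-to-non-root handover can be scripted on the host. The following is an added example, not part of the IBM PEM documentation; it assumes GNU find on a Linux host, and the function and variable names are assumed:

```shell
#!/bin/sh
# Added example, not from the IBM PEM documentation: verify (and, as root,
# repair) the ownership and permission bits that the MountFiles and logs
# directories need before a non-root user starts the PEM container.
# Assumes GNU find (Linux host). The 1011:1011 ids and the 755 mode come
# from the documentation; the function and variable names are assumed.

PEM_UID=1011   # pemuser
PEM_GID=1011   # pemgroup

# check_pem_dir DIR MODE UID GID
# Lists every directory under DIR (DIR itself included) that lacks one of the
# permission bits in MODE (octal, e.g. 755) or is not owned by UID:GID.
# Returns 0 when the tree is clean, 1 when something must be fixed.
check_pem_dir() {
  dir=$1; mode=$2; uid=$3; gid=$4
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
  # -perm -MODE matches only when ALL bits of MODE are set; we list the rest
  bad_mode=$(find "$dir" -type d ! -perm -"$mode" \
             -printf "mode %m (want $mode): %p\n")
  bad_owner=$(find "$dir" -type d \( ! -uid "$uid" -o ! -gid "$gid" \) \
              -printf "owner %U:%G (want $uid:$gid): %p\n")
  if [ -n "$bad_mode$bad_owner" ]; then
    printf '%s\n' "$bad_mode" "$bad_owner" | sed '/^$/d'
    return 1
  fi
  return 0
}

# fix_pem_dir DIR MODE UID GID
# Hands a tree created by a root-run container to the non-root user: every
# file and directory gets UID:GID, and every directory gets MODE. Needs root
# (or sudo) when the current owner is someone else.
fix_pem_dir() {
  chown -R "$3:$4" "$1" && find "$1" -type d -exec chmod "$2" {} +
}

# Typical use on the host before the non-root user starts the container.
# /home/test_user/MountFiles and /home/test_user/logs/pem are the host paths
# from the podman run command later on this page.
if [ "${1:-}" = "--check" ]; then
  check_pem_dir /home/test_user/MountFiles 755 "$PEM_UID" "$PEM_GID"
  check_pem_dir /home/test_user/logs/pem 755 "$PEM_UID" "$PEM_GID"
fi
```

Run the check as any host user; run fix_pem_dir as root only for trees that a root-run container left behind.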

Steps to run a container as a non-root user

  1. Create a new podmanfile using the PEM release image as base image with the following details:
    1. Add the following command to take the release image as base image:
      FROM <release image>
    2. Add the following command to run the below mentioned commands as root:
      USER root
    3. Add the following command to define argument for custom user:
      ARG customUser=
    4. Add the following command to define argument for custom user ID:
      ARG customUserId=
    5. Add the following command to define argument for custom group:
      ARG customGroup=
    6. Add the following command to define argument for custom group ID:
      ARG customGroupId=
    7. Add the following command to create a custom group:
      RUN groupadd -g ${customGroupId} ${customGroup}
    8. Add the following command to create a custom name and assign it to the custom group:
      RUN useradd -u ${customUserId} -r -g ${customGroup} -m -d /${customUser} -s /sbin/nologin -c "PEM custom user" ${customUser}
    9. Add the following command to provide permissions for the created user:
      RUN chmod 750 /${customUser}
    10. Add the following command to provide permissions for the created user to the working directory in image:
      RUN chown -f -R ${customUser}:${customGroup} /opt/IBM/ && chmod -R 755 /opt/IBM/
    11. Add the following command to add the custom group to the sudoers group:
      RUN echo "%$customGroup ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
    12. Add the following command to switch to the custom user:
      USER ${customUser}
    13. Add the following CMD command to run the script:
      CMD ["/bin/bash", "/opt/IBM/runContainer.sh"]
    Note: The name of the podman file that you created should be podmanfile.
  2. Run the build command to build the image for the podmanfile you created.
    podman build --build-arg customGroupId=1012 --build-arg customUserId=1012 --build-arg customUser=test_user --build-arg customGroup=podman -t pem .
    Note:
    • customGroupId, customUserId, customUser, and customGroup are environment variables passed as build arguments.
    • The build arguments customUserId and customGroupId must be the uid and gid of the selected host user and group. The build arguments customUser and customGroup must be the names of the selected host user and group.
    • If the --build-arg for the user name or group name (USER_NAME/GROUP_NAME) is missing from the command, pemuser/pemgroup is used as the default USER_NAME/GROUP_NAME.
  3. Use the following command to use the new image to start the container:
    podman run --name=PEM_PEM_Headstream1 -v /home/test_user/MountFiles:/opt/IBM/Resources -v /home/test_user/logs/pem:/opt/IBM/PEM_PR_PP_servers/usr/servers/mrm/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application=pem -e userGroup=podman -e userName=test_user -p 10.15.101.181:17100:9443 -dt pem
  4. Note: This step applies only to certified containers.
    Use the new image id/tag for all subsequent Certified Container installation configurations. If you deploy with the ibm-pem-standard-prod Helm chart, you must edit values.yaml with the following, using the same user/group ID that you used when building the image:
    security:
      supplementalGroups:
        - 555
      fsGroup: ${customGroupId}
      runAsUser: ${customUserId}

Run IBM PEM containers with restricted permission for MountFiles

If you want to start the container with restricted MountFiles read and execute permissions (750: no read permission for other users), the host system must have a user and group with the same names and IDs as the container's, pemuser (id:1011):pemgroup (id:1011). After the host system replicates the container's user in this way, the IBM PEM container starts with the restricted MountFiles.