Harden Traefik systemd service #4302

Merged
merged 2 commits into from Jan 7, 2019

6 participants
@jacksgt
Contributor

jacksgt commented Dec 17, 2018

Since Traefik is running as root on the system, it makes sense to
apply various lock down measures to keep the system as safe as possible.

Includes mounting most of the directories as read-only or even making them
inaccessible, restricting kernel modifications and limiting the number of
processes the unit may spawn.

Also add checks at service startup to ensure all required files are present.

@jacksgt

Contributor Author

jacksgt commented Dec 17, 2018

No idea why the build failed; it definitely isn't related to my change.

Step 3/9 : RUN go get github.com/containous/go-bindata/... && go get golang.org/x/lint/golint && go get github.com/kisielk/errcheck && go get github.com/client9/misspell/cmd/misspell
 ---> Running in 17a424b3a78e
package github.com/containous/go-bindata/...: github.com/containous/go-bindata/...: invalid import path: malformed import path "github.com/containous/go-bindata/...": double dot
The command '/bin/sh -c go get github.com/containous/go-bindata/... && go get golang.org/x/lint/golint && go get github.com/kisielk/errcheck && go get github.com/client9/misspell/cmd/misspell' returned a non-zero code: 1
make: *** [build] Error 1
make validate failed, attempt 3/3

Can someone please trigger a re-build?

@ldez ldez force-pushed the jacksgt:harden-systemd-service branch from a898065 to d2be65c Dec 17, 2018

@mmatur mmatur added this to the 1.7 milestone Dec 17, 2018

@mmatur mmatur force-pushed the jacksgt:harden-systemd-service branch from d2be65c to fc042bb Dec 17, 2018

@jacksgt jacksgt requested review from containous/docker as code owners Dec 17, 2018

@mmatur mmatur changed the base branch from master to v1.7 Dec 17, 2018

@mmatur mmatur removed request for containous/kubernetes Dec 17, 2018

@mmatur mmatur removed the bot/no-merge label Dec 17, 2018

@ldez ldez requested a review from mmatur Dec 18, 2018

@alemairebe


alemairebe commented Dec 21, 2018

It could also be run by a standard user with these 2 under [Service]:
User=traefik
AmbientCapabilities=CAP_NET_BIND_SERVICE

@jacksgt

Contributor Author

jacksgt commented Dec 22, 2018

@alemairebe I thought about adding that too, but then again it requires setting up a user for traefik and assigning appropriate permissions to /etc/traefik.toml and /etc/acme.json.
Nothing complicated, but at least it's not documented anywhere.

Maybe we can add that as a comment to the service file?

[Service]
# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)
#User=traefik
#AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=...
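The measures listed in the PR description (read-only or inaccessible directories, restricted kernel modification, a cap on spawned processes, startup checks) together with the separate-user idea from this thread, combined into one unit file. This is an added illustration, not the contrib/systemd/traefik.service that was merged in this PR: /etc/traefik.toml, /etc/acme.json and the traefik user come from the discussion, while the binary path /usr/local/bin/traefik, the limit values and the directive selection are assumptions to be adapted to the host.

```ini
# Hypothetical hardened unit for Traefik (added example, not the project's own file).
# Requires a systemd new enough for ProtectSystem=strict and ProtectKernel* (232+).
[Unit]
Description=Traefik
Documentation=https://docs.traefik.io
After=network-online.target
Wants=network-online.target
# Startup check: refuse to start at all if the configuration is missing.
AssertPathExists=/etc/traefik.toml

[Service]
Type=simple
# Run as a dedicated account (create it with: useradd -r -s /bin/false -U -M traefik)
# and keep only the capability needed to bind ports 80/443 as non-root.
User=traefik
Group=traefik
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

# Startup checks: fail fast with a clear journal message instead of on the first request.
# acme.json must already exist and be owned by traefik, mode 0600, for -w to succeed.
ExecStartPre=/usr/bin/test -r /etc/traefik.toml
ExecStartPre=/usr/bin/test -w /etc/acme.json
ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik.toml
Restart=on-failure

# Filesystem: whole tree read-only except the ACME state file; /home and /root
# become inaccessible; private /tmp and a minimal /dev.
ProtectSystem=strict
ReadWritePaths=/etc/acme.json
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

# Kernel surface: no sysctl writes, no module loading, no cgroup changes.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

# Resource limits: bound the number of tasks the unit may create, but keep the
# descriptor limit high because a reverse proxy holds many sockets (values assumed).
TasksMax=512
LimitNPROC=512
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
```

After installing the unit, run `systemctl daemon-reload` and watch `journalctl -u traefik` on the first start: with ProtectSystem=strict every other path the process writes (an access log, a plugin directory) shows up as a permission error and must be added to ReadWritePaths, and a missing acme.json fails the second ExecStartPre rather than the bind mount. Because ReadWritePaths is applied as a bind mount, the file has to exist before the service starts.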
@alemairebe


alemairebe commented Dec 27, 2018

@jacksgt I guess that would be a good first step :-)
I have no idea how useful it can be to the whole community and users.

@jacksgt jacksgt force-pushed the jacksgt:harden-systemd-service branch from fc042bb to f634229 Dec 27, 2018

@jacksgt

Contributor Author

jacksgt commented Jan 2, 2019

@mmatur Could you please review this PR?

@mmatur
Member

mmatur left a comment

Hi @jacksgt,

First of all, thanks for your interest in the project. In this contribution all new params should be commented because they are not mandatory.

Only a few comments:

Two review comments on contrib/systemd/traefik.service (resolved, now outdated).

@jacksgt jacksgt force-pushed the jacksgt:harden-systemd-service branch from 83c081a to 389cb86 Jan 4, 2019

@jacksgt jacksgt requested review from containous/marathon as code owners Jan 4, 2019

@jacksgt

Contributor Author

jacksgt commented Jan 4, 2019

I added a brief comment for all new parameters (for more in-depth information the systemd man page should be consulted).

@ldez ldez force-pushed the jacksgt:harden-systemd-service branch from 389cb86 to 5db899b Jan 4, 2019

@ldez ldez removed the request for review from containous/marathon Jan 4, 2019

@ldez ldez removed the request for review from containous/rancher Jan 4, 2019

@mmatur

mmatur approved these changes Jan 4, 2019

Member

mmatur left a comment

LGTM

@dtomcej

dtomcej approved these changes Jan 7, 2019

Member

dtomcej left a comment

LGTM
:shipit:

@ldez

ldez approved these changes Jan 7, 2019

Member

ldez left a comment

LGTM

jacksgt and others added some commits Dec 17, 2018

Harden Traefik systemd service
Since Traefik is directly connected to the internet, it makes sense to
apply various lock down measures to keep the system as safe as possible.

Includes mounting most of the directories as read-only or even making them
inaccessible, restricting kernel modifications and limiting the number of
processes the unit may spawn.

Also add checks at service startup to ensure all required files are present.

Additionally documents how to set up a separate user for traefik and run the
service as that user.

@traefiker traefiker force-pushed the jacksgt:harden-systemd-service branch from 11fb692 to c311a12 Jan 7, 2019

@traefiker traefiker merged commit 13c32de into containous:v1.7 Jan 7, 2019

3 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
deploy/netlify Deploy preview ready!
semaphoreci The build passed on Semaphore.

@ldez ldez referenced this pull request Jan 8, 2019

Merged

Cherry pick v1.7 into master #4365

16 of 16 tasks complete