Run Dockerized server process as unprivileged user by default #79
Comments
Actually, after reading up a bit more on how Docker works, I'm not sure this feature needs to be added to acme-dns itself. I'm able to get the process to run as an unprivileged user using a compose file like this:

```yaml
version: '2'
services:
  acmedns:
    image: joohoi/acme-dns:latest
    ports:
      - "443:1443"
      - "53:1053/udp"
      - "80:1080"
    user: 1000:1000
    volumes:
      - /containers/acme-dns/config:/etc/acme-dns:ro
      - /containers/acme-dns/data:/var/lib/acme-dns
```

Where '1000' is the user id of the user on the host that I want to run acme-dns as. Note also that I had to change the config file to ensure acme-dns doesn't try to bind to any privileged ports (though those ports are then remapped by Docker, as you can see in the config file above).
Oops, looks like there's a problem; the directory cache for ACME certs,
Now that #81 is merged, it's possible to run acme-dns as an unprivileged user with the above. That's enough to satisfy my use-case, but I'm going to leave this issue open as a request to run the container as an unprivileged user by default. I realize that's a bit tricky to do since user IDs within the Docker container don't necessarily match up with user IDs on the host system, so if you hard-code a user ID in the Dockerfile that might result in the container process running as an essentially random user. That's certainly confusing behavior, but it's an arguably better solution than just always running as root, and you can reduce confusion by updating the docs to tell users to explicitly specify which user ID to run the container as.
Yeah, that sounds good. My Docker-fu runs short right about here though. If someone with strong knowledge of best practices in this area would like to help here, it would be more than welcome!
For anyone else that needs a bit of help, here is my full Dockerfile:

```dockerfile
FROM joohoi/acme-dns AS release
FROM tcely/alpine-aports
EXPOSE 10053/tcp 10053/udp 10080/tcp 10443/tcp
ENTRYPOINT ["/usr/local/bin/acme-dns"]
COPY --from=release /root/acme-dns /usr/local/bin/acme-dns
RUN mkdir -p /etc/acme-dns /var/lib/acme-dns && chown -R postgres:postgres /var/lib/acme-dns
VOLUME ["/etc/acme-dns", "/var/lib/acme-dns"]
RUN apk --no-cache add ca-certificates
WORKDIR /var/lib/acme-dns
USER postgres:postgres
```

Here is the service entry:

```yaml
acme:
  image: 'tcely/acme-dns'
  build:
    context: './build/acme-dns'
  restart: 'unless-stopped'
  ports:
    - '53:10053'
    - '53:10053/udp'
    - '80:10080'
    - '443:10443'
  volumes:
    - './data/acme-dns/etc:/etc/acme-dns:ro'
    - './data/acme-dns/lib:/var/lib/acme-dns'
```

The UID and GID for Put your Then just drop the
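Pulling the two approaches in this thread together (the `user:` override from the first comment and the multi-stage build above), here is an added example Dockerfile; it is not the acme-dns project's Dockerfile nor the one posted above. It assumes an `alpine:3.19` base, a dedicated `acmedns` user, build args named `ACMEDNS_UID`/`ACMEDNS_GID`, and an acme-dns config that listens on the unprivileged ports 1053, 1080 and 1443 as described in the first comment.

```dockerfile
# Added example (not the project's own Dockerfile). Goal: never run the
# public-facing acme-dns process as root, and make the UID it runs as explicit
# and overridable so ownership of the bind-mounted data directory is predictable.
# Build with:  docker build --build-arg ACMEDNS_UID=$(id -u) --build-arg ACMEDNS_GID=$(id -g) .

# Global build args (assumed names); redeclared in the stage that uses them.
ARG ACMEDNS_UID=1000
ARG ACMEDNS_GID=1000

# Stage 1: reuse the upstream image only as the source of the binary,
# which lives at /root/acme-dns in the upstream image.
FROM joohoi/acme-dns:latest AS release

# Stage 2: minimal runtime image (alpine:3.19 is an assumption).
FROM alpine:3.19
ARG ACMEDNS_UID
ARG ACMEDNS_GID

# ca-certificates is needed for outbound TLS (Let's Encrypt), then create a
# dedicated system user with the requested UID/GID, no password and no home.
RUN apk --no-cache add ca-certificates \
 && addgroup -g "${ACMEDNS_GID}" acmedns \
 && adduser -D -H -u "${ACMEDNS_UID}" -G acmedns acmedns \
 && mkdir -p /etc/acme-dns /var/lib/acme-dns \
 && chown acmedns:acmedns /var/lib/acme-dns

COPY --from=release /root/acme-dns /usr/local/bin/acme-dns

# Only unprivileged ports are exposed; map 53/80/443 on the host to these
# in docker-compose (e.g. "53:1053/udp"), as the first comment does.
EXPOSE 1053/tcp 1053/udp 1080/tcp 1443/tcp

# Config is mounted read-only, so it must be readable by this UID; the data
# directory must be writable by it (sqlite database, certificate cache).
VOLUME ["/etc/acme-dns", "/var/lib/acme-dns"]
WORKDIR /var/lib/acme-dns

# Drop privileges for everything that follows, including ENTRYPOINT.
USER acmedns:acmedns
ENTRYPOINT ["/usr/local/bin/acme-dns"]
```

A quick check after starting the container is `docker exec <container> id`, which should report the chosen UID rather than `uid=0(root)`; the compose `user:` key can still override it per deployment.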
Did this ever go anywhere? Does anyone have a published latest version out there that runs non-root?
Would be nice from a security perspective if the Dockerized version of acme-dns automatically started as an unprivileged user (instead of as root).
The container does provide some level of isolation from the host system already (though as I understand it that isolation isn't perfect, especially against root), but no sense in giving the public-facing server any more permissions than necessary.