![docker run as root dockerfile docker run as root dockerfile](https://www.middlewareinventory.com/wp-content/uploads/2019/04/Screen-Shot-2019-04-09-at-7.31.14-AM.png)
Sure, but that's if you want to use /data and /config - you don't have to. Īs it stands, that is as simple as chowning the /data and /config directory as a non-root user It is only possible by explicitly doing so in another Dockerfile, changing the ownership/mode, and then re-assigning it as a VOLUME (as I've done in the my image). Due to docker's design, it is not possible to change the ownership (or the mode) of a VOLUME in a running container. This was what initially prompted me to raise this as an issue. As it stands, that is as simple as chowning the /data and /config directory as a non-root user. I think even if Caddy doesn't change the default, that would totally be okay, but making it easier for individual to run caddy in non-root mode, in my opinion is a must. Though this is a personal preference, and isn't entirely based on any specific threat model, rather it's more of a precautionary issue. I'm using caddy for a personal project, but I think running as non-root is a no-brainer for me considering it's such a trivial task that gives a lot with little effort. It's worth considering why you want to run as non-rootĭefinitely agree with this. It is also impossible to run it as a non-root user using docker's (and docker-compose's) user arguments because the volumes /data and /config are owned by root, so when caddy runs as non-root, it does not have the correct permissions to those directories to function correctly.
![docker run as root dockerfile docker run as root dockerfile](https://cdn.thenewstack.io/media/2019/06/56059748-dockerfilec.jpg)
In addition, for nginx, the configuration ignores the user/group options if the main process runs a non-root user.Ĭaddy does not have an option to delegate workers (I'm presuming requests run in go routines so that wouldn't even make sense). One can indeed run as root, though it is discouraged in multiple places. While this is true, it's worth noting that nginx and httpd both have the option to delegate the actual workers (I don't know if it's the same with traefik and haproxy).
#Docker run as root dockerfile update
If you could let me know what that option is I'll gladly update my image. Maybe I was blind and/or I misunderstood. I didn't see an option to run caddy on a non-standard port, hence why I used setpcap. In most cases where users want to run as non-root, they also don't need to listen to :80/:443 in the container, so the setpcap magic isn't necessary at all. I will leave this open to discuss possibilities, but I think the starting point is probably to just provide some better documentation around running as sorry, I had forgotten about this issue. In my experience the main reason for running as non-root is to pass compliance checks - not a bad reason, but it's also worth recognizing that non-compliance does not automatically equal decreased security (and vice-versa). It's also worth considering user namespace remapping as a mitigation. What attack vectors are you trying to avoid? Container escape vulnerabilities are pretty much the only real risk, but anyone running a modern Docker version is immune to many of them. At a quick glance, none of nginx, traefik, httpd, or haproxy support running as non-root out of the box either.įinally, it's worth considering why you want to run as non-root. It's also worth noting that caddy is an official image, and as such needs to be similarly-shaped to other official images of the same type. In most cases where users want to run as non-root, they also don't need to listen to :80/ :443 in the container, so the setpcap magic isn't necessary at all. If your Dockerfile works for you, that's great. We actually originally did run as non-root by default, but simplicity we decided to drop that (see #24, and also #103 for some other related discussion).
![docker run as root dockerfile docker run as root dockerfile](https://cdn.ttgtmedia.com/rms/onlineImages/itoperations_docker_plain-text-manifesto-file_mobile.png)
Hi - my apologies for replying so late (been vacationing and otherwise distracted)! Then after perhaps a couple of versions, this stop gap can be replaced fully with a non-root user without going through the trouble of dropping privileges.
#Docker run as root dockerfile upgrade
One thing worth considering is that this might be not be an easy upgrade for many, indeed, it may be that we'd need a temporary stop gap that runs the container as root, changes ownership of files/folders, then drops privileges. FROM alpine:3.12ĬOPY -from=deps /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crtĬOPY -from=deps /etc/mime.types /etc/nf /etc/ĬOPY -from=builder /usr/bin/caddy /caddyĪdduser -u 101 -D -S -G www-data www-data \ĮNV XDG_CONFIG_HOME=/config XDG_DATA_HOME=/dataĬMD Presuming because libcap isn't available? Not sure. # We cannot use FROM scratch because, despite adding cap_net_bind_service to the binary # it still won't run.