
Use a user, not root, to run caddy

Open asakurayoh opened this issue 6 years ago • 7 comments

Would it be possible to set a user to run caddy, and not root? It's not possible to override the root user and group id, and that causes problems with the local filesystem (as files are created as root).

I've tried to create my own image based on abiosoft/caddy, without success...

asakurayoh avatar Apr 23 '18 16:04 asakurayoh

This has been done in the past but it broke things for people and it got reversed after multiple complaints. I'd give it another shot and maybe put it under a :noroot tag for a start.

abiosoft avatar Apr 23 '18 16:04 abiosoft

That would be appreciated. It's a bad practice to use root to run a process in docker, as you can't override the id of root...

Thanks.

asakurayoh avatar Apr 25 '18 13:04 asakurayoh

Could you elaborate on how it broke in the past?

hartwork avatar Jun 24 '18 12:06 hartwork

Haven't extensively tested this yet but this has been working so far:

docker run -p 80:80 -u 1000:1000 --sysctl net.ipv4.ip_unprivileged_port_start=0 -v /home/you/Caddyfile:/etc/Caddyfile abiosoft/caddy

docker-compose has a sysctl and user section to achieve the same effect.

Using this method, the container no longer has permission to access the host /etc/shadow for example, even if you mount it.

I'll report back if I encounter any issues.

gnat avatar Oct 30 '19 10:10 gnat

Just FYI got this working fairly seamlessly with Caddy over https:// with Let's Encrypt working. You can de-escalate your privileges from root to a caddy user using setpriv (or gosu). setpriv is a standard utility in most distros now making it super easy in ubuntu or even alpine.

Doing the de-escalation at runtime is important so you can re-chown your host bind mounts (enabling the ability to change your Caddyfile locally at any time).

Basically, set an entrypoint.sh script to perform any needed chown with your host bind mounts, and then have it run caddy with setpriv --reuid=caddy --regid=nogroup --init-groups /usr/bin/caddy.

You can see an example of this in action in the mysql and jenkins docker images currently.

For this to work you also need to remember to set sysctls: net.ipv4.ip_unprivileged_port_start=0 in your docker-compose.yml or set the sysctl when using docker run so you can access port 80 and port 443 as a non-root user. (You could also set this seamlessly in entrypoint.sh using setcap 'cap_net_bind_service=+ep' /usr/bin/caddy before switching to the caddy user. Probably the best way!)

gnat avatar Nov 01 '19 11:11 gnat
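An entrypoint of the shape gnat describes, as an added example that is not gnat's script and not the abiosoft/caddy project's own code: started as root it re-owns the bind mounts, grants caddy the port-binding file capability only when the sysctl from the earlier comment is not set, and drops to an unprivileged user with setpriv; started with `docker run -u` it just execs caddy. Assumed (not from the thread): a `caddy` user exists in the image, util-linux `setpriv` and libcap `setcap` are installed, caddy lives at `/usr/bin/caddy`, and the container's CMD supplies caddy's arguments.

```shell
#!/bin/sh
# Illustrative entrypoint.sh: not gnat's script nor the abiosoft/caddy image's own.
# Assumed: "caddy" user in the image, setpriv and setcap installed, caddy at
# /usr/bin/caddy, and the container CMD passing caddy's arguments to this script.
set -eu

CADDY_USER="${CADDY_USER:-caddy}"
CADDY_GROUP="${CADDY_GROUP:-nogroup}"
CADDY_BIN="${CADDY_BIN:-/usr/bin/caddy}"
# Bind mounts caddy must own; adjust to your compose file (assumed defaults).
CADDY_CHOWN_PATHS="${CADDY_CHOWN_PATHS:-/etc/Caddyfile /srv}"

# True when an unprivileged process cannot bind both 80 and 443, given the
# current net.ipv4.ip_unprivileged_port_start (0 with the --sysctl from the
# thread; 1024 by default, so ports below 1024 are privileged).
needs_bind_cap() {
  [ "$1" -gt 80 ]
}

# The setpriv invocation from the thread, printed so it can be inspected.
drop_priv_cmd() {
  printf 'setpriv --reuid=%s --regid=%s --init-groups %s\n' "$1" "$2" "$3"
}

# Re-own bind mounts so the Caddyfile and site root stay editable after the
# uid switch; paths that are missing or already owned by caddy are left alone.
fix_ownership() {
  for p in $CADDY_CHOWN_PATHS; do
    [ -e "$p" ] || continue
    [ "$(stat -c %U "$p")" = "$CADDY_USER" ] && continue
    chown -R "$CADDY_USER:$CADDY_GROUP" "$p"
  done
}

main() {
  if [ "$(id -u)" -ne 0 ]; then
    exec "$CADDY_BIN" "$@"   # started with docker run -u: nothing to drop
  fi
  fix_ownership
  start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)
  if needs_bind_cap "$start"; then
    # File capability is applied on exec, so it survives the uid switch.
    setcap 'cap_net_bind_service=+ep' "$CADDY_BIN"
  fi
  # Word splitting is intended: user, group and binary names contain no spaces.
  exec $(drop_priv_cmd "$CADDY_USER" "$CADDY_GROUP" "$CADDY_BIN") "$@"
}

# Run only when caddy arguments are supplied (the container's CMD).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

With `ENTRYPOINT ["/entrypoint.sh"]` and `CMD ["--conf", "/etc/Caddyfile"]` in the Dockerfile, caddy ends up running as `caddy` whether or not the compose file sets the sysctl.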

@abiosoft @asakurayoh if you want me to post my changes and entrypoint.sh, let me know. I'm just hesitant because apparently Caddy v2 is doing their own Dockerfile to replace this project?

gnat avatar Nov 01 '19 11:11 gnat

@gnat If it is possible, can you post your changes and entrypoint.sh? Thanks in advance.

dmigis avatar Dec 02 '19 10:12 dmigis