
Use bridge network instead of host network and improve the README

Open Guiorgy opened this issue 6 months ago • 2 comments

First of all, this is a breaking change!

Using host network breaks Docker's network isolation security features and allows access to other services on the host if the container gets compromised, so it is generally only advised if performance is absolutely critical (it avoids additional NAT).

Also changed the monitoring address inside the config file; instead, the user can choose whether to even expose the port at all (if they don't specify -p 1099:1099 it won't be accessible), to only allow access on the host's localhost (-p 127.0.0.1:1099:1099 means it is exposed only on the host's localhost), or to expose it to everyone (not recommended, but they can if they really want). This change is necessary to be able to access the monitoring at all from outside the container.

Also replaced --mount options with -v (--volume), which is specifically made for volumes and is much easier to use.

Edit: Having the monitoring address be 127.0.0.1:1099 means that those using the recommended bridge network instead of host network are unable to use monitoring at all. ~Would you be interested in having an environment variable that a user can use to change this value from the entry point script?~ On second thought, I really don't see a good reason to use host network. Added a variable to enable/disable monitoring, since the user may not want it anyway. Currently it is opt-in to enable, though; we could make it the opposite.

Edit: And if we use the bridge network, there's no need to bind to privileged ports, so we can drop the line that gives the user inside the container that capability. We just bind to some fixed port, e.g. 1025 instead of 25, and it's up to the user what this port maps to on the host. Since the Docker daemon runs as root by default, they can use privileged ports, e.g. 25:1025, or if they are already using that port or don't want to use a privileged port, the bridge network allows them to use any port they wish, e.g. 1234:1025, so it is much more flexible. We just have to agree on which ports to use inside the container, e.g. 1025 or 2525 or something else? Let me know if you'd prefer different numbers. Also, I will test later today, just in case.

Edit: Also made some README improvements:

  • When running the container, specify a name. This makes it easier to find later in the docker ps list, and the user doesn't have to look up the container ID to operate on it: operations like getting a shell into the container can be done using this name instead, which is much simpler for the user.
  • Run the container as a daemon, and added instructions to view the status of the container, stop it, and view its logs (with timestamps and follow).
  • Added instructions to view dovecot logs.

Guiorgy, Aug 03 '25 22:08
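The bridge-network setup described in the PR above, as an added shell example that is not part of the PR or of the chasquid repository. It builds the `docker run` line (and the status/stop/logs commands mentioned in the README changes) rather than executing it, so it can be read and checked offline. The image tag, the `/data` mount path, the 1099 monitoring port and the in-container ports 1025 and 1587 are assumptions for illustration; only the "fixed unprivileged port inside, user-chosen port on the host" idea comes from the PR. The `check_isolation` function is the check a reviewer would want: it refuses any command line that reintroduces `--network host`, `--cap-add` or `--privileged`.

```shell
#!/bin/sh
# Added example, not chasquid project code. Builds the docker commands for the
# bridge-network setup; nothing here talks to the Docker daemon.
set -eu

IMAGE="${IMAGE:-chasquid:local}"              # assumed image tag
NAME="${NAME:-chasquid}"                      # container name used by ps/stop/logs
DATA="${DATA:-$HOME/chasquid-data}"           # assumed host dir mounted as /data
SMTP_HOST_PORT="${SMTP_HOST_PORT:-25}"        # host side: 25 needs root daemon, 1234 does not
SMTP_CTR_PORT=1025                            # fixed unprivileged port inside (assumed)
SUBMISSION_HOST_PORT="${SUBMISSION_HOST_PORT:-587}"
SUBMISSION_CTR_PORT=1587                      # assumed in-container submission port
MONITORING="${MONITORING:-loopback}"          # off | loopback | all

# monitoring_flag: how the monitoring port (1099, assumed) is published.
# off      -> not published at all (unreachable from the host)
# loopback -> reachable only from the host's 127.0.0.1
# all      -> reachable from any interface (not recommended)
monitoring_flag() {
  case "$1" in
    off)      printf '' ;;
    loopback) printf '%s' '-p 127.0.0.1:1099:1099' ;;
    all)      printf '%s' '-p 1099:1099' ;;
    *) echo "unknown MONITORING value: $1" >&2; return 1 ;;
  esac
}

# run_cmd: full `docker run` line. Bridge is Docker's default network, so no
# --network flag is passed; only the explicit -p mappings reach the container,
# and no capability is needed because the container never binds below 1024.
run_cmd() {
  mon=$(monitoring_flag "$MONITORING") || return 1
  cmd="docker run -d --name $NAME -v $DATA:/data"
  cmd="$cmd -p $SMTP_HOST_PORT:$SMTP_CTR_PORT"
  cmd="$cmd -p $SUBMISSION_HOST_PORT:$SUBMISSION_CTR_PORT"
  if [ -n "$mon" ]; then cmd="$cmd $mon"; fi
  printf '%s\n' "$cmd $IMAGE"
}

# Day-to-day operations by container name, as in the README changes.
status_cmd() { printf 'docker ps --filter name=%s\n' "$NAME"; }
stop_cmd()   { printf 'docker stop %s\n' "$NAME"; }
logs_cmd()   { printf 'docker logs --timestamps --follow %s\n' "$NAME"; }
shell_cmd()  { printf 'docker exec -it %s /bin/sh\n' "$NAME"; }

# check_isolation: returns 1 if the command line undoes the isolation the PR
# argues for (host networking, extra capabilities, privileged mode).
check_isolation() {
  case "$1" in
    *--network?host*|*--net?host*|*--cap-add*|*--privileged*) return 1 ;;
  esac
  return 0
}

printf 'run:    %s' "$(run_cmd)"; echo
printf 'status: %s' "$(status_cmd)"; echo
printf 'stop:   %s' "$(stop_cmd)"; echo
printf 'logs:   %s' "$(logs_cmd)"; echo
printf 'shell:  %s' "$(shell_cmd)"; echo
check_isolation "$(run_cmd)" && echo 'isolation check: ok'
```

Run it with `MONITORING=off` or `SMTP_HOST_PORT=1234` to see how the host-side mapping changes while the in-container port stays fixed; the printed `docker run` line is what you would paste, once the assumed image, paths and ports are replaced with the real ones.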

Thanks for reporting this and sending these patches!

On a cursory look this seems fine, but it is a busy week and I'm afraid it will take me a bit of time to go through it. I'll post another update once I've had a chance to look in more depth and hopefully merged it.

Thank you!

albertito, Aug 07 '25 22:08

Please, feel absolutely no pressure to have to look at this PR within any timeframe. I'm in no hurry! 😁

Guiorgy, Aug 07 '25 23:08