Please consider changes to run without root.
Overall your docker image makes running dmarcts-report-viewer and dmarcts-report-parser a neat solution.
You might consider changes to your build to run the services as a non-root user however.
For anyone who wants to do this immediately, the following Dockerfile makes this possible for the current gutmensch/dmarc-report:latest image:
```dockerfile
FROM gutmensch/dmarc-report:latest
# UID/GID of the unprivileged user; override at build time with --build-arg
ARG BUID=1000
ARG BGID=1000
USER root
# Create the dmarc user, move nginx off the privileged port 80 to 8080,
# stop entrypoint.sh from writing the php-fpm user/group/listen.* settings
# (a non-root php-fpm cannot switch user), and hand the config, runtime and
# log directories to the new user
RUN addgroup -g ${BGID} dmarc && \
    adduser -D -u ${BUID} -G dmarc -h /home/dmarc dmarc && \
    sed -i 's%.*listen [::]:80 default_server;% listen [::]:8080 default_server;%g' /etc/nginx/nginx.conf && \
    sed -i 's%.*listen 80 default_server;% listen 8080 default_server;%g' /etc/nginx/nginx.conf && \
    sed -i "s%echo 'user%#echo 'user%" /entrypoint.sh && \
    sed -i "s%echo 'group%#echo 'group%" /entrypoint.sh && \
    sed -i "s%echo 'listen.owner%#echo 'listen.owner%" /entrypoint.sh && \
    sed -i "s%echo 'listen.group%#echo 'listen.group%" /entrypoint.sh && \
    chown -R dmarc:dmarc /etc/php* /etc/nginx /var/lib/nginx /var/log /var/www /run /etc/supervisor*
USER dmarc
# Health check against php-fpm's ping endpoint on the new unprivileged port
HEALTHCHECK --interval=1m --timeout=3s CMD curl --silent --fail http://127.0.0.1:8080/fpm-ping
EXPOSE 8080
```
Hi @gav-, thanks for the input, much appreciated! Did you check that crond actually works this way in the image too? Could you provide a `supervisorctl status`? All open for changing the default image to unprivileged if it works, feel free to create a PR - your glory as contributor in this repo will be eternal. :)
Unfortunately crond does not work in a non-root container. I have worked around this by using cron on the host instead, by creating the file `/etc/cron.d/dmarc-report-parser`:

```
17 * * * * username docker exec dmarc-report sh -c '/usr/bin/dmarcts-report-parser.pl -i -d -r 1>>/var/log/nginx/dmarc-reports.log 2>&1'
```

If it were imperative that the scheduled report parsing be handled in the container, a simple bash function with a sleep loop and executed in the background via `entrypoint.sh` would probably suffice.
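One way to implement the in-container sleep loop described above, as an added example (not code from gutmensch/dmarc-report): the parser command and log file come from the host cron line, while the function names and the `start` argument are assumptions.

```shell
#!/bin/sh
# Added example, not part of the gutmensch/dmarc-report image: an unprivileged
# replacement for the `17 * * * *` cron entry, to be started in the background
# from entrypoint.sh when crond cannot run as a non-root user.

# Seconds from epoch time $2 until the next occurrence of minute $1 past the
# hour (epoch hours align with wall-clock hours in whole-hour timezones).
seconds_until_minute() {
    target=$(( $1 * 60 ))
    offset=$(( $2 % 3600 ))
    if [ "$offset" -lt "$target" ]; then
        echo $(( target - offset ))
    else
        echo $(( 3600 - offset + target ))
    fi
}

# The job itself: the same command the host cron line runs via docker exec.
run_parser() {
    /usr/bin/dmarcts-report-parser.pl -i -d -r >>/var/log/nginx/dmarc-reports.log 2>&1
}

# Sleep until minute $1, run the job, repeat. A failing parser run is logged
# and does not terminate the loop. Start from entrypoint.sh as: parser_loop 17 &
parser_loop() {
    while :; do
        sleep "$(seconds_until_minute "$1" "$(date +%s)")"
        run_parser || echo "dmarc parser exited with status $?" >&2
    done
}

# Only start the loop when explicitly asked ("start [minute]"), so the file
# can also be sourced for its functions without side effects.
if [ "${1:-}" = "start" ]; then
    parser_loop "${2:-17}" &
    wait
fi
```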
Yeah, other solutions are possible (even with supervisor these days, I think), but since I was planning to replace the whole parser part with a golang port anyway, which resolves all of this and gives the benefit of user privileges, I'll keep this issue open until the replacement is there, and consider this resolved then.