
Support read-only root fs and non-root user

Open SchoolGuy opened this issue 1 year ago • 3 comments

Output of rest-server --version

restic/rest-server:0.12.1

What should rest-server do differently?

Run the rest-server binary as a non-root user and add integration tests that verify this image can be run with a read-only root file system.

What are you trying to do? What is your use case?

Modern container security policies require that containers run as non-root users and that the image is mounted read-only. One of the tools that verifies this is kubelint (for k8s). This tool is currently the one that complains in my environment.

Did rest-server help you today? Did it make you happy in any way?

rest-server reliably offers backups for me in conjunction with k8up. I was repeatedly able to restore files that my main server lost due to various reasons. Thanks to the use of HTTP as a transport protocol, the transport between sites is extremely easy to get through the firewall for me. Please keep up the good work!

SchoolGuy, Sep 15 '24 16:09

This should already work perfectly fine (at least the rest-server part) by setting the necessary options at the container.

MichaelEischer, Feb 07 '25 22:02

Could we then document the user uid/gid that can be utilized for this purpose?

SchoolGuy, Feb 08 '25 07:02

You should basically be able to pick any uid/gid. Just make sure that it matches what's used for the mounted volumes. If someone wants to extend the docs, feel free to open a PR.

MichaelEischer, Apr 14 '25 19:04
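
The container options discussed in this thread, written out as a Kubernetes Pod spec. This is an added example, not configuration from the rest-server project or from either participant. The uid/gid 1000, the object names, the PVC, the `/data` mount path and port 8000 are assumptions to adjust for your deployment.

```yaml
# Added example: names, uid/gid, port and paths are assumptions, not project-documented values.
apiVersion: v1
kind: Pod
metadata:
  name: rest-server                     # hypothetical name
spec:
  securityContext:
    runAsNonRoot: true                  # kubelet refuses to start a container that would run as uid 0
    runAsUser: 1000                     # any non-zero uid; must match ownership of the mounted volume
    runAsGroup: 1000
    fsGroup: 1000                       # volume is made group-accessible to this gid (volume types that support it)
  containers:
    - name: rest-server
      image: restic/rest-server:0.12.1  # version quoted in the issue
      securityContext:
        readOnlyRootFilesystem: true    # only explicitly mounted volumes are writable
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      ports:
        - containerPort: 8000           # assumed listen port
      volumeMounts:
        - name: data
          mountPath: /data              # assumed repository directory inside the image
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: rest-server-data     # hypothetical PVC
```

If the volume type ignores `fsGroup`, the backing directory has to be owned by the chosen uid/gid before the pod starts, otherwise writes to the repository fail with permission errors.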