
[feat] Run Docker container as non-root user

Open Laynezilla opened this issue 3 years ago • 16 comments

Is your feature request related to a problem? Please describe.
The Docker container is currently running as root, which is a security issue.

Describe the solution you'd like
Have environmental variables specify UID and GID similar to this.

Describe alternatives you've considered
Hardcode user 1001 or something similar to this.

Additional context
Thanks for the great software!

Mar 01 '21 17:03 Laynezilla

@Laynezilla Would you like to submit a PR for this?

Mar 02 '21 07:03 robertsLando

> @Laynezilla Would you like to submit a PR for this?

I don't have time at the moment to work on this but I can give it a shot at some point. Also, I don't have any coding background, only tinkering, so if anyone else wants to attempt it, that might be better haha.

Mar 05 '21 16:03 Laynezilla

The way that linuxserver.io handles it is they run everything in their container as user:group abc:abc. When starting a container they look for the PUID and PGID to set the abc user/group to.

The Docker Node image, which is the base for this image, provides some guidance for running as non-root.

I'll play around with the Dockerfile locally and see if I can get it to run under the node user instead of root, and then assign a custom PUID/PGID to node. If I get that working I'll submit a PR, but additional testing should be done to ensure it won't break anything else.

Apr 07 '21 21:04 ChrisRomp

There's a bit of overhead to how linuxserver.io does it. I've done some experimentation and without adding more "things" to the base image I haven't found a good way to do this.

In a nutshell, what needs to happen at container start is:

  1. Modify user and group ID for the node user
  2. chown -R node:node /usr/src/app
    • This takes too long - probably because of node_modules
  3. Run node bin/www from the /usr/src/app directory

The fastest/easiest solution for this is to just run under the existing node user, which has a UID/GID of 1000. This can be handled in the Dockerfile by copying the files as node:node and then setting USER node before executing the app. I'll submit a PR referencing this issue.

I've run the container and it looks like it's ok, but I haven't tested it with a controller attached.

Apr 07 '21 23:04 ChrisRomp
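
The Dockerfile approach described in the comment above, as an added example that is not part of the thread or the project's own Dockerfile. The base image tag, the `npm ci` install step and the file layout are assumptions; `/usr/src/app`, `node bin/www` and the `node` user (UID/GID 1000) come from the thread.

```dockerfile
# Added example: run the app as the image's built-in "node" user (UID/GID 1000).
# Assumption: an official Node base image; the tag is illustrative.
FROM node:lts-alpine

WORKDIR /usr/src/app

# WORKDIR creates the directory as root. Chown only the empty directory here,
# at build time, so no recursive chown over node_modules is needed at start.
RUN chown node:node /usr/src/app

# Drop privileges before installing, so everything npm writes is owned by node.
USER node

# Copy with ownership set at copy time instead of a later "chown -R".
COPY --chown=node:node package*.json ./

# Assumption: dependencies install with a plain "npm ci".
RUN npm ci

COPY --chown=node:node . .

# The process starts as UID 1000, never as root.
CMD ["node", "bin/www"]
```

A container built this way can only open the Z-Wave controller if UID 1000 or one of its supplementary groups has access to the device node on the host, for example `docker run --device <serial device> --group-add <gid of the device's group>`. Bind-mounted data directories must be writable by UID 1000 as well.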

please don't do this by default, let it be configured if folks want, just not by default - it's a PITA on many docker platforms (thinking synology here)

linuxserver.io containers are needlessly complex and fragile, I wouldn't hold them up as a good example of creating containers

an example of a container that is like this is grafana - it is an absolute nightmare to get running

Jan 04 '22 22:01 scyto

oh and only privileged containers are actually root, the security aspect of running as root inside a container is overblown outside of that mode

if folks are worried about vulnerabilities in docker they should mitigate using rootless mode of the docker daemon https://docs.docker.com/engine/security/rootless/

note, running in non-root in the container doesn't mitigate (I know everyone says it does, but it doesn't)

Jan 04 '22 22:01 scyto

@scyto This issue is long closed. I think you're safe. :)

Jan 04 '22 23:01 ChrisRomp

Or I guess the PR is closed. Not sure why the issue is still open if the devs don't want to do it.

Jan 04 '22 23:01 ChrisRomp

> Or I guess the PR is closed. Not sure why the issue is still open if the devs don't want to do it.

it was closed by the bot due to inactivity, to be clear I think it's fine to modify to let users run as any GID/UID they want, but to change default to non-root is my issue as it provides minimal protection to any actual threat but breaks a lot.

Jan 04 '22 23:01 scyto