-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable running as non root #274
Enable running as non root #274
Conversation
I don't understand what CI is doing 🤔 it's erroring out on the nsswitch.conf thing, but we removed that. This will need @hairyhenderson's eyes on it I think. I opened my own PR #275 and I guess this one precludes that one since it makes the same fix. |
Yeah, very strange, that stage seems to be building using the latest commit on What's the purpose of this step that builds the old code? |
e8b8943
to
2449369
Compare
(No change, just added the #273 issue tag to the relevant commit) |
2449369
to
f0794c8
Compare
@francislavoie another thing to mention as well (didn't look like it was part of this repo otherwise I would have updated it myself), the documentation (https://hub.docker.com/_/caddy) for building your own caddy using the I've pushed another commit adding
|
Oh, really? It needs to be set on the binary before copying it over? Wow, that's really annoying. I thought I'd really hope not to have to add that to the recommended instructions. Is there anything we could do to make it smoother without needing to add that line? An idea, we could add an option to |
Having And no, the capability is set on the binary itself so it doesn't survive if you copy another binary over it. Another possible solution is to put a simple "loader" binary in the caddy image, then in the image we would It's less elegant but it requires zero changes to both the builder Dockerfile and |
We'd add it to here, maybe caddy-docker/Dockerfile.builder.tmpl Line 11 in aca93ae
Then users don't need to do anything, cause the builder image would just do it. Edit: See caddyserver/xcaddy#128 |
I tried doing something similar for another project a couple of years ago, and there are some big caveats. I haven't checked whether they still apply, but I wouldn't be surprised at all if they do.
This blog post is a couple of years old, but seems to cover most of what I observed, and more. |
69d9e73
to
f5fb008
Compare
Thanks @jjlin, that's a useful article.
That seems to have been true for the original Docker builder, but with Buildx/BuildKit, it is preserved. The article you linked mentions that. BuildKit is on by default now in latest versions of Docker, so it should work fine if users are keeping Docker up to date.
Yep, that's a good point, and that's why I'd like for This PR adds
🤔 yeah, I don't have experience with this. We'll raise it with the Docker Library team when we push it there, they can tell us what's up. |
f5fb008
to
205cf64
Compare
For what it's worth it works as we expect it to on my machine (Intel Mac running colima in vz), documented my experience in caddyserver/xcaddy#128 |
48f2a15
to
a781133
Compare
I tried implementing this again in my other project, and with While testing this, I noticed that executables running as non-root can (unexpectedly) bind to "privileged" ports even without setting Nevertheless, setting |
Oooh that's awesome, thanks for trying that and finding that new feature in Moby! I think buildkit might only be enabled by default in new installs, not in upgraded ones. That's what I read in the docs I think. |
a781133
to
4eefc92
Compare
@abjugard can you revert the changes to |
4eefc92
to
9c04c2b
Compare
@hairyhenderson Done! |
Opened a PR in |
Do we need caddyserver/xcaddy#129 to merge first? otherwise this LGTM (except that this needs to be rebased, and the Dockerfiles regenerated now that the errant |
Yeah, I think we should wait for xcaddy. This is only a half solution until we can make the builder also work correctly. Shouldn't take long, Matt was on vacation but will get back into thing soon. |
…g their own images to do it securely Mitigates caddyserver#104
9c04c2b
to
65f4102
Compare
Alright @abjugard, https://github.com/caddyserver/xcaddy/releases/tag/v0.3.2 is released! Got time to finish this up? 🎉 Caddy v2.6.3 is gonna release sometime this week, would be great to get this in for that version. |
Absolutely @francislavoie. Want me to bump xcaddy in this PR then? |
How's that @francislavoie? |
1655c41
to
30c363c
Compare
… output caddy binary when building
30c363c
to
a5a1dac
Compare
Sorry, copy-pasting hashes is hard 😅. Now it's all correct! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! I'll let Dave do the final review and merge
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks for doing this @abjugard
Addresses part of #104
Fixes #273