non-root run

[casperdcl]

potentially worth documenting how to run as non-root users (related: caddyserver/caddy-docker#104)?

I had to do:

FROM wemakeservices/caddy-gen:latest
ARG CADDY_UID=1000
ARG CADDY_GID=1000
RUN chown -R $CADDY_UID:$CADDY_GID /etc/caddy /config/caddy /code/docker-gen/templates/Caddyfile.tmpl
RUN chmod a+x /usr/bin/forego
USER $CADDY_UID:$CADDY_GID

which allows building using e.g. --arg CADDY_GID=$(getent group docker | cut -d: -f3) --arg CADDY_UID=$(id -u)

[sobolevn]

I think that we can try adding this to the base image 🤔

[casperdcl]

apart from chmod a+x /usr/bin/forego, this won't really affect the base image... the CADDY_UID, CADDY_GID must be overridden by the user.

Alternatively, I suppose the "correct" way is to have:

• ENV not ARG for CADDY_UID & CADDY_GID
• modify entrypoint (similar to https://github.com/jupyter/docker-stacks/blob/main/images/docker-stacks-foundation/start.sh)
  • chown -R ${CADDY_UID:-0}:${CADDY_GID:-0}
  • create user caddy with ${CADDY_UID:-0}:${CADDY_GID:-0}
  • su caddy -c $@

[polarathene]

You should prefer to run as non-root via rootless containers instead, or when supported via --user should you need rootful containers and the convenience of running as your host user (--user in this way has the same caveat as described below).

If you're choosing to run a rootful container as non-root for security reasons, and some exploit did permit a container escape... should that host user have permission to use the CLI to docker daemon without credentials (as is often a convenience done), you would be avoiding the non-root security benefit since the attacker could become root and own the system anyway 🤷‍♂ (similar to access to the docker socket in the container)

The non-root in container practice is meant to avoid that by not sharing an ID with the host that has such privilege.

[sobolevn]

PR is welcome