Use a non-root user to limit root access in docker #411

Open
wants to merge 1 commit into
base: main
40 changes: 37 additions & 3 deletions docker/Dockerfile
Expand Up @@ -4,9 +4,26 @@ RUN apk add --no-cache bash curl less ca-certificates git tzdata zip gettext \
nginx curl supervisor certbot-nginx && \
rm -rf /var/cache/apk/* && mkdir -p /run/nginx

ENV USER=netbird
ENV GROUPNAME=$USER
ENV UID=1000
ENV GID=1000

RUN addgroup \
--gid "$GID" \
"$GROUPNAME" \
&& adduser \
--disabled-password \
--gecos "" \
--home "$(pwd)" \
--ingroup "$GROUPNAME" \
--no-create-home \
--uid "$UID" \
$USER \

STOPSIGNAL SIGINT
EXPOSE 80
EXPOSE 443
EXPOSE 8080
EXPOSE 8443
ENTRYPOINT ["/usr/bin/supervisord","-c","/etc/supervisord.conf"]

WORKDIR /usr/share/nginx/html
Expand All @@ -21,4 +38,21 @@ RUN chmod +x /usr/local/init_react_envs.sh
# configure supervisor
COPY docker/supervisord.conf /etc/supervisord.conf
# copy build files
COPY out/ /usr/share/nginx/html/
COPY out/ /usr/share/nginx/html/

# Set permissions for Nginx
RUN chown -R netbird:netbird /var/lib/nginx \
&& chown -R netbird:netbird /var/log/nginx \
&& chown -R netbird:netbird /usr/share/nginx \
&& chown -R netbird:netbird /run/nginx \
&& chown -R netbird:netbird /etc/nginx

# Set permissions for directories used by letsencrypt certbot
# Set permissions for crontab which will be modified by init_cert.sh
RUN mkdir -p /etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt \
&& chown -R netbird:netbird /etc/crontabs/ \
&& chown -R netbird:netbird /var/lib/letsencrypt \
&& chown -R netbird:netbird /var/log/letsencrypt \
&& chown -R netbird:netbird /etc/letsencrypt

USER netbird
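Review bot: The `chown -R netbird:netbird /etc/nginx` and `chown -R netbird:netbird /etc/crontabs/` lines in the second hunk hand the runtime user write access to the whole nginx configuration tree and to the crontab, so a compromised nginx worker or app process can rewrite the server configuration or schedule its own jobs, and since cron and init_cert.sh run as that same user nothing else stops it. Narrow this to the specific files init_cert.sh rewrites and leave the rest of /etc/nginx root-owned and read-only; the script body is outside this diff, so which files those are is not visible here. In the first hunk, `--home "$(pwd)"` is evaluated at build time before the `WORKDIR /usr/share/nginx/html` line, so the account's home directory becomes `/`; write the path explicitly, e.g. `--home /usr/share/nginx/html`. The `$USER \` line ends the RUN with a continuation backslash into an empty line, which Docker warns about as an empty continuation line; drop the trailing backslash. `ENV USER`, `GROUPNAME`, `UID` and `GID` are only needed while the user is created, so `ARG` would keep them out of the image's runtime environment.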
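--- a/docker/README.md
+++ b/docker/README.md
@@ -7,11 +7,11 @@ NetBird Dashboard is NetBirds Management server UI. It allows users to signin, v
 ## How to use this image
 HTTP run:
 ```shell
-docker run -d --rm -p 80:80 wiretrustee/dashboard:main
+docker run -d --rm -p 80:8080 netbirdio/dashboard:main
 ```
 Using SSL certificate from Let's Encrypt®:
 ```shell
-docker run -d --rm -p 80:80 -p 443:443 \
+docker run -d --rm -p 80:8080 -p 443:8443 \
 -e LETSENCRYPT_DOMAIN=app.mydomain.com \
 -e [email protected] \
 netbirdio/dashboard:main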
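--- a/docker/default.conf
+++ b/docker/default.conf
@@ -1,6 +1,6 @@
 server {
-listen 80 default_server;
-listen [::]:80 default_server;
+listen 8080 default_server;
+listen [::]:8080 default_server;
 
 root /usr/share/nginx/html;
 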
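--- a/docker/init_cert.sh
+++ b/docker/init_cert.sh
@@ -2,7 +2,7 @@
 set -ex
 LETSENCRYPT_DOMAIN=${LETSENCRYPT_DOMAIN:-"none"}
 LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL:-"example@local"}
-NGINX_SSL_PORT=${NGINX_SSL_PORT:-443}
+NGINX_SSL_PORT=${NGINX_SSL_PORT:-8443}
 
 # If no domain is provided, skip certbot execution and configuration
 if [ "${LETSENCRYPT_DOMAIN}-x" == "none-x" ]; then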
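--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -1,7 +1,7 @@
 # /etc/nginx/nginx.conf
 daemon off;
 
-user nginx;
+#user nginx;
 
 # Set number of worker processes automatically based on number of CPU cores.
 worker_processes auto;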
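Review bot: Commenting out `user nginx;` leaves no record of why the directive is gone, and a later maintainer may restore it and get nginx's start-up warning that the user directive is ignored unless the master process runs with super-user privileges. Replace the commented-out line with a comment giving the reason, e.g. `# No "user" directive: the master process is started unprivileged (USER netbird in the Dockerfile), so nginx cannot switch identity here.`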
17 changes: 9 additions & 8 deletions docker/supervisord.conf
@@ -1,30 +1,31 @@
[unix_http_server]
file=/var/run/supervisor.sock
file=/tmp/supervisor.sock
chmod=0700
chown=netbird:netbird
username = dummy
password = dummy

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[supervisorctl]
serverurl=unix:///var/run/supervisor.sock
serverurl=unix:///tmp/supervisor.sock
username = dummy
password = dummy

[supervisord]
nodaemon=true
user=root
user=netbird

pidfile=/run/supervisord.pid
pidfile=/tmp/supervisord.pid

logfile=/proc/self/fd/1
logfile_maxbytes=0
loglevel=warn

[program:cron]
command=crond -f -d 8
user=root
user=netbird
priority=101
numprocs=1
autostart=0
Expand All @@ -37,7 +38,7 @@ stderr_logfile_maxbytes=0

[program:nginx]
command=/usr/sbin/nginx
user=root
user=netbird
priority=100
numprocs=1
autostart=1
Expand All @@ -50,7 +51,7 @@ stderr_logfile_maxbytes=0

[program:init_cert]
command=/usr/local/init_cert.sh
user=root
user=netbird

numprocs=1
autostart=1
Expand All @@ -64,7 +65,7 @@ stderr_logfile_maxbytes=0

[program:init_react_envs]
command=/usr/local/init_react_envs.sh
user=root
user=netbird

numprocs=1
autostart=1
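Review bot: `[program:cron]` now starts `crond -f -d 8` as netbird, but busybox crond (what Alpine installs) is built to run as root and switch identity to each crontab's owner; whether it still executes the crontab that init_cert.sh writes when started unprivileged, and which file under /etc/crontabs that is, should be verified in a built image, since the script body is outside this diff and the Dockerfile's `chown -R netbird:netbird /etc/crontabs/` only fixes readability. The socket and pidfile move to `/tmp`, a world-writable directory shared with every other process in the container; `chmod=0700` and `chown=netbird:netbird` protect the socket itself, but a dedicated directory created and owned in the Dockerfile (for example `/run/supervisor`, a constructed name) would avoid name collisions with anything else writing to `/tmp`. The `user=netbird` lines under `[supervisord]` and each `[program:*]` are no-ops once the image ends with `USER netbird`, which is harmless but worth a comment such as `; already netbird via USER in the Dockerfile; kept so a root-started supervisord still drops privileges`.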