Closed bschmalhofer closed 4 years ago
Looks like otobo_db_1 can be run as mysql:mysql. This setting can be specified in docker-compose/otobo-base.yml.
otobo_elastic_1 already runs as elasticsearch:root. The group root has no special privileges on CentOS.
otobo_nginx_1: This is a bit more work, as only root has rights for ports below 1024. But according to http://pjdietz.com/2016/08/28/nginx-in-docker-without-root.html this can easily be handled.
otobo_redis_1: Looks like the user already drops down to the user redis. Specifying redis:redis in docker-compose/otobo-base.yml should work.
otobo_nginx_1 can keep running as root. Nginx runs only the master process as root, and then switches to a non-root user. Running as non-root would require that the SSL private key is also readable as non-root. And this is not helping with security.
Checked the containers. Closing this issue.
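An added example, not part of the original thread or of the OTOBO project's code: one way to check the outcome discussed above by reading `Config.User` from `docker inspect` output. The sample JSON is constructed, and the allow-list entry for otobo_nginx_1 is an assumption that mirrors the decision in the thread to let nginx start as root.

```python
import json

# Constructed sample shaped like `docker inspect` output (a JSON array).
# Only the fields read below are included; not captured from a real host.
SAMPLE_INSPECT = """[
  {"Name": "/otobo_db_1",      "Config": {"User": "mysql:mysql"}},
  {"Name": "/otobo_elastic_1", "Config": {"User": "elasticsearch:root"}},
  {"Name": "/otobo_redis_1",   "Config": {"User": ""}},
  {"Name": "/otobo_nginx_1",   "Config": {"User": "0:0"}}
]"""

# Assumption: containers accepted as starting as root (nginx, per the thread).
ALLOWED_ROOT = {"otobo_nginx_1"}

def starts_as_root(user_field):
    """True if a Config.User value means the entrypoint starts as UID 0."""
    user = user_field.split(":", 1)[0].strip()
    # Empty means no user was set in the image or compose file: Docker uses root.
    # Only the user part matters; a group of root (elasticsearch:root) is not UID 0.
    return user in ("", "0", "root")

def audit(inspect_json, allowed_root=ALLOWED_ROOT):
    """Map container name -> 'non-root', 'root (allowed)' or 'root'."""
    result = {}
    for entry in json.loads(inspect_json):
        name = entry["Name"].lstrip("/")
        user = (entry.get("Config") or {}).get("User") or ""
        if not starts_as_root(user):
            result[name] = "non-root"
        elif name in allowed_root:
            result[name] = "root (allowed)"
        else:
            result[name] = "root"
    return result

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {verdict}")
```

A container whose entrypoint drops privileges by itself is still reported as `root` here, because `Config.User` only records the user the container starts as.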
Reopening as the feature should be backported to 10.0.4
Looks good so far. Closing this issue.
The containers should not run as root.
TODO: