gravitl / netmaker

Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
https://netmaker.io

Run server as non-root via docker #617

Status: Closed (shizunge closed this 2 years ago)

shizunge commented 2 years ago

Thank you for providing a docker image to ease the deployment.

When I run the server via docker with client_mode=off, I want to run it as a non-root user.

However, it failed due to permission denied.

I think it is because some config files used by the server binary are owned by root.

Could you update the image to allow users to run the server as non-root when client mode is turned off?

Maybe run as non-root by default, and let the user choose to run as root when client mode is on, like the other additional configs required by client mode, including cap_add, network_mode, privileged and volumes.
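One way to express the split the reporter asks for, as an added docker-compose sketch that is not from this issue or the Netmaker project: the privileged form that client mode needs beside a least-privilege form for client_mode=off. The image name, the environment variable name (spelled as in the issue), the config path, the API port and the UID/GID are assumptions.

```yaml
# Added example, not from the issue or the Netmaker project.
# Assumptions: image gravitl/netmaker, config dir /etc/netmaker,
# env var CLIENT_MODE as named in the issue, API port 8081, UID/GID 1000.
services:
  # Form 1: client mode ON. The server runs a WireGuard peer itself,
  # so it needs NET_ADMIN on the host network and therefore root.
  netmaker-with-client:
    image: gravitl/netmaker          # assumed image name
    environment:
      CLIENT_MODE: "on"
    network_mode: host               # manages host WireGuard interfaces
    cap_add:
      - NET_ADMIN                    # create/configure wg interfaces
      - SYS_MODULE                   # load the wireguard kernel module
    # privileged: true would also work but grants far more than needed.
    volumes:
      - ./data/netmaker:/etc/netmaker   # assumed config path
      - /lib/modules:/lib/modules:ro

  # Form 2: client mode OFF. No interfaces are touched, so the server
  # can drop every capability and run as an unprivileged user. The bind
  # mount must be owned by that UID on the host, which is exactly the
  # "permission denied" the report hits when the files belong to root.
  netmaker-api-only:
    image: gravitl/netmaker          # assumed image name
    environment:
      CLIENT_MODE: "off"
    user: "1000:1000"                # assumed unprivileged UID:GID
    read_only: true                  # image filesystem stays immutable
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true       # no setuid escalation inside
    ports:
      - "8081:8081"                  # assumed API port
    volumes:
      - ./data/netmaker:/etc/netmaker   # chown -R 1000:1000 on the host first
    tmpfs:
      - /tmp
```

Before starting the second service, create ./data/netmaker on the host and chown it to 1000:1000; with a root-owned directory the container fails the same way the report describes.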

afeiszli commented 2 years ago

@shizunge Going forward we will likely require client mode in order to run the netmaker server (will likely take out the option to set this variable). This is because a new set of features will require having a wireguard client on the server in order to function correctly.

Because of this, I am going to close this as out of scope.

shizunge commented 2 years ago

I still prefer to decouple the server and client and let them communicate via gRPC. After I start the server, I manually connect clients to the server, even if they are running on the same machine. The server is not associated with a node, while a client is usually tied to a node. I think it is a better architecture to separate them than to glue them together, though it costs a little to set up. The server does not need to use the host network. Although I am not a professional in security, I feel it is more secure to let it have fewer permissions and run in a separate namespace.

shizunge commented 2 years ago

Instead of having a WireGuard client on the server, we should update the gRPC protocol to control the functions needed on a server. As I mentioned in the previous comment, we can run the server and client separately on the same machine. Again, separating node-associated things and node-independent things will make it easier to scale, IMHO.