non-root run - Githubissues

wemake-services / caddy-gen

Automated Caddy reverse proxy for docker containers

https://hub.docker.com/r/wemakeservices/caddy-gen

MIT License

250 stars 24 forks source link

non-root run #98

Open casperdcl opened 4 weeks ago

casperdcl commented 4 weeks ago

potentially worth documenting how to run as non-root users (related: https://github.com/caddyserver/caddy-docker/issues/104)?

I had to do:

FROM wemakeservices/caddy-gen:latest
ARG CADDY_UID=1000
ARG CADDY_GID=1000
RUN chown -R $CADDY_UID:$CADDY_GID /etc/caddy /config/caddy /code/docker-gen/templates/Caddyfile.tmpl
RUN chmod a+x /usr/bin/forego
USER $CADDY_UID:$CADDY_GID

which allows building using e.g. --arg CADDY_GID=$(getent group docker | cut -d: -f3) --arg CADDY_UID=$(id -u)

sobolevn commented 4 weeks ago

I think that we can try adding this to the base image 🤔

casperdcl commented 4 weeks ago

apart from chmod a+x /usr/bin/forego, this won't really affect the base image... the CADDY_UID, CADDY_GID must be overridden by the user.

Alternatively, I suppose the "correct" way is to have:

ENV not ARG for CADDY_UID & CADDY_GID
modify entrypoint (similar to https://github.com/jupyter/docker-stacks/blob/main/images/docker-stacks-foundation/start.sh)
- chown -R ${CADDY_UID:-0}:${CADDY_GID:-0}
- create user caddy with ${CADDY_UID:-0}:${CADDY_GID:-0}
- su caddy -c $@