Docker containers should not run as root #6
Comments
Looks like otobo_db_1 can be run as mysql:mysql. This setting can be specified in docker-compose/otobo-base.yml. otobo_elastic_1 already runs as elasticsearch:root. The group root has no special privileges on CentOS. otobo_nginx_1: This is a bit more work, as only root has rights for ports below 1024. But according to http://pjdietz.com/2016/08/28/nginx-in-docker-without-root.html this can easily be handled. otobo_redis_1: Looks like the user already drops down to the used redis. Specifying redis:redis in docker-compose/otobo-base.yml should work.
Issue #6: specify users for mysql and for redis
otobo_nginx_1 can keep running as root. Nginx runs only the master process as root, and then switches to a non-root user. Running as non-root would require that the SSL private key is also readable as non-root. And this is not helping with security.
Issue #6: internal port numbers are now greater than 1024
Avoid the ports that can only be run as root.
…-nginx Issue RotherOSS/otobo-docker#6: run on high port number
Checked the containers. Closing this issue.
Reopening as the feature should be backported to 10.0.4
…-nginx_config_port_8080 Issue RotherOSS/otobo-docker#6: grab changes from rel-10_1
Looks good so far. Closing this issue.
The containers should not run as root.
TODO:
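An added example, not part of the issue thread or the project's own code: a small audit of a normalised Compose configuration for the two points discussed in this issue, services with no non-root `user` and container-side ports below 1024. The service names, both sample configurations and port 8443 are constructed for illustration; a missing `user` is reported for review only, since the image may still drop privileges itself.

```python
import json

# Constructed input in the shape printed by `docker compose config --format json`,
# cut down to the two fields checked. Service names and port values are assumptions.
BEFORE = json.loads("""{"services": {
  "db":      {},
  "elastic": {"user": "elasticsearch:root"},
  "redis":   {"user": "0"},
  "nginx":   {"ports": [{"target": 80}, {"target": 443}]}
}}""")
AFTER = json.loads("""{"services": {
  "db":      {"user": "mysql:mysql"},
  "elastic": {"user": "elasticsearch:root"},
  "redis":   {"user": "redis:redis"},
  "nginx":   {"ports": [{"target": 8080}, {"target": 8443}]}
}}""")

def user_finding(user):
    """Return a finding for a compose `user` value, or None if it names a non-root user."""
    if user is None or str(user).strip() == "":
        return "user not set, image default applies"
    name = str(user).split(":", 1)[0].strip()  # "user:group" -> "user"
    if name in ("root", "0"):
        return "runs as uid 0"
    return None  # a root *group* alone (elasticsearch:root) is not flagged

def audit(config):
    """Map service name -> list of findings; services without findings are omitted."""
    report = {}
    for name, svc in config.get("services", {}).items():
        findings = []
        finding = user_finding(svc.get("user"))
        if finding:
            findings.append(finding)
        # Container-side ports below 1024 are the ones that need root to bind.
        low = sorted(int(p["target"]) for p in svc.get("ports", [])
                     if int(p["target"]) < 1024)
        if low:
            findings.append("container port below 1024: " + ", ".join(map(str, low)))
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, json.dumps(audit(cfg), indent=2))
```

In the constructed "after" configuration only nginx is still reported, which matches the thread's decision to leave the nginx master process as root while moving its internal ports above 1024.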