Make Docker image immutable on runtime #248
No New Or Fixed Issues Found
Will this be approved / merged? Very much needed to be able to host on Azure App Service or Azure Container Apps
The changes in this PR are very welcome, especially when running BW in Kubernetes and setting the UID/GID is a security best-practice. Why is this PR not moving forward?
Hi, @shaman007 Thanks for your work on this! I'll be giving this a review. Right now, the build is failing for me when building locally, mostly due to references to
Thanks again for your work on this! I made a few suggestions:
exec setpriv --reuid=1000--regid=1000 --init-groups /usr/bin/supervisord
Suggested change:
- exec setpriv --reuid=1000--regid=1000 --init-groups /usr/bin/supervisord
+ exec setpriv --reuid=1000 --regid=1000 --init-groups /usr/bin/supervisord
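Review bot: the missing space is a functional bug, not a cosmetic one: in the original line `1000--regid=1000` becomes the value of `--reuid`, which setpriv cannot parse as a UID or user name, so the exec fails and supervisord never starts. While touching this line, consider adding `--inh-caps=-all` and `--no-new-privs` so the unprivileged process keeps no inheritable capabilities from the root entrypoint and cannot regain privilege across later execs.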
#Set up user and group
RUN addgroup --gid 1000 bitwarden
Suggested change:
- #Set up user and group
- RUN addgroup --gid 1000 bitwarden
+ # Set up user and group
+ RUN addgroup --gid $PGID bitwarden
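Review bot: `$PGID` expands in this RUN only if an `ARG PGID` or `ENV PGID` is declared earlier in the same build stage; otherwise it expands to nothing, the command becomes `addgroup --gid bitwarden`, and the build fails. Declaring `ARG PGID=1000` directly above this line gives a build-time default, but an ARG is fixed when the image is built, so this alone does not restore the runtime override that the entrypoint currently provides.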
We'll also need to set the following in the final stage:
ENV PUID=1000
ENV PGID=1000
We also need to consider the impact of hard-coding the user and group ID in the image. Since they're currently set at runtime (in the entrypoint script), it's possible to provide custom IDs. Setting them in the Dockerfile removes this capability, and could potentially impact other deployments.
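One way to keep the IDs runtime-configurable (the property this comment wants to preserve) while still dropping root before supervisord starts, as an added example that is not the PR's or Bitwarden's code. It assumes Debian-style addgroup/adduser (the style the PR's Dockerfile uses), hypothetical state directories /etc/bitwarden and /var/log/bitwarden, and a hypothetical BW_RUN_ENTRYPOINT guard variable.

```shell
#!/bin/sh
# Added example (not the PR's or Bitwarden's code): an entrypoint that keeps
# PUID/PGID configurable at run time yet drops root before supervisord starts.
set -eu
# Accept only a plain non-negative integer, so a malformed value such as
# "1000--regid=1000" is rejected here instead of being handed to setpriv.
validate_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}
# Compose the privilege-drop command; printed, not executed, so it can be checked.
# --init-groups loads supplementary groups, --inh-caps=-all empties the
# inheritable capability set so no capability survives the exec.
build_setpriv_cmd() {
    uid=$1; gid=$2; program=$3
    validate_id "$uid" || { echo "invalid PUID: $uid" >&2; return 1; }
    validate_id "$gid" || { echo "invalid PGID: $gid" >&2; return 1; }
    printf 'setpriv --reuid=%s --regid=%s --init-groups --inh-caps=-all %s' \
        "$uid" "$gid" "$program"
}
# Root-only: align the in-image account with the requested IDs so files written
# to bind mounts get host-friendly ownership. Assumes Debian-style addgroup/adduser
# and hypothetical state directories under /etc and /var (not from the PR).
prepare_account() {
    uid=$1; gid=$2
    grep -q '^bitwarden:' /etc/group  || addgroup --gid "$gid" bitwarden
    grep -q '^bitwarden:' /etc/passwd || adduser --system --no-create-home \
        --uid "$uid" --ingroup bitwarden bitwarden
    # chown only mutable state; the image's own files stay root-owned (immutable).
    chown -R "$uid:$gid" /etc/bitwarden /var/log/bitwarden
}
run_entrypoint() {
    PUID=${PUID:-1000}; PGID=${PGID:-1000}
    if [ "$(id -u)" -eq 0 ]; then
        prepare_account "$PUID" "$PGID"
        cmd=$(build_setpriv_cmd "$PUID" "$PGID" /usr/bin/supervisord)
        exec $cmd   # word-splitting intended; every field was validated above
    fi
    # Already non-root (e.g. docker run --user): nothing to drop, start directly.
    exec /usr/bin/supervisord
}
# Hypothetical guard so the functions can be sourced without starting anything.
if [ "${BW_RUN_ENTRYPOINT:-0}" = 1 ]; then
    run_entrypoint "$@"
fi
```

Run with `BW_RUN_ENTRYPOINT=1 PUID=1234 PGID=1234` as the image entrypoint; sourcing the file without the variable only defines the functions.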
#Create symlincs for the identity files:
RUN ln -s /app/Identity/identity.pfx /etc/bitwarden/identity.pfx
RUN ln -s /app/Sso/identity.pfx /etc/bitwarden/identity.pfx
Suggested change:
- #Create symlincs for the identity files:
- RUN ln -s /app/Identity/identity.pfx /etc/bitwarden/identity.pfx
- RUN ln -s /app/Sso/identity.pfx /etc/bitwarden/identity.pfx
+ # Create symlinks for the identity files:
+ RUN ln -sf /app/Identity/identity.pfx /etc/bitwarden/identity.pfx
+ RUN ln -sf /app/Sso/identity.pfx /etc/bitwarden/identity.pfx
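Review bot: both `ln` lines create the link at the same path, `/etc/bitwarden/identity.pfx`. Without `-f` the second one fails with "File exists"; with `-sf` it silently replaces the first, so the image ends up with a single link pointing at `/app/Sso/identity.pfx` and the Identity certificate is never referenced. If the two services need separate files the link names must differ; if they share one certificate, a single `ln` line is enough.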
I ran into some issues when building this locally, where the existing files were getting cached in the docker build, so I had to force-create the symlinks.
sed -i "s/autostart=true/autostart=${BW_ENABLE_SSO}/" /etc/supervisor.d/sso.ini

# Set desired ownership:
RUN chown -R 1000:1000 \
Suggested change:
- RUN chown -R 1000:1000 \
+ RUN chown -R $PUID:$PGID \
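Review bot: a `chown -R` in its own RUN step changes the ownership of files that already exist in earlier layers, and Docker records each touched file again in the new layer, so the listed paths are effectively stored twice in the image. Doing the chown in the same RUN that creates the files, or using `COPY --chown=$PUID:$PGID` where they are copied in, avoids that. The same caveat as for the addgroup line applies here: `$PUID` and `$PGID` must be declared with ARG or ENV earlier in this stage, or they expand to an empty `chown -R : ...`.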
Thinking more about this, I don't think we can merge this. This will cause issues for people running on systems where the host UID and GID don't match what's hard-coded in the image. While this specific PR will be closed, we are looking into similar functionality in an internal ticket.
@tangowithfoxtrot, I cannot understand why security related software with personal data and secrets and direct access from the internet needs to be explicitly run as a super user and only as a superuser.
#247