From 8bdc4615aadb6cfa0b3d2ef43d9047834d42759a Mon Sep 17 00:00:00 2001
From: Luke Jolly
Date: Thu, 30 Jun 2022 23:17:52 -0600
Subject: [PATCH] Add user to container to support running as non-root

---
 Dockerfile | 5 +++++
 README.md | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 25d80540..6dc64c64 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,6 +13,11 @@ RUN apk update \
 && rm -f /var/cache/apk/* \
 && rm -rf /go/src /go/pkg
 
+# Hardcode gid and uid so that it never changes. This changing will break
+# users running this as nonroot in production as you run it with the uid directly,
+# not the user name.
+RUN addgroup -g 1000 hound && adduser -u 1000 -G hound -D hound
+
 VOLUME ["/data"]
 
 EXPOSE 6080
diff --git a/README.md b/README.md
index ffcee310..396f2c61 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,12 @@ You should be able to navigate to [http://localhost:6080/](http://localhost:6080
 There are no special flags to run Hound in production. You can use the `--addr=:6880` flag to control the port to which the server binds. Currently, Hound does not support TLS as most users simply run Hound behind either Apache or nginx. However, we are open to contributions to add TLS support.
 
+If you are running the container, it is best security practice to run containers as non-root users in production. There is a hound user and group in the container with the uid/guid of 1000/1000. For example, utilizing this user with docker would look like:
+
+```
+docker run -d -u 1000 -p 6080:6080 --name hound -v $(pwd):/data ghcr.io/hound-search/hound:latest
+```
+
 ## Why Another Code Search Tool?
 
 We've used many similar tools in the past, and most of them are either too slow, too hard to configure, or require too much software to be installed.
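Review bot: The new RUN creates uid/gid 1000 but nothing grants that user write access to `/data`, which the `VOLUME ["/data"]` line immediately below declares; when the image is started with `-u 1000` and a fresh named or anonymous volume (the bind-mount example in the README is host-owned and unaffected), `/data` is created root-owned and anything the server writes there would presumably fail with a permission error (the ENTRYPOINT and the app's data paths are outside this hunk, so this is inferred). Creating and chowning the directory in the same layer avoids that: `RUN addgroup -g 1000 hound && adduser -u 1000 -G hound -D hound \` / `    && mkdir -p /data && chown hound:hound /data`. Since the hunk adds no `USER hound`, the image still runs as root unless the operator passes `-u`, which matches the README but deserves a line in the comment above the RUN, e.g. `# The image still defaults to root; pass -u 1000 (or add USER hound before ENTRYPOINT) to run unprivileged.`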