This repository has been archived by the owner on Aug 26, 2021. It is now read-only.

-BREAKING- Update base image to not run as root #43

Closed
wants to merge 2 commits into from

Conversation

GauntletWizard

Do you want to request a feature or report a bug?

Feature

What did you do?

Ran Traefik with a Kubernetes Pod Security Policy disallowing running containers as root. It did not start.

What did you expect to see?

Traefik would run without issue

What did you see instead?

Traefik would not start. The image runs as root - Running with a specified user does not work because it attempts to bind port 80. With a custom configuration that does not bind port 80, however, the image runs just fine.

This change alters the image to expose port 8080 instead, and adds a USER stanza to not run as root. This is a breaking change for many users, and would require significant announcement - I'm proposing it as a discussion topic rather than as an immediate merge target.

@ldez
Contributor

ldez commented Jan 30, 2019

I propose that you discuss that point in issue #38.

Thank you for your time and interest 👍

@ldez ldez closed this Jan 30, 2019
@ldez ldez added the declined label Jan 30, 2019
@westurner

Why did you close this as invalid?

@westurner

westurner commented Mar 14, 2019

When I create a similar container (With USER specified before CMD) and change the http and https entrypoint ports to 8080 and 8443 and map those ports in the compose file (443:8443, 80:8080), redirects are broken because domain:80 -> domain:8443 instead of domain:80 -> domain:443. ACME also expects only 80 and 443.

I can't just specify additional entrypoints for 80 and 443, because those can't bind without root.

Does there need to be an additional config setting for when >1024 ports are mapped with docker -- so that redirects work -- or am I doing this wrong / did you ever get this to work with redirects and ACME?

@dealboy

dealboy commented Mar 24, 2019

Having similar requirements for security reasons, we are also investigating the non-root options.

@westurner: Can you please clarify a bit more what breaks in your approach? (The redirection break you mention is not clear: is it because of ACME usage, or because of an [entryPoints.http.redirect] in your toml?)

  • did you try the user: "${UID}:${GID}" option in compose (instead of creating your own image)?
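One way to keep public redirects working on an unprivileged-port setup like the one westurner describes, as an added example that is not part of this PR or of Traefik's own files: a Traefik 1.x traefik.toml that binds :8080/:8443 and rewrites only the scheme of the redirect rather than pointing at the https entrypoint (which would carry the container-side :8443 into the Location header). It assumes the host maps 80:8080 and 443:8443 and the container runs as a non-root user (compose `user:` or a Dockerfile USER); the e-mail address is a placeholder.

```toml
# Added example (not from the PR): Traefik 1.x configuration that binds only
# unprivileged ports, so the process can run as a non-root USER.
# Assumes the host publishes 80->8080 and 443->8443, e.g. in compose:
#   ports: ["80:8080", "443:8443"]
#   user: "1000:1000"
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":8080"             # unprivileged; public port 80 maps here
    [entryPoints.http.redirect]
    # Avoid `entryPoint = "https"` here: it redirects to the https entry
    # point's own address, which is what produces domain:80 -> domain:8443.
    # Rewriting the scheme alone keeps the client on the public port 443.
    regex = "^http://(.*)"
    replacement = "https://$1"
    permanent = true

  [entryPoints.https]
  address = ":8443"             # unprivileged; public port 443 maps here
    [entryPoints.https.tls]

[acme]
  email = "admin@example.com"   # placeholder
  storage = "acme.json"
  entryPoint = "https"
  [acme.httpChallenge]
  # HTTP-01 validation arrives on public :80, which the host maps to :8080,
  # so ACME still sees the standard port from the outside.
  entryPoint = "http"
```

With a Kubernetes Pod Security Policy that forbids root, the same config works unchanged because nothing below 1024 is bound inside the container; only the Service or port mapping has to translate 80/443 to 8080/8443.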

@ldez
Contributor

ldez commented Mar 24, 2019

I propose that you discuss that point in issue #38.

Thank you for your time and interest 👍

@containous containous locked and limited conversation to collaborators Mar 24, 2019
4 participants