As part of hardening deployments to not require things they don't really need, I'd like to use this image in a privileged stripped mode. It currently works well, besides for a single line causing an issue:
|
setcap cap_net_bind_service=+ep /usr/bin/caddy; \ |
That line makes me unable to strip away the NET_BIND_SERVICE capability even if its not used (when caddy is lsitening to a port number 1024+).
I propose a quite limited breaking change and removing that line.
Usage examples
With negative impact
The change would be breaking for someone that does all of these things:
- runs the container as a non-root user (but root is the default)
- makes caddy listen on a port numbered less than 1024
- doesn't explicitly allow NET_BIND_SERVICE
# the adjustment required is to add `--cap-add NET_BIND_SERVICE`
# or to have caddy listen to a higher numbered port like 8080
docker run --rm \
--user 65532:65532 \
-p 8080:80 \
docker.io/library/caddy:2-alpine \
caddy file-server --listen :80 --browse
With positive impact
# when you need no permissions, and want to drop them
# now it fails, but if we make the change and drop the setcap line
# this also works fine
docker run --rm \
--user 65532:65532 \
--cap-drop ALL \
-p 8080:8080 \
docker.io/library/caddy:2-alpine \
caddy file-server --listen :8080 --browse
Not impacted
# since you are root, its fine anyhow
docker run --rm \
-p 8080:80 \
docker.io/library/caddy:2-alpine \
caddy file-server --listen :80 --browse
# since you listen to a port like 1024+, its fine to be non-root
docker run --rm \
--user 65532:65532 \
-p 8080:8080 \
docker.io/library/caddy:2-alpine \
caddy file-server --listen :8080 --browse
# since you explicitly allow the capability for the container user, its fine to be non-root
docker run --rm \
--user 65532:65532 \
--cap-add NET_BIND_SERVICE \
-p 8080:80 \
docker.io/library/caddy:2-alpine \
caddy file-server --listen :80 --browse
Related
As a maintainer I would lean towards this change proposal by itself and not adding the complexity of a dedicated rootless image as proposed in #428. A followup to this change could be to go further and make this image rootless by default, which would be more breaking though.
As part of hardening deployments to not require things they don't really need, I'd like to use this image in a privileged stripped mode. It currently works well, besides for a single line causing an issue:
caddy-docker/Dockerfile.tmpl
Line 39 in 7035032
That line makes me unable to strip away the
NET_BIND_SERVICEcapability even if its not used (when caddy is lsitening to a port number 1024+).I propose a quite limited breaking change and removing that line.
Usage examples
With negative impact
The change would be breaking for someone that does all of these things:
With positive impact
Not impacted
# since you are root, its fine anyhow docker run --rm \ -p 8080:80 \ docker.io/library/caddy:2-alpine \ caddy file-server --listen :80 --browse# since you listen to a port like 1024+, its fine to be non-root docker run --rm \ --user 65532:65532 \ -p 8080:8080 \ docker.io/library/caddy:2-alpine \ caddy file-server --listen :8080 --browse# since you explicitly allow the capability for the container user, its fine to be non-root docker run --rm \ --user 65532:65532 \ --cap-add NET_BIND_SERVICE \ -p 8080:80 \ docker.io/library/caddy:2-alpine \ caddy file-server --listen :80 --browseRelated
As a maintainer I would lean towards this change proposal by itself and not adding the complexity of a dedicated rootless image as proposed in #428. A followup to this change could be to go further and make this image rootless by default, which would be more breaking though.