-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make Docker image immutable on runtime #248
Conversation
No New Or Fixed Issues Found |
Will this be approved / merged? Very much needed to be able to host on Azure App Service or Azure Container Apps |
The changes in this PR are very welcome, especially when running BW in Kubernetes and settings the UID/GID is a security best-practice. Why is this PR not moving forward? |
Hi, @shaman007 Thanks for your work on this! I'll be giving this a review. Right now, the build is failing for me when building locally, mostly due to references to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks again for your work on this! I made a few suggestions:
exec setpriv --reuid=1000--regid=1000 --init-groups /usr/bin/supervisord |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exec setpriv --reuid=1000--regid=1000 --init-groups /usr/bin/supervisord | |
exec setpriv --reuid=1000 --regid=1000 --init-groups /usr/bin/supervisord | |
#Set up user and group | ||
RUN addgroup --gid 1000 bitwarden |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#Set up user and group | |
RUN addgroup --gid 1000 bitwarden | |
# Set up user and group | |
RUN addgroup --gid $PGID bitwarden |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll also need to set the following in the final stage:
ENV PUID=1000
ENV PGID=1000
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We also need to consider the impact of hard-coding the user and group ID in the image. Since they're currently set at runtime (in the entrypoint script), it's possible to provide custom IDs. Setting them in the Dockerfile removes this capability, and could potentially impact other deployments.
#Create symlincs for the identity files: | ||
RUN ln -s /app/Identity/identity.pfx /etc/bitwarden/identity.pfx | ||
RUN ln -s /app/Sso/identity.pfx /etc/bitwarden/identity.pfx |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#Create symlincs for the identity files: | |
RUN ln -s /app/Identity/identity.pfx /etc/bitwarden/identity.pfx | |
RUN ln -s /app/Sso/identity.pfx /etc/bitwarden/identity.pfx | |
# Create symlinks for the identity files: | |
RUN ln -sf /app/Identity/identity.pfx /etc/bitwarden/identity.pfx | |
RUN ln -sf /app/Sso/identity.pfx /etc/bitwarden/identity.pfx |
I ran into some issues when building this locally, were the existing files where getting cached in the docker build, so I had to force-create the symlinks.
sed -i "s/autostart=true/autostart=${BW_ENABLE_SSO}/" /etc/supervisor.d/sso.ini | ||
|
||
# Set desired ownership: | ||
RUN chown -R 1000:1000 \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RUN chown -R 1000:1000 \ | |
RUN chown -R $PUID:$PGID \ |
Thinking more about this, I don't think we can merge this. This will cause issues for people running on systems where the host UID and GID don't match what's hard-coded in the image. While this specific PR will be closed, we are looking into similar functionality in an internal ticket. |
@tangowithfoxtrot, I cannot understand why security related software with personal data and secrects and direct access from the internet needs to be explicitly run as a super user and only as a superuser. |
#247