topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Run bitwarden-rs as non-root user 

Updated the Dockerfiles to switch to UID 999 before running. Because
non-root users cannot bind to ports below 1024, I also updated the
ROCKET_PORT to 8080.
pull/1014/head
Cameron Cordes 5 years ago
parent
1aa5e0d4dc
commit
514ecea36b
15 changed files with 42 additions and 28 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      README.md
  2. 5
      docker/Dockerfile.j2
  3. 5
      docker/aarch64/mysql/Dockerfile
  4. 5
      docker/aarch64/sqlite/Dockerfile
  5. 5
      docker/amd64/mysql/Dockerfile
  6. 5
      docker/amd64/mysql/Dockerfile.alpine
  7. 5
      docker/amd64/postgresql/Dockerfile
  8. 5
      docker/amd64/postgresql/Dockerfile.alpine
  9. 5
      docker/amd64/sqlite/Dockerfile
  10. 5
      docker/amd64/sqlite/Dockerfile.alpine
  11. 5
      docker/armv6/mysql/Dockerfile
  12. 5
      docker/armv6/sqlite/Dockerfile
  13. 5
      docker/armv7/mysql/Dockerfile
  14. 5
      docker/armv7/sqlite/Dockerfile
  15. 2
      docker/healthcheck.sh

3
README.md
View File

@ -35,9 +35,10 @@ Pull the docker image and mount a volume from the host for persistent storage:
```sh ```sh
docker pull bitwardenrs/server:latest docker pull bitwardenrs/server:latest
docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:latest docker run -d --name bitwarden -v /bw-data/:/data/ -p 8080:80 bitwardenrs/server:latest
``` ```
This will preserve any persistent data under /bw-data/, you can adapt the path to whatever suits you. This will preserve any persistent data under /bw-data/, you can adapt the path to whatever suits you.
By default the container will run with `UID=999`, you may want to add `-u some_user` to the run command above, as well as make sure that user has read/write access to `/data`.
**IMPORTANT**: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault from HTTPS. **IMPORTANT**: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault from HTTPS.

5
docker/Dockerfile.j2
View File

@ -222,7 +222,7 @@ RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabih
FROM {{ runtime_stage_base_image }} FROM {{ runtime_stage_base_image }}
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
{% if "alpine" in runtime_stage_base_image %} {% if "alpine" in runtime_stage_base_image %}
ENV SSL_CERT_DIR=/etc/ssl/certs ENV SSL_CERT_DIR=/etc/ssl/certs
@ -268,8 +268,9 @@ RUN [ "cross-build-end" ]
{% endif %} {% endif %}
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/aarch64/mysql/Dockerfile
View File

@ -96,7 +96,7 @@ RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
FROM balenalib/aarch64-debian:buster FROM balenalib/aarch64-debian:buster
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
@ -115,8 +115,9 @@ RUN mkdir /data
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/aarch64/sqlite/Dockerfile
View File

@ -90,7 +90,7 @@ RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
FROM balenalib/aarch64-debian:buster FROM balenalib/aarch64-debian:buster
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
@ -109,8 +109,9 @@ RUN mkdir /data
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/amd64/mysql/Dockerfile
View File

@ -69,7 +69,7 @@ RUN cargo build --features ${DB} --release
FROM debian:buster-slim FROM debian:buster-slim
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
# Install needed libraries # Install needed libraries
@ -83,8 +83,9 @@ RUN apt-get update && apt-get install -y \
RUN mkdir /data RUN mkdir /data
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/amd64/mysql/Dockerfile.alpine
View File

@ -73,7 +73,7 @@ RUN cargo build --features ${DB} --release
FROM alpine:3.11 FROM alpine:3.11
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
ENV SSL_CERT_DIR=/etc/ssl/certs ENV SSL_CERT_DIR=/etc/ssl/certs
@ -86,8 +86,9 @@ RUN apk add --no-cache \
RUN mkdir /data RUN mkdir /data
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/amd64/postgresql/Dockerfile
View File

@ -69,7 +69,7 @@ RUN cargo build --features ${DB} --release
FROM debian:buster-slim FROM debian:buster-slim
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
# Install needed libraries # Install needed libraries
@ -83,8 +83,9 @@ RUN apt-get update && apt-get install -y \
RUN mkdir /data RUN mkdir /data
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/amd64/postgresql/Dockerfile.alpine
View File

@ -73,7 +73,7 @@ RUN cargo build --features ${DB} --release
FROM alpine:3.11 FROM alpine:3.11
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
ENV SSL_CERT_DIR=/etc/ssl/certs ENV SSL_CERT_DIR=/etc/ssl/certs
@ -86,8 +86,9 @@ RUN apk add --no-cache \
RUN mkdir /data RUN mkdir /data
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/amd64/sqlite/Dockerfile
View File

@ -63,7 +63,7 @@ RUN cargo build --features ${DB} --release
FROM debian:buster-slim FROM debian:buster-slim
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
# Install needed libraries # Install needed libraries
@ -77,8 +77,9 @@ RUN apt-get update && apt-get install -y \
RUN mkdir /data RUN mkdir /data
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/amd64/sqlite/Dockerfile.alpine
View File

@ -67,7 +67,7 @@ RUN cargo build --features ${DB} --release
FROM alpine:3.11 FROM alpine:3.11
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
ENV SSL_CERT_DIR=/etc/ssl/certs ENV SSL_CERT_DIR=/etc/ssl/certs
@ -80,8 +80,9 @@ RUN apk add --no-cache \
RUN mkdir /data RUN mkdir /data
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/armv6/mysql/Dockerfile
View File

@ -96,7 +96,7 @@ RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
FROM balenalib/rpi-debian:buster FROM balenalib/rpi-debian:buster
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
@ -115,8 +115,9 @@ RUN mkdir /data
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/armv6/sqlite/Dockerfile
View File

@ -90,7 +90,7 @@ RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
FROM balenalib/rpi-debian:buster FROM balenalib/rpi-debian:buster
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
@ -109,8 +109,9 @@ RUN mkdir /data
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/armv7/mysql/Dockerfile
View File

@ -95,7 +95,7 @@ RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabih
FROM balenalib/armv7hf-debian:buster FROM balenalib/armv7hf-debian:buster
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
@ -114,8 +114,9 @@ RUN mkdir /data
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

5
docker/armv7/sqlite/Dockerfile
View File

@ -89,7 +89,7 @@ RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabih
FROM balenalib/armv7hf-debian:buster FROM balenalib/armv7hf-debian:buster
ENV ROCKET_ENV "staging" ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=80 ENV ROCKET_PORT=8080
ENV ROCKET_WORKERS=10 ENV ROCKET_WORKERS=10
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
@ -108,8 +108,9 @@ RUN mkdir /data
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data
EXPOSE 80 EXPOSE 8080
EXPOSE 3012 EXPOSE 3012
USER 999
# Copies the files from the context (Rocket.toml file and web-vault) # Copies the files from the context (Rocket.toml file and web-vault)
# and the binary from the "build" stage to the current stage # and the binary from the "build" stage to the current stage

2
docker/healthcheck.sh
View File

@ -3,7 +3,7 @@
# Use the value of the corresponding env var (if present), # Use the value of the corresponding env var (if present),
# or a default value otherwise. # or a default value otherwise.
: ${DATA_FOLDER:="data"} : ${DATA_FOLDER:="data"}
: ${ROCKET_PORT:="80"} : ${ROCKET_PORT:="8080"}
CONFIG_FILE="${DATA_FOLDER}"/config.json CONFIG_FILE="${DATA_FOLDER}"/config.json

Write Preview
Loading…
Cancel
Save