You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The current process runs under root and the primary reason is a need to access /var/run/docker.sock to allow containers discovery. Technically it can be done with any user added to the docker group, however, I'm not really sure if such users are any better from the security point of view.
In case if reproxy runs inside a container but doesn't use docker provider, running the reproxy process without root privilege makes perfect sense. I'm not sure yet how to make a universal image to address both cases unless we add an additional entrypoint checking provider and run reproxy under root or non-root. Not sure how this can be done as we don't have anything in the image (scratch). Maybe the process itself should drop privileges somehow after the start?
Another idea is to isolate docker event listener to a separate privileged process and make reproxy communicate with this process. Sort of "provider plugin" idea I guess
Open for better ideas, feel free to propose.
The text was updated successfully, but these errors were encountered:
The current process runs under root and the primary reason is a need to access
/var/run/docker.sockto allow containers discovery. Technically it can be done with any user added to thedockergroup, however, I'm not really sure if such users are any better from the security point of view.In case if reproxy runs inside a container but doesn't use docker provider, running the reproxy process without root privilege makes perfect sense. I'm not sure yet how to make a universal image to address both cases unless we add an additional entrypoint checking provider and run reproxy under root or non-root. Not sure how this can be done as we don't have anything in the image (scratch). Maybe the process itself should drop privileges somehow after the start?
Another idea is to isolate docker event listener to a separate privileged process and make reproxy communicate with this process. Sort of "provider plugin" idea I guess
Open for better ideas, feel free to propose.
The text was updated successfully, but these errors were encountered: