Running as non-root user in docker

Hey guys,

I’m trying to run BW as non-root in docker, but not quite sure if I’m missing something?

################
##Bitwarden_rs##
################

  bitwarden:
    container_name: Bitwarden
    image: bitwardenrs/server
    restart: always
    volumes:
      # - $USERDIR/Bitwarden/Data:/data
      # - $USERDIR/Bitwarden/SSL:/ssl
      - $USERDIR/Bitwarden2/Data:/data
      - $USERDIR/Bitwarden2/SSL:/ssl
    networks:
      pihole:
        ipv4_address: '172.22.0.109'
    ports:
      - 8089:8089
      - 3012:3012
    environment:
      - DUO_IKEY=$DUO_IKEY
      - DUO_SKEY=$DUO_SKEY
      - DUO_HOST=$DUO_HOST
      - LOG_FILE=/data/bitwarden.log
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
      #- SIGNUPS_ALLOWED=true
      - SIGNUPS_ALLOWED=false
      - INVITATIONS_ALLOWED=true
      - USER='$PUID:$PGID'
      - LOG_LEVEL=warn
      - EXTENDED_LOGGING=true
      - DOMAIN='https://bitwarden.$DOMAINNAME'
      - ROCKET_WORKERS=20
      - ROCKET_PORT=8089
      - WEBSOCKET_ENABLE=true
      - ADMIN_TOKEN=$BW_ADMIN_TOKEN
      - SMTP_HOST=$BW_SMTP_HOST
      - SMTP_FROM=$BW_SMTP_FROM
      - SMTP_PORT=$BW_SMTP_PORT
      - SMTP_SSL=true
      - SMTP_USERNAME=$BW_SMTP_USERNAME
      - SMTP_PASSWORD=$BW_SMTP_PASSWORD
    labels:
      - autoheal=true
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.bitwarden-rtr.entrypoints=https"
      - "traefik.http.routers.bitwarden-websocket.entrypoints=https"
      - "traefik.http.routers.bitwarden-admin.entrypoints=https"
      - "traefik.http.routers.bitwarden-rtr.rule=Host(`bitwarden.$DOMAINNAME`)"
      - "traefik.http.routers.bitwarden-websocket.rule=Host(`bitwarden.$DOMAINNAME`) && Path(`/notifications/hub`)"
      - "traefik.http.routers.bitwarden-admin.rule=Host(`bitwarden.$DOMAINNAME`) && Path(`/admin`)"
      - "traefik.http.routers.bitwarden-rtr.tls=true"
      - "traefik.http.routers.bitwarden-admin.tls=true"
      - "traefik.http.routers.bitwarden-websocket.tls=true"
      ## Middlewares
      # - "traefik.http.routers.bitwarden-rtr.middlewares=chain-oauth@file"
      # - "traefik.http.routers.bitwarden-rtr.middlewares=chain-authelia@file" # Authelia
      - "traefik.http.routers.bitwarden-admin.middlewares=chain-authelia@file" # Authelia
      - "traefik.http.routers.bitwarden-rtr.middlewares=chain-no-auth@file"
      - "traefik.http.routers.bitwarden-websocket.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.bitwarden-rtr.service=bitwarden-svc"
      - "traefik.http.routers.bitwarden-websocket.service=bitwarden-websocket-svc"
      - "traefik.http.routers.bitwarden-admin.service=bitwarden-admin-svc"
      - "traefik.http.services.bitwarden-svc.loadbalancer.server.port=8089"
      - "traefik.http.services.bitwarden-admin-svc.loadbalancer.server.port=8089"
      - "traefik.http.services.bitwarden-websocket-svc.loadbalancer.server.port=3012"
      # Healthcheck
      - "traefik.http.services.bitwarden-svc.loadbalancer.healthcheck.interval=5s"
      - "traefik.http.services.bitwarden-svc.loadbalancer.healthcheck.timeout=3s"
      - "traefik.http.services.bitwarden-svc.loadbalancer.healthcheck.path=/"

The PUID and PGID are correct in the .env file as well (have checked by replacing the variables with static values just in case it wasn’t picking up the variables).

$USERDIR/Bitwarden2 is a clone of the data + SSL directories chowned with the correct UID and GID.

Have I missed something and am I being a muppet?

Thanks!

PUID and PGID are not standard, and only supported by some Docker images. See https://github.com/dani-garcia/bitwarden_rs/wiki/Hardening-Guide#run-as-a-non-root-user.

Heya, I understand that.

That’s why in "- USER='$PUID:$PGID'" they are variables which translate to (e.g.) 1003:1059

USER doesn’t control what user a container process runs as. Read the link.

Ah!

I see where I went wrong.

I put “user” under environment, not under its own heading.

All sorted now, cheers for the heads up!
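The mistake the thread resolves (a USER/PUID/PGID entry under `environment` instead of a service-level `user:` key) is easy to lint for before deploying. The following checker is an added example, not code from the thread or from the bitwarden_rs project; the two service definitions it inspects are constructed to mirror the broken and corrected shapes of the compose file above.

```python
"""Lint a compose service definition for the non-root mistake discussed above.

bitwarden_rs does not read USER, PUID or PGID from the environment; only the
service-level `user:` key changes the UID the container process runs as.
"""

ROOT_IDS = {"0", "root"}


def env_to_dict(env):
    """Normalise a compose `environment` (list of KEY=VAL or a mapping) to a dict."""
    if isinstance(env, dict):
        return {k: str(v) for k, v in env.items()}
    out = {}
    for item in env or []:
        key, _, val = str(item).partition("=")
        out[key] = val
    return out


def check_non_root(service):
    """Return a list of findings; an empty list means the service drops root."""
    findings = []
    env = env_to_dict(service.get("environment"))
    for key in ("USER", "PUID", "PGID"):
        if key in env:
            findings.append(f"environment {key}={env[key]} does not change the process user")
    # compose accepts `user: "uid"` or `user: "uid:gid"`; strip stray shell quotes
    user = str(service.get("user", "")).strip("'\"")
    if not user:
        findings.append("service has no `user:` key; the container runs as root")
    elif user.split(":")[0] in ROOT_IDS:
        findings.append(f"`user: {user}` still runs as root")
    return findings


# Constructed sample mirroring the thread's original file: USER under environment.
BROKEN = {"image": "bitwardenrs/server",
          "environment": ["PUID=1003", "PGID=1059", "USER='1003:1059'", "LOG_LEVEL=warn"]}
# Constructed corrected definition: `user:` as its own service key.
FIXED = {"image": "bitwardenrs/server",
         "user": "1003:1059",
         "environment": ["LOG_LEVEL=warn"]}

if __name__ == "__main__":
    for name, svc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_non_root(svc) or ["ok: runs as non-root"])
```

The data and SSL directories still need to be chowned to the same UID:GID, as the original post already does; the checker only covers the compose definition itself.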