How to run Træfik as a non-root user? Part 1

  1. Running your process as a non-privileged user inside the container. Docker makes this easy, although it comes with constraints.
  2. Running the Docker engine with user namespaces: the userns-remap option of the Docker daemon. A note on user namespaces: they were introduced as early as Linux 3.5 and are considered stable since Linux 4.3, so make sure you run a recent kernel.
  3. Stripping the container of all potentially dangerous system capabilities (Docker already does this to some degree) or running a hardened Linux with SELinux, AppArmor…
  1. Create a traefik user in the Dockerfile to run Træfik.
  2. Create a host user traefik with the same uid/gid as the container user, bearing in mind that this breaks portability.
  3. Configure Træfik to listen on ports > 1024 and let Docker map host ports 80/443 to the container ports.
  4. Configure Træfik to use TLS certificates.
groupadd traefik
useradd -g traefik -m traefik
# Add traefik to the docker group (-a keeps any existing supplementary groups)
usermod -aG docker traefik
FROM traefik:raclette-alpine
# BusyBox adduser: -G sets the primary group (-g would only fill the GECOS field)
RUN addgroup -S traefik && adduser -S -G traefik traefik
USER traefik

# Build your own image with
docker build -t zepouet/traefik .
DOCKER_OPTS="--bip 172.17.42.1/16 \
--tlsverify --tlscacert=/root/.docker/ca.pem \
--tlscert=/root/.docker/server.pem \
--tlskey=/root/.docker/server-key.pem \
-H tcp://0.0.0.0:2376 \
-H unix:///var/run/docker.sock \
-s aufs"
docker --tlscacert=/home/traefik/.docker/ca.pem \
--tlscert=/home/traefik/.docker/cert.pem \
--tlskey=/home/traefik/.docker/key.pem \
--tlsverify \
ps
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.http]
address = ":2048"
##################################
# Docker configuration backend
##################################
[docker]
endpoint = "tcp://172.17.42.1:2376"
watch = true
exposedbydefault = true
# ca.pem server-key.pem server.pem
[docker.tls]
ca = "/docker-certs/ca.pem"
cert = "/docker-certs/cert.pem"
key = "/docker-certs/key.pem"
# Skips verification of the daemon's certificate against ca.pem; set to false once the certificates match
insecureskipverify = true
version: "2"
services:
  traefik:
    container_name: traefik
    image: zepouet/traefik
    user: traefik
    command: --web --logLevel=DEBUG
    ports:
      - "80:2048"
      - "9090:8080"
    volumes:
      # mount the file onto the config file path, not onto the directory
      - ./traefik.toml:/etc/traefik/traefik.toml
      - /home/traefik/.docker:/docker-certs
    labels:
      - "traefik.enable=false"
  tomcat:
    container_name: tomcat
    image: tomcat
    labels:
      - "traefik.backend=tomcat"
      - "traefik.port=8080"
      - "traefik.frontend.rule=Host:tomcat.127.0.0.1.xip.io"
docker-compose up -d
docker exec -it traefik ps
PID  USER    TIME COMMAND
1 traefik 0:00 traefik --web --logLevel=DEBUG
33 traefik 0:00 ps
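Added example, not part of the original post: a small POSIX shell script that checks the three properties the setup above depends on (every process in the container runs as non-root, host and container uid/gid match, container-side ports are unprivileged). The ps and id samples embedded here are constructed; the uid 1001 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# non-root Traefik setup. In practice feed the functions the output of
# `docker exec traefik ps`, `docker exec traefik id` and `id traefik` on the host.

# Constructed: what `docker exec -it traefik ps` shows for a correct setup.
SAMPLE_PS='PID  USER    TIME COMMAND
1 traefik 0:00 traefik --web --logLevel=DEBUG
33 traefik 0:00 ps'

# Constructed `id` output on the host and inside the container (uid 1001 is an
# assumption). Step 2 requires them to match so the bind-mounted certs and
# traefik.toml stay readable by the container user.
HOST_ID='uid=1001(traefik) gid=1001(traefik) groups=1001(traefik),999(docker)'
CONTAINER_ID='uid=1001(traefik) gid=1001(traefik) groups=1001(traefik)'

# Return 0 when every process (header excluded) runs as a non-root user.
# Column 2 of BusyBox ps is USER, printed as a name or a numeric uid.
check_nonroot() {
    bad=$(printf '%s\n' "$1" | awk 'NR > 1 && ($2 == "root" || $2 == "0")')
    if [ -n "$bad" ]; then
        printf 'process running as root:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Extract the numeric uid / gid from `id` output.
id_uid() { printf '%s\n' "$1" | sed -n 's/^uid=\([0-9]*\).*/\1/p'; }
id_gid() { printf '%s\n' "$1" | sed -n 's/.* gid=\([0-9]*\).*/\1/p'; }

# Return 0 when host ($1) and container ($2) `id` outputs agree on uid and gid.
check_uid_match() {
    [ "$(id_uid "$1")" = "$(id_uid "$2")" ] && [ "$(id_gid "$1")" = "$(id_gid "$2")" ]
}

# Return 0 when the container side of a compose "host:container" mapping is
# above 1024, i.e. bindable by a non-root process (step 3).
check_unprivileged_port() {
    cport=${1##*:}
    [ "$cport" -gt 1024 ] 2>/dev/null
}

# Run every check against the samples; the exit status is the verdict.
run_checks() {
    check_nonroot "$SAMPLE_PS" &&
    check_uid_match "$HOST_ID" "$CONTAINER_ID" &&
    check_unprivileged_port "80:2048" &&
    check_unprivileged_port "9090:8080"
}
```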
