Make (most) containers start as non-root

This makes all containers (except mautrix-telegram and mautrix-whatsapp), start as a non-root user. We do this, because we don't trust some of the images. In any case, we'd rather not trust ALL images and avoid giving `root` access at all. We can't be sure they would drop privileges or what they might do before they do it. Because Postfix doesn't support running as non-root, it had to be replaced by an Exim mail server. The matrix-nginx-proxy nginx container image is patched up (by replacing its main configuration) so that it can work as non-root. It seems like there's no other good image that we can use and that is up-to-date (https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated). Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/), we patch it up ourselves when starting (replacing the main nginx configuration). Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
parent 56d501679d
commit 299a8c4c7c
24 changed files with 265 additions and 96 deletions
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
@ -1,5 +1,5 @@
 server {
-	listen 80;
+	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 	server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};

 	server_tokens off;
@ -8,7 +8,7 @@ server {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
-			set $backend "matrix-certbot:80";
+			set $backend "matrix-certbot:8080";
 			proxy_pass http://$backend;
 		{% else %}
 			{# Generic configuration for use outside of our container setup #}
@ -22,8 +22,8 @@ server {
 }

 server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
+	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
+	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

 	server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};

@ -43,7 +43,7 @@ server {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
-			set $backend "matrix-riot-web:80";
+			set $backend "matrix-riot-web:8080";
 			proxy_pass http://$backend;
 		{% else %}
 			{# Generic configuration for use outside of our container setup #}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@ -1,5 +1,5 @@
 server {
-	listen 80;
+	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

 	server_tokens off;
@ -8,7 +8,7 @@ server {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
-			set $backend "matrix-certbot:80";
+			set $backend "matrix-certbot:8080";
 			proxy_pass http://$backend;
 		{% else %}
 			{# Generic configuration for use outside of our container setup #}
@ -22,8 +22,8 @@ server {
 }

 server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
+	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
+	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2
--- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
@ -0,0 +1,45 @@
+# This is a custom nginx configuration file that we use in the container (instead of the default one),
+# because it allows us to run nginx with a non-root user.
+#
+# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
+#
+# The following changes have been done compared to a default nginx configuration file:
+# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
+# - the `user` directive was removed, as we don't want nginx to switch users
+
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /tmp/nginx.pid;
+
+
+events {
+	worker_connections 1024;
+}
+
+
+http {
+	proxy_temp_path /tmp/proxy_temp;
+	client_body_temp_path /tmp/client_temp;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+	scgi_temp_path /tmp/scgi_temp;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+					'$status $body_bytes_sent "$http_referer" '
+					'"$http_user_agent" "$http_x_forwarded_for"';
+
+	access_log /var/log/nginx/access.log main;
+
+	sendfile on;
+	#tcp_nopush on;
+
+	keepalive_timeout 65;
+
+	#gzip on;
+
+	include /etc/nginx/conf.d/*.conf;
+}
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@ -14,9 +14,11 @@ ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy
 ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy
 ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
 			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--network={{ matrix_docker_network }} \
-			-p 80:80 \
-			-p 443:443 \
+			-p 80:8080 \
+			-p 443:8443 \
+			-v {{ matrix_nginx_proxy_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
 			-v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \
 			-v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \
 			-v {{ matrix_static_files_base_path }}:{{ matrix_static_files_base_path }}:ro \
--- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
+++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
@ -3,19 +3,22 @@
 # For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled)
 # need to forward requests for `/.well-known/acme-challenge` to the certbot container.
 #
-# This can happen inside the container network by proxying to `http://matrix-certbot:80`
+# This can happen inside the container network by proxying to `http://matrix-certbot:8080`
 # or outside (on the host) by proxying to `http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`.

 docker run \
 	--rm \
 	--name=matrix-certbot \
+	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 	--network="{{ matrix_docker_network }}" \
-	-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:80 \
+	-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
 	-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \
 	-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt \
 	{{ matrix_ssl_lets_encrypt_certbot_docker_image }} \
 	renew \
 		--non-interactive \
+		--work-dir=/tmp \
+		--http-01-port 8080
 		{% if matrix_ssl_lets_encrypt_staging %}
 			--staging \
 		{% endif %}