299a8c4c7c
This makes all containers (except mautrix-telegram and mautrix-whatsapp), start as a non-root user. We do this, because we don't trust some of the images. In any case, we'd rather not trust ALL images and avoid giving `root` access at all. We can't be sure they would drop privileges or what they might do before they do it. Because Postfix doesn't support running as non-root, it had to be replaced by an Exim mail server. The matrix-nginx-proxy nginx container image is patched up (by replacing its main configuration) so that it can work as non-root. It seems like there's no other good image that we can use and that is up-to-date (https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated). Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/), we patch it up ourselves when starting (replacing the main nginx configuration). Ideally, it would be fixed upstream so we can simplify. |
||
---|---|---|
.. | ||
ansible.md | ||
configuring-dns.md | ||
configuring-playbook-bridge-mautrix-telegram.md | ||
configuring-playbook-bridge-mautrix-whatsapp.md | ||
configuring-playbook-email.md | ||
configuring-playbook-external-postgres.md | ||
configuring-playbook-federation.md | ||
configuring-playbook-ldap-auth.md | ||
configuring-playbook-matrix-corporal.md | ||
configuring-playbook-mxisd.md | ||
configuring-playbook-own-webserver.md | ||
configuring-playbook-rest-auth.md | ||
configuring-playbook-s3.md | ||
configuring-playbook-shared-secret-auth.md | ||
configuring-playbook-ssl-certificates.md | ||
configuring-playbook-telemetry.md | ||
configuring-playbook.md | ||
configuring-well-known.md | ||
importing-media-store.md | ||
importing-postgres.md | ||
importing-sqlite.md | ||
installing.md | ||
maintenance-and-troubleshooting.md | ||
maintenance-checking-services.md | ||
maintenance-upgrading-postgres.md | ||
maintenance-upgrading-services.md | ||
prerequisites.md | ||
README.md | ||
registering-users.md | ||
uninstalling.md |