djoka/bentopdf
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity

feat: implement non-root user security for Docker container

Browse Source
This commit is contained in:
Lalit Sudhir
2025-10-22 19:10:33 -07:00
parent be6c15fef2
commit 8ac62b48a6
5 changed files with 148 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
Dockerfile
View File

@@ -17,9 +17,22 @@ RUN npm run build -- --mode production
# Production stage # Production stage
FROM nginx:alpine FROM nginx:alpine
ARG APP_USER_ID=1001
ARG APP_GROUP_ID=1001
RUN addgroup -g $APP_GROUP_ID bentopdf && \
adduser -u $APP_USER_ID -G bentopdf -D -s /bin/sh bentopdf
COPY --from=builder /app/dist /usr/share/nginx/html COPY --from=builder /app/dist /usr/share/nginx/html
COPY nginx.conf /etc/nginx/nginx.conf COPY nginx.conf /etc/nginx/nginx.conf
RUN mkdir -p /var/cache/nginx /var/log/nginx /var/run/nginx && \
chown -R bentopdf:bentopdf /usr/share/nginx/html /var/cache/nginx /var/log/nginx /var/run/nginx
RUN sed -i 's/user nginx;/user bentopdf;/' /etc/nginx/nginx.conf
EXPOSE 80 EXPOSE 80
USER bentopdf
CMD ["nginx", "-g", "daemon off;"] CMD ["nginx", "-g", "daemon off;"]

21
README.md
View File

@@ -149,6 +149,27 @@ For organizations that want a clean, distraction-free interface focused solely o
For more details, see [SIMPLE_MODE.md](SIMPLE_MODE.md). For more details, see [SIMPLE_MODE.md](SIMPLE_MODE.md).
### 🔒 Security Features
BentoPDF runs as a non-root user for enhanced security:
- **Non-Root Execution**: Container runs with minimal privileges
- **Configurable UID/GID**: Customize user/group IDs for your environment
- **Security Best Practices**: Follows Principle of Least Privilege
#### Custom User Configuration
```bash
docker build \
--build-arg APP_USER_ID=2000 \
--build-arg APP_GROUP_ID=2000 \
-t bentopdf .
docker run -p 8080:80 bentopdf
```
For detailed security configuration, see [SECURITY.md](SECURITY.md).
### 📦 Version Management ### 📦 Version Management
BentoPDF supports semantic versioning with multiple Docker tags: BentoPDF supports semantic versioning with multiple Docker tags:

108
SECURITY.md Normal file
View File

@@ -0,0 +1,108 @@
# Security Configuration
## Non-Root User Support
BentoPDF now supports running as a non-root user for enhanced security. This follows the Principle of Least Privilege and is essential for production environments.
### Security Benefits
- **Reduced Attack Surface**: If compromised, attackers won't have root privileges
- **Compliance**: Meets security standards like SOC 2, PCI DSS
- **Kubernetes/OpenShift Compatibility**: Works with security policies that require non-root execution
- **System Protection**: Prevents system-wide damage if the application is compromised
### Usage
#### Default Configuration (UID/GID 1001)
```bash
docker build -t bentopdf .
docker run -p 8080:80 bentopdf
```
#### Custom UID/GID
```bash
# Build with custom user/group IDs
docker build \
--build-arg APP_USER_ID=2000 \
--build-arg APP_GROUP_ID=2000 \
-t bentopdf .
# Run the container
docker run -p 8080:80 bentopdf
```
#### Kubernetes Example
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: bentopdf
spec:
template:
spec:
securityContext:
runAsNonRoot: true
runAsUser: 2000
runAsGroup: 2000
containers:
- name: bentopdf
image: bentopdf:latest
ports:
- containerPort: 80
```
#### Docker Compose Example
```yaml
version: '3.8'
services:
bentopdf:
build:
context: .
dockerfile: Dockerfile
args:
APP_USER_ID: 2000
APP_GROUP_ID: 2000
ports:
- "8080:80"
security_opt:
- no-new-privileges:true
```
### Verification
To verify the container is running as non-root:
```bash
# Check the user inside the container
docker exec <container_id> whoami
# Should output: bentopdf
# Check the user ID
docker exec <container_id> id
# Should show UID/GID matching your configuration
```
### Security Best Practices
1. **Use specific UID/GID**: Don't use 0 (root) or common system UIDs
2. **Regular Updates**: Keep the base image updated
3. **Minimal Permissions**: Only grant necessary file permissions
4. **Security Scanning**: Regularly scan images for vulnerabilities
5. **Network Policies**: Implement network segmentation
### Troubleshooting
If you encounter permission issues:
1. **Check file ownership**: Ensure all application files are owned by the bentopdf user
2. **Verify UID/GID**: Make sure the configured IDs don't conflict with host system
3. **Directory permissions**: Ensure nginx can write to log and cache directories
### Migration from Root
If migrating from a root-based setup:
1. Update your Dockerfile to use the new non-root configuration
2. Rebuild your images with the new security settings
3. Update your deployment configurations (Kubernetes, Docker Compose, etc.)
4. Test thoroughly in a staging environment

4
docker-compose.dev.yml
View File

@@ -3,6 +3,10 @@ services:
build: build:
context: . context: .
dockerfile: Dockerfile dockerfile: Dockerfile
args:
APP_USER_ID: 1001 // default value is 1001 can be customized to any other value
APP_GROUP_ID: 1001 // default value is 1001 can be customized to any other value
SIMPLE_MODE: false // false for default mode, true for simple mode
container_name: bentopdf container_name: bentopdf
ports: ports:
- '3000:80' - '3000:80'

2
nginx.conf
View File

@@ -1,3 +1,5 @@
pid /var/run/nginx/nginx.pid;
events { events {
worker_connections 1024; worker_connections 1024;
} }