Implement rootless Docker container with enhanced security and preserved TFTP logging #87

Merged
merged 3 commits into from
Jun 12, 2025

Conversation

@antonym antonym commented Jun 8, 2025

Summary

  • Converts docker-netbootxyz container to run all processes as non-root user for enhanced security
  • Preserves TFTP logging functionality for PXE boot debugging
  • Adds customizable PUID/PGID support for volume permission management

Key Security Improvements

  • ✅ All application processes (nginx, webapp, dnsmasq) run as nbxyz user (UID 1000)
  • ✅ Privilege dropping using gosu for secure initialization
  • ✅ Only supervisord initialization runs as root, then drops privileges
  • ✅ Configurable user/group IDs via PUID/PGID environment variables
  • ✅ Proper permission management for all service directories

Performance Optimizations

  • ✅ Multi-stage Docker build reduces image size and improves caching
  • ✅ Optimized package installation and cleanup
  • ✅ Better layer organization for faster rebuilds

TFTP Logging Preservation

  • ✅ TFTP request logs appear in docker logs output for debugging
  • ✅ dnsmasq configured with --log-dhcp --log-queries --log-facility=-
  • ✅ Wrapper script ensures proper log forwarding to container stdout
  • ✅ Users can monitor PXE boot requests in real-time

Breaking Changes

None - fully backward compatible

Test Plan

  • Container builds successfully
  • All services start and run as non-root user
  • Web interface accessible on ports 80 and 3000
  • TFTP server listening on port 69/udp
  • TFTP transaction logs visible in docker logs
  • PUID/PGID customization works correctly
  • Volume permissions handled properly

Files Changed

  • Dockerfile - Multi-stage build optimization and security enhancements
  • root/init.sh - Dynamic user creation with PUID/PGID support
  • root/start.sh - Privilege dropping with gosu
  • root/etc/supervisor.conf - Rootless process management
  • root/usr/local/bin/dnsmasq-wrapper.sh - TFTP logging wrapper (new file)
  • root/defaults/nginx.conf - Non-root nginx configuration

🤖 Generated with Claude Code
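
The test-plan item "All services start and run as non-root user" can be checked mechanically against a process listing. The script below is an added example, not code from this pull request; the `USER PID COMMAND` input layout, the sample listings, and the function names are assumptions, as is the idea of rejecting a PUID/PGID of 0.

```shell
#!/bin/sh
# Added example (not from the PR): audit a process listing for services
# still running as root, and sanity-check PUID/PGID values.
# Assumed input layout: one process per line, "USER PID COMMAND".

# Constructed sample: the state the PR describes (only supervisord is root).
SAMPLE_OK='root 1 supervisord
nbxyz 12 nginx
nbxyz 13 webapp
nbxyz 14 dnsmasq'

# Constructed sample: a regression where dnsmasq is left running as UID 0.
SAMPLE_BAD='root 1 supervisord
nbxyz 12 nginx
0 14 dnsmasq'

# Read a listing on stdin; print "PID COMMAND" for every root-owned process
# whose command is not in the space-separated allowlist given as $1.
root_procs() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ($1 == "root" || $1 == "0") && !($3 in ok) { print $2, $3 }
    '
}

# Accept only a non-zero decimal ID, so that a PUID/PGID setting cannot
# silently map the service user back to root (hypothetical check).
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Return 0 if only supervisord runs as root, 1 (with a report) otherwise.
audit() {
    offenders=$(printf '%s\n' "$1" | root_procs "supervisord")
    if [ -n "$offenders" ]; then
        echo "FAIL: running as root: $offenders"
        return 1
    fi
    echo "OK: only allowlisted processes run as root"
}

audit "$SAMPLE_OK"
audit "$SAMPLE_BAD" || true
```

Against a running container, `root_procs` would be fed a process listing taken from inside it, with user, PID and command columns in that order.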

@antonym antonym force-pushed the feature/rootless-container-security branch from df42e57 to 96b0afc Compare June 8, 2025 14:05
- Convert all processes to run as non-root user (nbxyz) for enhanced security
- Add customizable PUID/PGID environment variables for volume permission management
- Implement privilege dropping using gosu for secure initialization
- Optimize Dockerfile with multi-stage build and better caching
- Create dnsmasq wrapper script to ensure TFTP logs appear in docker logs
- Configure supervisord to properly forward dnsmasq output to container stdout
- Maintain full TFTP/PXE boot debugging functionality for users

Security improvements:
- All application processes (nginx, webapp, dnsmasq) run as nbxyz user
- Only supervisord initialization runs as root, then drops privileges
- Proper permission management for all service directories
- Configurable user/group IDs via PUID/PGID environment variables

Performance optimizations:
- Multi-stage Docker build reduces final image size
- Better layer caching for faster rebuilds
- Optimized package installation and cleanup

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@antonym antonym force-pushed the feature/rootless-container-security branch from 96b0afc to 0a9993a Compare June 8, 2025 14:12
@antonym antonym requested a review from Copilot June 12, 2025 05:13

@Copilot Copilot AI left a comment

Pull Request Overview

This PR enhances container security by converting processes to run as a non-root user while preserving TFTP logging and enabling configurable user/group IDs. Key changes include:

  • Converting process execution to use the nbxyz user via gosu in supervisor.conf and start.sh.
  • Adding dynamic user creation and permission management with PUID/PGID support in init.sh.
  • Optimizing the Dockerfile with a multi-stage build and improved image metadata.

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| root/start.sh | Updates to clarify root-level configuration and use exec with supervisord via gosu. |
| root/init.sh | Adds dynamic user/group creation and configures directory permissions. |
| root/etc/supervisor.conf | Updates to run services as nbxyz using gosu and configures log forwarding. |
| README.md | Documents new PUID/PGID options and usage instructions. |
| Dockerfile | Introduces a multi-stage build with improved dependency installation and metadata. |
| .dockerignore | Adds standard ignore patterns for build-related files and directories. |

antonym and others added 2 commits June 12, 2025 00:17
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
@antonym antonym merged commit ca7a339 into master Jun 12, 2025
3 checks passed
@antonym antonym deleted the feature/rootless-container-security branch June 12, 2025 05:19