docs - add info about Docker in rootless mode

This commit is contained in:
bunkerity 2022-07-07 10:36:22 +02:00
parent fc925ccb11
commit e880b7d598
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
1 changed files with 33 additions and 31 deletions


@ -63,7 +63,7 @@ A volume is used to share data with BunkerWeb and store persistent data like cer
The easiest way of managing the volume is by using a named one. You will first need to create it :
```shell
docker volume create bw-data
docker volume create bw_data
```
Once it's created, you can mount it on `/data` when running the container :
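Review bot: the named volume is renamed from `bw-data` to `bw_data` in this hunk, but the host folder used by the bind-mount variant further down this file stays `bw-data`, so the two persistence options now differ by a single character. Either use one spelling for both, or state explicitly that `bw_data` is the Docker named volume and `bw-data` is the host directory; a reader who copies `-v bw-data:/data` from one example into the other will silently get a fresh, empty named volume instead of their folder.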
@ -71,7 +71,7 @@ Once it's created, you can mount it on `/data` when running the container :
```shell
docker run \
...
-v "${PWD}/bw-data:/data" \
-v bw_data:/data \
...
bunkerity/bunkerweb:1.4.2
```
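Review bot: replacing `-v "${PWD}/bw-data:/data"` with `-v bw_data:/data` fixes a real inconsistency, since the old line was a bind mount sitting under text that explains named volumes. Since the distinction between a volume name and a host path as the `-v` source is exactly what the rootless section later depends on, one sentence here saying that a source which is not a host path is interpreted as a volume name would help readers understand why the two forms behave differently.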
@ -84,13 +84,14 @@ services:
mybunker:
image: bunkerity/bunkerweb:1.4.2
volumes:
- bw-data:/data
- bw_data:/data
...
volumes:
bw-data:
bw_data:
```
!!! warning
!!! warning "Using local folder for persistent data"
BunkerWeb runs as an **unprivileged user with UID 101 and GID 101** inside the container. The reason behind this is the security : in case a vulnerability is exploited, the attacker won't have full root (UID/GID 0) privileges.
But there is a downside : if you use a **local folder for the persistent data**, you will need to **set the correct permissions** so the unprivileged user can write data to it. Something like that should do the trick :
```shell
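Review bot: the warning text kept in this hunk has a grammar slip, "The reason behind this is the security :" should read "The reason behind this is security:", and the space before the colon recurs in "Something like that should do the trick :". The new title "Using local folder for persistent data" is the only cue that the `chown`/`chmod` steps below apply to a bind-mounted host folder and not to the `bw_data` named volume just described; a first sentence such as "This only matters if you bind-mount a host directory; a named volume needs no permission changes" would make the scope of the warning explicit.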
@ -99,37 +100,38 @@ volumes:
chmod 770 bw-data
```
Alternatively, if the folder already exists :
Alternatively, if the folder already exists :
```shell
chown -R root:101 bw-data && \
chmod -R 770 bw-data
```
```shell
chown -R root:101 bw-data && \
chmod -R 770 bw-data
```
If you are using [Docker in rootless mode](https://docs.docker.com/engine/security/rootless), UIDs and GIDs in the container will be mapped to different ones in the host. You will first need to check your initial subuid and subgid :
```shell
grep ^$(whoami): /etc/subuid && \
grep ^$(whoami): /etc/subgid
```
Mounting the folder :
```shell
docker run \
...
-v ./bw-data:/data \
...
bunkerity/bunkerweb:1.4.2
```
Here is the docker-compose equivalent :
```yaml
...
services:
mybunker:
image: bunkerity/bunkerweb:1.4.2
volumes:
- ./bw-data:/data
```
For example, if you have a value of **100000**, the mapped UID/GID will be **100100** (100000 + 100) :
```shell
mkdir bw-data && \
sudo chgrp 100100 bw-data && \
chmod 770 bw-data
```
Or if the folder already exists :
```shell
sudo chgrp -R 100100 bw-data && \
chmod -R 770 bw-data
```
### Networks
By default, BunkerWeb container is listening (inside the container) on **8080/tcp** for **HTTP** and **8443/tcp** for **HTTPS**.
!!! warning "Privileged ports in rootless mode"
If you are using [Docker in rootless mode](https://docs.docker.com/engine/security/rootless) and want to redirect privileged ports (< 1024) like 80 and 443 to BunkerWeb, please refer to the prerequisites [here](https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports).
The easiest way to connect BunkerWeb to web applications is by using Docker networks.
First of all, you will need to create a network :
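Review bot: in the rootless "Mounting the folder" `docker run` example, `-v ./bw-data:/data` uses a relative host path, which `docker run` did not accept at the time of this commit (the `-v` source had to be an absolute path, otherwise it was parsed as a volume name and rejected); keep the `"${PWD}/bw-data:/data"` form that this file used before this change, and leave `./bw-data` only in the docker-compose example, where relative paths are resolved against the compose file. The ordering of the new block also reads oddly: "For example, if you have a value of **100000**" refers to the output of the `/etc/subuid` and `/etc/subgid` greps but is separated from them by the two mount examples; moving the `mkdir`/`sudo chgrp 100100`/`chmod 770` steps directly after the greps, before "Mounting the folder", would match the order in which they must actually be run, since the directory has to exist with the mapped group before the first `docker run`, otherwise Docker creates it with default ownership and UID 101 in the container cannot write to it.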