mirror of
https://github.com/dani-garcia/bitwarden_rs
synced 2024-12-17 22:40:55 +01:00
Page:
Running docker container with non root user
Pages
Audits
Backing up your vault
Building binary
Building your own docker image
Caddy 2.x with Cloudflare DNS
Changing persistent data location
Changing the API request size limit
Changing the number of workers
Configuration overview
Customize Vaultwarden CSS
Deployment examples
Differences from the upstream API implementation
Disable admin token
Disable invitations
Disable registration of new users
Disabling or overriding the Vault interface hosting
Docker Traefik ModSecurity Setup
Enable admin page
Enabling HTTPS
Enabling Mobile Client push notification
Enabling U2F (and FIDO2 WebAuthn) authentication
Enabling U2F authentication
Enabling WebSocket notifications
Enabling Yubikey OTP authentication
Enabling admin page secure the admin_token
Enabling admin page
FAQs
Fail2Ban Setup
General (not docker)
Hardening Guide
Home
Importing data from Keepass or KeepassX
Kubernetes deployment
Logging
Logrotate example
Migrating from MariaDB (MySQL) to SQLite
Other configuration
Password hint display
Pre built binaries
Private CA and self signed certs that work with Chrome
Proxy examples
Running a private vaultwarden instance with Let's Encrypt certs
Running docker container with non root user
Running without WAL enabled
SMTP Configuration
Setup as a systemd service
Starting a Container
Supporting upstream
Syncing users from LDAP
Testing SSO
Third party packages
Translating the email templates
Updating the vaultwarden image
Using Docker Compose
Using Podman
Using an alternate base dir
Using the MariaDB (MySQL) Backend
Using the MySQL Backend
Using the PostgreSQL Backend
Which container image to use
5
Running docker container with non root user
St. Veit edited this page 2023-09-23 08:01:33 +02:00
By default vaultwarden/server
is using root user to run service inside the container. There are few things you need to set to run the container as non-root user if you wish to do so:
- Make sure that the directory, you're mounting inside the container will be writable by the user. For example if you decide to run as
nobody
, the directory needs to be writable by user with id 65534. For other ways to specify user inside the container, see the docker documentation, in our examples here we will usenobody
.
# Make the directory on the host, change this to you preferred path
sudo mkdir /vw-data
# Set the owner using user id.
# Note that the ownership must match user in /etc/passwd *inside* the container, not on your host
sudo chown 65534 /vw-data
# Give the owner full rights to the folder
sudo chmod u+rwx /vw-data
- Start the container with proper parameters. Define the user and make sure to start with port set to
1024
or higher.
docker run -d \
--name vaultwarden \
--user nobody \
-e ROCKET_PORT=1024 \
-v /vw-data/:/data/ \
-p 80:1024 \
vaultwarden/server:latest
Notice that the port mapping (-p 80:1024
) reflects the ROCKET_PORT
setting.
Another way may be CAP_NET_BIND_SERVICE, which allows to bind to ports below 1024 as non-root user.
cap_add:
- CAP_NET_BIND_SERVICE
user: nobody
FAQs
Container Image Usage
- Which container image to use
- Starting a container
- Updating the vaultwarden image
- Using Docker Compose
- Using Podman
Deployment
- Building your own docker image
- Building binary
- Pre-built binaries
- Third-party packages
- Deployment examples
- Proxy examples
- Logrotate example
HTTPS
Configuration
- Overview
- Disable registration of new users
- Disable invitations
- Enabling admin page
- Disable the admin token
- Enabling WebSocket notifications
- Enabling Mobile Client push notification
- Enabling U2F and FIDO2 WebAuthn authentication
- Enabling YubiKey OTP authentication
- Changing persistent data location
- Changing the API request size limit
- Changing the number of workers
- SMTP configuration
- Translating the email templates
- Password hint display
- Disabling or overriding the Vault interface hosting
- Logging
- Creating a systemd service
- Syncing users from LDAP
- Using an alternate base dir (subdir/subpath)
- Other configuration
Database
- Using the MariaDB (MySQL) Backend
- Using the PostgreSQL Backend
- Running without WAL enabled
- Migrating from MariaDB (MySQL) to SQLite