mirrors
/
AdGuardHome
mirror of https://github.com/AdguardTeam/AdGuardHome.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

docker: Remove CAP_NET_BIND_SERVICE capability 

The capability was added in commit 58868b7, but since then, the USER
instruction was removed from the Dockerfile, so that Adguard Home runs
as root by default.

Even if it is run as non-root user, the capability is not required in
docker versions >= 20.10.0 (released on Dec 9, 2020), because of commit
888da28[1], which sets `net.ipv4.ip_unprivileged_port_start` to `0` by
default. Users running older docker versions or using the `host` network
mode can still configure this sysctl manually.

[1] 888da28d42
This commit is contained in:
Cedric Staniewski 2023-04-05 22:18:05 +02:00
parent 195300f56e
commit 9ef9ccaf23
1 changed files with 1 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docker/Dockerfile
View File

@ -21,7 +21,7 @@ LABEL\
org.opencontainers.image.version=$VERSION org.opencontainers.image.version=$VERSION
# Update certificates. # Update certificates.
RUN apk --no-cache add ca-certificates libcap tzdata && \ RUN apk --no-cache add ca-certificates tzdata && \
mkdir -p /opt/adguardhome/conf /opt/adguardhome/work && \ mkdir -p /opt/adguardhome/conf /opt/adguardhome/work && \
chown -R nobody: /opt/adguardhome chown -R nobody: /opt/adguardhome
@ -36,8 +36,6 @@ COPY --chown=nobody:nogroup\
./${DIST_DIR}/docker/AdGuardHome_${TARGETOS}_${TARGETARCH}_${TARGETVARIANT}\ ./${DIST_DIR}/docker/AdGuardHome_${TARGETOS}_${TARGETARCH}_${TARGETVARIANT}\
/opt/adguardhome/AdGuardHome /opt/adguardhome/AdGuardHome
RUN setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome
# 53 : TCP, UDP : DNS # 53 : TCP, UDP : DNS
# 67 : UDP : DHCP (server) # 67 : UDP : DHCP (server)
# 68 : UDP : DHCP (client) # 68 : UDP : DHCP (client)