Add support for running rootless and with readonly filesystem

kaysond · kaysond · commit 3578671d7004 · 2025-03-15T21:51:54.000-07:00
* Use supervisord's built in support for reading env vars
* Move all log files to /etc/bitwarden/logs
* Move all pid files and sockets to /tmp/bitwarden
* Move nginx temp files to /tmp/bitwarden
* Clean up some shellcheck errors in the entrypoint
* Only chown files that need it (when running root; report the list otherwise)
* Change the default PUID/PGID variables to 911 (using 1000 is a security risk as it's the default user for many distros and often isn't unprivileged)
* Use softlinks in the image to point to files generated in the entrypoint
* Update docker compose and settings examples to be more secure
* Add EXPOSE to Dockerfile
diff --git a/docker-unified/Dockerfile b/docker-unified/Dockerfile
@@ -222,16 +222,16 @@ RUN apt-get update && apt-get install -y \
 RUN mkdir -p /etc/bitwarden/attachments/send
 RUN mkdir -p /etc/bitwarden/data-protection
 RUN mkdir -p /etc/bitwarden/licenses
-RUN mkdir -p /etc/bitwarden/logs
 RUN mkdir -p /etc/supervisor
 RUN mkdir -p /etc/supervisor.d
-RUN mkdir -p /var/log/bitwarden
-RUN mkdir -p /var/log/nginx/logs
-RUN mkdir -p /etc/nginx/http.d
-RUN mkdir -p /var/run/nginx
-RUN mkdir -p /var/lib/nginx/tmp
-RUN touch /var/run/nginx/nginx.pid
-RUN mkdir -p /app
+RUN mkdir -p /app/Identity
+RUN mkdir -p /app/Sso
+RUN mkdir -p /app/Web
+
+# Create soft links for files generated in the entrypoint
+RUN ln -s /etc/bitwarden/identity.pfx /app/Identity/identity.pfx
+RUN ln -s /etc/bitwarden/identity.pfx /app/Sso/identity.pfx
+RUN ln -s /etc/bitwarden/app-id.json /app/Web/app-id.json
 
 # Copy all apps from dotnet-build stage
 WORKDIR /app
@@ -273,6 +273,7 @@ RUN chmod +x /usr/local/bin/hbs
 COPY docker-unified/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
+EXPOSE 8080 8443
 VOLUME ["/etc/bitwarden"]
 
 WORKDIR /app
diff --git a/docker-unified/docker-compose.yml b/docker-unified/docker-compose.yml
@@ -7,13 +7,19 @@ services:
     env_file:
       - settings.env
     image: ${REGISTRY:-ghcr.io/bitwarden}/self-host:${TAG:-beta}
+    user: 999:999
+    tmpfs: /tmp
+    read_only: true
+    security_opt:
+      - no-new-privileges
     restart: always
     ports:
       - "80:8080"
       - "443:8443"
     volumes:
-      - bitwarden:/etc/bitwarden
-      - logs:/var/log/bitwarden
+      # The user specified above must have permissions
+      # for the bind mount on the host
+      - ./bitwarden:/etc/bitwarden
 
   # MariaDB Example
   db:
@@ -50,6 +56,4 @@ services:
   #     - data:/var/opt/mssql
 
 volumes:
-  bitwarden:
-  logs:
   data:
diff --git a/docker-unified/entrypoint.sh b/docker-unified/entrypoint.sh
@@ -1,12 +1,14 @@
 #!/bin/bash
 
-# Set up user group
-PGID="${PGID:-1000}"
-addgroup --gid $PGID bitwarden
+if [[ "$(id -u)" == "0" ]]; then
+  # Set up user group
+  PGID="${PGID:-911}"
+  addgroup --gid "$PGID" bitwarden
 
-# Set up user
-PUID="${PUID:-1000}"
-adduser --no-create-home --shell /bin/bash --disabled-password --uid $PUID --gid $PGID --gecos "" bitwarden
+  # Set up user
+  PUID="${PUID:-911}"
+  adduser --no-create-home --shell /bin/bash --disabled-password --uid "$PUID" --gid "$PGID" --gecos "" bitwarden
+fi
 
 # Translate environment variables for application settings
 VAULT_SERVICE_URI=https://$BW_DOMAIN
@@ -49,60 +51,55 @@ if [ ! -f /etc/bitwarden/identity.pfx ]; then
   -subj "/CN=Bitwarden IdentityServer" \
   -days 36500
   
+  # identity.pfx is soft linked to the necessary locations in the Dockerfile
   openssl pkcs12 \
   -export \
   -out /etc/bitwarden/identity.pfx \
   -inkey /etc/bitwarden/identity.key \
   -in /etc/bitwarden/identity.crt \
-  -passout pass:$globalSettings__identityServer__certificatePassword
+  -passout "pass:$globalSettings__identityServer__certificatePassword"
   
   rm /etc/bitwarden/identity.crt
   rm /etc/bitwarden/identity.key
 fi
 
-cp /etc/bitwarden/identity.pfx /app/Identity/identity.pfx
-cp /etc/bitwarden/identity.pfx /app/Sso/identity.pfx
-
 # Generate SSL certificates
-if [ "$BW_ENABLE_SSL" = "true" -a ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ]; then
+if [ "$BW_ENABLE_SSL" = "true" ] && [ ! -f "/etc/bitwarden/${BW_SSL_KEY:-ssl.key}" ]; then
   openssl req \
   -x509 \
   -newkey rsa:4096 \
   -sha256 \
   -nodes \
   -days 36500 \
-  -keyout /etc/bitwarden/${BW_SSL_KEY:-ssl.key} \
-  -out /etc/bitwarden/${BW_SSL_CERT:-ssl.crt} \
+  -keyout /etc/bitwarden/"${BW_SSL_KEY:-ssl.key}" \
+  -out /etc/bitwarden/"${BW_SSL_CERT:-ssl.crt}" \
   -reqexts SAN \
   -extensions SAN \
-  -config <(cat /usr/lib/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${BW_DOMAIN:-localhost}\nbasicConstraints=CA:true")) \
+  -config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:%s\nbasicConstraints=CA:true' "${BW_DOMAIN:-localhost}")) \
   -subj "/C=US/ST=California/L=Santa Barbara/O=Bitwarden Inc./OU=Bitwarden/CN=${BW_DOMAIN:-localhost}"
 fi
 
 # Launch a loop to rotate nginx logs on a daily basis
 /bin/sh -c "/logrotate.sh loop >/dev/null 2>&1 &"
 
-/usr/local/bin/hbs
+# Create necessary directories
+mkdir -p /etc/bitwarden/logs/supervisord
+mkdir -p /etc/bitwarden/logs/nginx
+mkdir -p /etc/bitwarden/nginx
+mkdir -p /tmp/bitwarden
 
-# Enable/Disable services
-sed -i "s/autostart=true/autostart=${BW_ENABLE_ADMIN}/" /etc/supervisor.d/admin.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_API}/" /etc/supervisor.d/api.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_EVENTS}/" /etc/supervisor.d/events.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_ICONS}/" /etc/supervisor.d/icons.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_IDENTITY}/" /etc/supervisor.d/identity.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_NOTIFICATIONS}/" /etc/supervisor.d/notifications.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_SCIM}/" /etc/supervisor.d/scim.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_SSO}/" /etc/supervisor.d/sso.ini
+/usr/local/bin/hbs
 
-chown -R $PUID:$PGID \
-    /app \
-    /etc/bitwarden \
-    /etc/nginx/http.d \
-    /etc/supervisor \
-    /etc/supervisor.d \
-    /var/lib/nginx \
-    /var/log \
-    /var/run/nginx \
-    /run
+if [[ "$(id -u)" == 0 ]]; then
+  find /etc/bitwarden ! -xtype l \( ! -gid "$PGID" -o ! -uid "$PUID" \) -exec chown "${PUID}:${PGID}" {} +
+      
+  exec setpriv --reuid="$PUID" --regid="$PGID" --init-groups /usr/bin/supervisord
+else
+  FILES="$(find /etc/bitwarden ! -xtype l \( ! -gid "$(id -g)" -o ! -uid "$(id -u)" \))"
+  if [[ -n "$FILES" ]]; then
+    echo "The following files are not owned by the running user and may cause errors:" >&2
+    echo "$FILES" >&2
+  fi
 
-exec setpriv --reuid=$PUID --regid=$PGID --init-groups /usr/bin/supervisord
+  exec /usr/bin/supervisord
+fi
diff --git a/docker-unified/hbs/config.yaml b/docker-unified/hbs/config.yaml
@@ -2,6 +2,6 @@ helper_categories:
   - String
 templates:
   - src: /etc/hbs/app-id.hbs
-    dest: /app/Web/app-id.json
+    dest: /etc/bitwarden/app-id.json
   - src: /etc/hbs/nginx-config.hbs
-    dest: /etc/nginx/http.d/bitwarden.conf
+    dest: /etc/bitwarden/nginx/bitwarden.conf
diff --git a/docker-unified/hbs/nginx-config.hbs b/docker-unified/hbs/nginx-config.hbs
@@ -1,3 +1,5 @@
+# THIS FILE IS AUTOMATICALLY GENERATED BY BITWARDEN!
+# CHANGES WILL BE OVERWRITTEN ON CONTAINER STARTUP!
 server {
   listen {{{String.Coalesce env.BW_PORT_HTTP "8080"}}} default_server;
   #listen [::]:{{{String.Coalesce env.BW_PORT_HTTP "8080"}}} default_server;
diff --git a/docker-unified/nginx/nginx.conf b/docker-unified/nginx/nginx.conf
@@ -28,13 +28,20 @@ events {
 
 # Default error log file
 # (this is only used when you don't override error_log on a server{} level)
-error_log  /var/log/nginx/error.log warn;
-pid        /var/run/nginx/nginx.pid;
+error_log  /etc/bitwarden/logs/nginx/error.log warn;
+pid        /tmp/bitwarden/nginx.pid;
 
 http {
   # Include proxy and server configuration.
   include /etc/nginx/proxy.conf;
-  include /etc/nginx/http.d/bitwarden.conf;
+  include /etc/bitwarden/nginx/bitwarden.conf;
+
+  # Use /tmp/bitwarden for (or disable) nginx temp files
+  client_body_temp_path /tmp/bitwarden/nginx 1 2;
+  fastcgi_temp_path /tmp/bitwarden/nginx-fastcgi;
+  proxy_temp_path /tmp/bitwarden/nginx-proxy;
+  uwsgi_temp_path /tmp/bitwarden/nginx-uwsgi;
+  scgi_temp_path /tmp/bitwarden/nginx-scgi;
 
   # Hide nginx version information.
   server_tokens off;
@@ -62,7 +69,7 @@ http {
 
   # Default log file
   # (this is only used when you don't override access_log on a server{} level)
-  access_log /var/log/nginx/access.log main;
+  access_log /etc/bitwarden/logs/nginx/access.log main;
 
   # How long to allow each connection to stay idle; longer values are better
   # for each individual client, particularly for SSL, but means that worker
diff --git a/docker-unified/settings.env b/docker-unified/settings.env
@@ -23,10 +23,6 @@ BW_INSTALLATION_KEY=xxxxxxxxxxxx
 #####################
 # Learn more here: https://bitwarden.com/help/environment-variables/
 
-# Container user ID/group ID
-#PUID=1000
-#PGID=1000
-
 # Webserver ports
 #BW_PORT_HTTP=8080
 #BW_PORT_HTTPS=8443
diff --git a/docker-unified/supervisord/admin.ini b/docker-unified/supervisord/admin.ini
@@ -1,9 +1,9 @@
 [program:admin]
-autostart=true
+autostart=%(ENV_BW_ENABLE_ADMIN)s
 autorestart=true
 command=/usr/bin/dotnet "Admin.dll"
 directory=/app/Admin
 environment=ASPNETCORE_URLS="http://+:5000"
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/admin.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/admin.log
diff --git a/docker-unified/supervisord/api.ini b/docker-unified/supervisord/api.ini
@@ -1,9 +1,9 @@
 [program:api]
-autostart=true
+autostart=%(ENV_BW_ENABLE_API)s
 autorestart=true
 command=/usr/bin/dotnet "Api.dll"
 directory=/app/Api
 environment=ASPNETCORE_URLS="http://+:5001"
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/api.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/api.log
diff --git a/docker-unified/supervisord/events.ini b/docker-unified/supervisord/events.ini
@@ -1,9 +1,9 @@
 [program:events]
-autostart=true
+autostart=%(ENV_BW_ENABLE_EVENTS)s
 autorestart=true
 command=/usr/bin/dotnet "Events.dll"
 directory=/app/Events
 environment=ASPNETCORE_URLS="http://+:5003"
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/events.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/events.log
diff --git a/docker-unified/supervisord/icons.ini b/docker-unified/supervisord/icons.ini
@@ -1,9 +1,9 @@
 [program:icons]
-autostart=true
+autostart=%(ENV_BW_ENABLE_ICONS)s
 autorestart=true
 command=/usr/bin/dotnet "Icons.dll"
 directory=/app/Icons
 environment=ASPNETCORE_URLS="http://+:5004"
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/icons.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/icons.log
diff --git a/docker-unified/supervisord/identity.ini b/docker-unified/supervisord/identity.ini
@@ -1,10 +1,10 @@
 [program:identity]
-autostart=true
+autostart=%(ENV_BW_ENABLE_IDENTITY)s
 autorestart=true
 command=/usr/bin/dotnet "Identity.dll"
 directory=/app/Identity
 environment=ASPNETCORE_URLS="http://+:5005"
 priority=1
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/identity.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/identity.log
diff --git a/docker-unified/supervisord/nginx.ini b/docker-unified/supervisord/nginx.ini
@@ -4,4 +4,4 @@ autorestart=true
 command=nginx
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/nginx.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/nginx.log
diff --git a/docker-unified/supervisord/notifications.ini b/docker-unified/supervisord/notifications.ini
@@ -1,9 +1,9 @@
 [program:notifications]
-autostart=true
+autostart=%(ENV_BW_ENABLE_NOTIFICATIONS)s
 autorestart=true
 command=/usr/bin/dotnet "Notifications.dll"
 directory=/app/Notifications
 environment=ASPNETCORE_URLS="http://+:5006"
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/notifications.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/notifications.log
diff --git a/docker-unified/supervisord/scim.ini b/docker-unified/supervisord/scim.ini
@@ -1,9 +1,9 @@
 [program:scim]
-autostart=true
+autostart=%(ENV_BW_ENABLE_SCIM)s
 autorestart=true
 command=/usr/bin/dotnet "Scim.dll"
 directory=/app/Scim
 environment=ASPNETCORE_URLS="http://+:5002"
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/scim.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/scim.log
diff --git a/docker-unified/supervisord/sso.ini b/docker-unified/supervisord/sso.ini
@@ -1,9 +1,9 @@
 [program:sso]
-autostart=true
+autostart=%(ENV_BW_ENABLE_SSO)s
 autorestart=true
 command=/usr/bin/dotnet "Sso.dll"
 directory=/app/Sso
 environment=ASPNETCORE_URLS="http://+:5007"
 redirect_stderr=true
 startsecs=15
-stdout_logfile=/var/log/bitwarden/sso.log
+stdout_logfile=/etc/bitwarden/logs/supervisord/sso.log
diff --git a/docker-unified/supervisord/supervisord.conf b/docker-unified/supervisord/supervisord.conf
@@ -1,15 +1,16 @@
 [unix_http_server]
-file=/run/supervisord.sock  ; the path to the socket file
+file=/tmp/bitwarden/supervisord.sock  ; the path to the socket file
 
 [supervisord]
-logfile=/var/log/supervisord.log ; main log file; default $CWD/supervisord.log
-nodaemon=true                    ; start in foreground if true; default false
+logfile=/etc/bitwarden/logs/supervisord/supervisord.log ; main log file; default $CWD/supervisord.log
+nodaemon=true      
+pidfile=/tmp/bitwarden/supervisord.pid              ; start in foreground if true; default false
 
 [rpcinterface:supervisor]
 supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
 
 [supervisorctl]
-serverurl=unix:///run/supervisord.sock ; use a unix:// URL for a unix socket
+serverurl=unix:///tmp/bitwarden/supervisord.sock ; use a unix:// URL for a unix socket
 
 [include]
 files = /etc/supervisor.d/*.ini

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+# THIS FILE IS AUTOMATICALLY GENERATED BY BITWARDEN!`
	`2`	`+# CHANGES WILL BE OVERWRITTEN ON CONTAINER STARTUP!`
`1`	`3`	`server {`
`2`	`4`	`listen {{{String.Coalesce env.BW_PORT_HTTP "8080"}}} default_server;`
`3`	`5`	`#listen [::]:{{{String.Coalesce env.BW_PORT_HTTP "8080"}}} default_server;`