From 496424982e83876d422cca4aecc6bf2216e9c8a1 Mon Sep 17 00:00:00 2001
From: Eric Rakestraw
Date: Fri, 6 Mar 2026 15:03:22 +0000
Subject: [PATCH] Update container definitions to run all services as a non-root user.
---
 tasks/main.yml | 3 ++-
 vars/containers/nats.yml | 3 +++
 vars/containers/watchtower.yml | 10 ++++++++++
 vars/containers/weatherfeeder.yml | 3 +++
 vars/containers/weatherprocessor.yml | 3 +++
 5 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 1ea32b0..3e7a89d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -34,4 +34,5 @@ - name: Run the docker-compose role to apply the docker-compose.yml file. import_role: name: "docker-compose" -... + +... \ No newline at end of file
diff --git a/vars/containers/nats.yml b/vars/containers/nats.yml
index 4bd2750..4fa8ddf 100644
--- a/vars/containers/nats.yml
+++ b/vars/containers/nats.yml
@@ -7,6 +7,9 @@ nats:
 # Define the docker image to be used for this container. image: "{{ feedstack_nats_container_image }}:{{ feedstack_nats_container_tag }}" + # Define the user that the container should be run as. + user: "{{ docker_user_id }}:{{ docker_group_id }}" + # Define the path where application data for this container will be stored. appdata_directory: "{{ docker_appdata_directory }}/nats"
diff --git a/vars/containers/watchtower.yml b/vars/containers/watchtower.yml
index 96fbe29..4d2c9b9 100644
--- a/vars/containers/watchtower.yml
+++ b/vars/containers/watchtower.yml
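Review bot: The new `user:` line makes the nats process run as `docker_user_id:docker_group_id`, but nothing in this hunk (or in the identical hunks in weatherfeeder.yml and weatherprocessor.yml) shows that `{{ docker_appdata_directory }}/nats` is owned or writable by that uid:gid, so the container can fail at startup if the directory was created as root. The role that consumes these vars is outside this diff; confirm it creates each appdata directory with matching `owner`/`group` (Ansible `file` module) before the docker-compose role starts the services. It is also worth documenting that all four containers now share one identity, so filesystem isolation between services rests entirely on per-directory modes, e.g. add above the `user:` line `# All services share this uid:gid; keep each appdata_directory mode restrictive so services cannot read each other's data.`. The `nats:` mapping begins before the hunk.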
@@ -7,10 +7,20 @@ watchtower:
 # Define the docker image to be used for this container. image: "{{ feedstack_watchtower_container_image }}:{{ feedstack_watchtower_container_tag }}" + # Define the user that the container should be run as. + user: "{{ docker_user_id }}:{{ docker_group_id }}" + # Define the path where application data for this container will be stored. appdata_directory: "{{ docker_appdata_directory }}/watchtower" # Define the volumes that should be mounted into the container. volumes: - "/var/run/docker.sock:/var/run/docker.sock" + - "{{ docker_home_directory }}/.docker:/config:ro" + + # Define environment variables to be passed to the container. + environment_variables: + - "WATCHTOWER_CLEANUP=true" + - "DOCKER_CONFIG=/config" + ...
diff --git a/vars/containers/weatherfeeder.yml b/vars/containers/weatherfeeder.yml
index 82b9959..1ffcc31 100644
--- a/vars/containers/weatherfeeder.yml
+++ b/vars/containers/weatherfeeder.yml
@@ -7,6 +7,9 @@ weatherfeeder:
 # Define the docker image to be used for this container. image: "{{ feedstack_weatherfeeder_container_image }}:{{ feedstack_weatherfeeder_container_tag }}" + # Define the user that the container should be run as. + user: "{{ docker_user_id }}:{{ docker_group_id }}" + # Define the path where application data for this container will be stored. appdata_directory: "{{ docker_appdata_directory }}/weatherfeeder"
diff --git a/vars/containers/weatherprocessor.yml b/vars/containers/weatherprocessor.yml
index 3627a49..f15b7a6 100644
--- a/vars/containers/weatherprocessor.yml
+++ b/vars/containers/weatherprocessor.yml
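Review bot: Setting `user: "{{ docker_user_id }}:{{ docker_group_id }}"` on watchtower does not reduce its privilege in any meaningful way, because the hunk still bind-mounts `/var/run/docker.sock`, and any process that can talk to that socket controls the daemon and is therefore root-equivalent on the host. For the service to work at all, `docker_group_id` must match the group that owns the socket (typically the host `docker` group) or the socket must be world-writable; if it is instead the shared group that nats, weatherfeeder and weatherprocessor also run under, those services inherit docker-group membership too, even though they mount no socket. Prefer granting only this container the socket's group through compose's `group_add`, if the consuming role's template supports it, and record the caveat next to the `user:` line: `# NOTE: the Docker socket grants root-equivalent access to the host; this uid:gid only limits the container's own file permissions.`. The new `{{ docker_home_directory }}/.docker:/config:ro` mount exposes that user's registry credentials (typically config.json) to the container, which `DOCKER_CONFIG=/config` requires, but confirm the file's mode does not leave it readable to the other services sharing the same uid. The `watchtower:` mapping begins before the hunk.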
@@ -7,6 +7,9 @@ weatherprocessor:
 # Define the docker image to be used for this container. image: "{{ feedstack_weatherprocessor_container_image }}:{{ feedstack_weatherprocessor_container_tag }}" + # Define the user that the container should be run as. + user: "{{ docker_user_id }}:{{ docker_group_id }}" + # Define the path where application data for this container will be stored. appdata_directory: "{{ docker_appdata_directory }}/weatherprocessor"