Update container definitions to run all services as a non-root user.

2026-03-06 15:03:22 +00:00
parent 7b2081b94c
commit 496424982e
5 changed files with 21 additions and 1 deletions
--- a/vars/containers/nats.yml
+++ b/vars/containers/nats.yml
@@ -7,6 +7,9 @@ nats:
  # Define the docker image to be used for this container.
  image: "{{ feedstack_nats_container_image }}:{{ feedstack_nats_container_tag }}"

+  # Define the user that the container should be run as.
+  user: "{{ docker_user_id }}:{{ docker_group_id }}"
+
  # Define the path where application data for this container will be stored.
  appdata_directory: "{{ docker_appdata_directory }}/nats"

--- a/vars/containers/watchtower.yml
+++ b/vars/containers/watchtower.yml
@@ -7,10 +7,20 @@ watchtower:
  # Define the docker image to be used for this container.
  image: "{{ feedstack_watchtower_container_image }}:{{ feedstack_watchtower_container_tag }}"

+  # Define the user that the container should be run as.
+  user: "{{ docker_user_id }}:{{ docker_group_id }}"
+
  # Define the path where application data for this container will be stored.
  appdata_directory: "{{ docker_appdata_directory }}/watchtower"

  # Define the volumes that should be mounted into the container.
  volumes:
    - "/var/run/docker.sock:/var/run/docker.sock"
+    - "{{ docker_home_directory }}/.docker:/config:ro"
+
+  # Define environment variables to be passed to the container.
+  environment_variables:
+    - "WATCHTOWER_CLEANUP=true"
+    - "DOCKER_CONFIG=/config"
+
 ...
--- a/vars/containers/weatherfeeder.yml
+++ b/vars/containers/weatherfeeder.yml
@@ -7,6 +7,9 @@ weatherfeeder:
  # Define the docker image to be used for this container.
  image: "{{ feedstack_weatherfeeder_container_image }}:{{ feedstack_weatherfeeder_container_tag }}"

+  # Define the user that the container should be run as.
+  user: "{{ docker_user_id }}:{{ docker_group_id }}"
+
  # Define the path where application data for this container will be stored.
  appdata_directory: "{{ docker_appdata_directory }}/weatherfeeder"

--- a/vars/containers/weatherprocessor.yml
+++ b/vars/containers/weatherprocessor.yml
@@ -7,6 +7,9 @@ weatherprocessor:
  # Define the docker image to be used for this container.
  image: "{{ feedstack_weatherprocessor_container_image }}:{{ feedstack_weatherprocessor_container_tag }}"

+  # Define the user that the container should be run as.
+  user: "{{ docker_user_id }}:{{ docker_group_id }}"
+
  # Define the path where application data for this container will be stored.
  appdata_directory: "{{ docker_appdata_directory }}/weatherprocessor"