fix(container): update security settings of favonia/cloudflare-ddns #2418
Thanks for using my DDNS updater. Since version 1.13.0 (released on 16 July), the updater has stopped dropping superuser privileges by itself, instead relying on Docker's built-in mechanism to drop those privileges. The new way is safer, cleaner, and more reliable; but it requires an update to the configuration. In particular, the environment variables `PUID=uid` and `PGID=gid` should be replaced by `user: "uid:gid"` or `--user uid:gid`. I am on a mission to eliminate the old template from the internet. Please help me promote security best practices! For more information about this design change, please read the CHANGELOG. If copyright ever matters, this PR itself is licensed under CC0, which should allow you to do whatever you want. Thank you again for your interest in the updater.
PS: I know you are using an older version of the updater, but the template works even for older ones. (An upgrade is recommended, though.)
PPS: I do not have a VyOS to test the script. Please let me know whether it works or not. BTW, it’s sad that VyOS does not seem to provide many other useful protections such as “dropping all Linux capabilities” or “making the filesystem read-only”.
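The migration the PR asks for, shown as an added illustration that is not part of the PR or of the project's own files: a Docker Compose service for favonia/cloudflare-ddns with the old PUID/PGID template beside the `user:` replacement, plus the two hardening settings the postscript mentions (dropping all Linux capabilities and a read-only filesystem). The uid/gid, token and domain values are placeholders; `CLOUDFLARE_API_TOKEN`, `DOMAINS` and `PROXIED` are the updater's own settings and everything else is standard Compose/Docker syntax.

```yaml
services:
  cloudflare-ddns:
    image: favonia/cloudflare-ddns:latest
    restart: always

    # OLD template (the one this PR removes): the container starts as root and
    # the updater itself switched to PUID:PGID after startup. Delete these lines.
    #   environment:
    #     - PUID=1000
    #     - PGID=1000

    # NEW template: Docker starts the process as this uid:gid from the first
    # instruction, so no code ever runs as root inside the container.
    # Placeholder ids; use the uid:gid you want the updater to run as.
    user: "1000:1000"

    # Extra hardening the PR postscript refers to (all standard Docker options):
    read_only: true                          # the updater needs no writable files
    cap_drop: [all]                          # drop every Linux capability
    security_opt: [no-new-privileges:true]   # forbid regaining privileges via setuid/setcap

    environment:
      - CLOUDFLARE_API_TOKEN=REPLACE_WITH_YOUR_TOKEN   # placeholder, keep out of git
      - DOMAINS=example.com                            # placeholder
      - PROXIED=true

# Equivalent docker run invocation (same placeholders):
#   docker run --user 1000:1000 --read-only --cap-drop all \
#       --security-opt no-new-privileges -e CLOUDFLARE_API_TOKEN=... \
#       -e DOMAINS=example.com favonia/cloudflare-ddns:latest
```

After starting the service, `docker top cloudflare-ddns` lists the process with its owning UID; it should show the configured id rather than 0, which is the check that the old root-then-drop path is really gone. The image is a minimal one without a shell, so `docker compose exec ... id` is not an option and `docker top` (or `docker inspect --format '{{.Config.User}}'`) is the practical verification.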