mirror of
https://github.com/dani-garcia/vaultwarden.wiki.git
synced 2026-03-27 07:28:31 +07:00
36 lines
1.4 KiB
Markdown
36 lines
1.4 KiB
Markdown
By default `vaultwarden/server` is using root user to run service inside the container. There are few things you need to set to run the container as non-root user if you wish to do so:
|
|
|
|
1. Make sure that the directory, you're mounting inside the container will be writable by the user. For example if you decide to run as `nobody`, the directory needs to be writable by user with id 65534. For other ways to specify user inside the container, see the [docker documentation](https://docs.docker.com/engine/reference/run/#user), in our examples here we will use `nobody`.
|
|
|
|
```bash
|
|
# Make the directory on the host, change this to you preferred path
|
|
sudo mkdir /vw-data
|
|
|
|
# Set the owner using user id.
|
|
# Note that the ownership must match user in /etc/passwd *inside* the container, not on your host
|
|
sudo chown 65534 /vw-data
|
|
|
|
# Give the owner full rights to the folder
|
|
sudo chmod u+rwx /vw-data
|
|
```
|
|
|
|
2. Start the container with proper parameters. Define the user and make sure to start with port set to `1024` or higher.
|
|
|
|
```bash
|
|
docker run -d \
|
|
--name vaultwarden \
|
|
--user nobody \
|
|
-e ROCKET_PORT=1024 \
|
|
-v /vw-data/:/data/ \
|
|
-p 80:1024 \
|
|
vaultwarden/server:latest
|
|
```
|
|
|
|
Notice that the port mapping (`-p 80:1024`) reflects the `ROCKET_PORT` setting.
|
|
|
|
Another way may be CAP_NET_BIND_SERVICE, which allows to bind to ports below 1024 as non-root user.
|
|
|
|
cap_add:
|
|
- CAP_NET_BIND_SERVICE
|
|
user: nobody
|