Using a Rootless Image in Traefik Enterprise
In certain cases it may be desirable to use a rootless image for security purposes.
A rootless version of the image is available, but it is not used by default due to limitations in certain environments.
The rootless image name is the same as the standard image with the additional suffix -rootless on the tag. When using this image, everything is started as the non-privileged user non-root with UID 65532 and GID 65532.
Using the Rootless Image
After generating your manifests, manually add the -rootless suffix to the image name for the controllers and/or proxies.
Some cloud providers may mount persistent volumes inside your containers as root, resulting in permission errors when starting a controller or proxy. The best way to fix this is to change ownership of the volume before starting the Traefik Enterprise containers. Here are some specific examples:
```yaml
# Specifying an additional init container to change volume ownership
kind: StatefulSet
#[...]
spec:
  #[...]
  template:
    #[...]
    spec:
      securityContext:
        runAsUser: 65532
        runAsGroup: 65532
      initContainers:
        #[...]
        - name: volume-ownership
          image: busybox:1.31.1
          command: ['sh', '-c', 'chown -R 65532:65532 /data']
          resources:
            requests:
              memory: "10Mi"
              cpu: "100m"
            limits:
              memory: "100Mi"
              cpu: "1000m"
          volumeMounts:
            - name: "rootless-proxy-data"
              mountPath: "/data"
      #[...]
```
```yaml
# Taking advantage of `fsGroup` security context to grant additional group permission on volumes
kind: StatefulSet
#[...]
spec:
  #[...]
  template:
    #[...]
    spec:
      securityContext:
        runAsUser: 65532
        runAsGroup: 65532
        fsGroup: 65532
      #[...]
      containers:
        - name: "rootless-controller"
          #[...]
```
```shell
# Change ownership of the volume(s) before deploying the Traefik Enterprise stack
docker run -it --mount source=my-traefikee-volume,destination=/data busybox:1.31.1 chown -R 65532:65532 /data
```
```shell
# Change ownership of the source volume(s) before deploying the Traefik Enterprise stack
chown -R 65532:65532 /my-traefikee-volume
```
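A pre-flight check for the ownership problem described above, added here as an example that is not part of the Traefik Enterprise documentation: it reports whether the rootless user (assumed to be UID/GID 65532, the documented default) can write to a volume mount point, and covers both the chown and the fsGroup cases; the script name check-volume.sh is an assumption.

```shell
#!/bin/sh
# Pre-flight check for the rootless image: can the non-root user that Traefik
# Enterprise runs as (UID/GID 65532 by default) write to a volume mount point?
# Added example, not from the Traefik Enterprise docs. Assumes POSIX sh, ls and cut.

TRAEFIKEE_UID=65532
TRAEFIKEE_GID=65532

# volume_writable_by DIR UID GID
# Returns 0 when a process running as UID:GID can write to DIR according to the
# owner/group/other permission bits, 1 when it cannot, 2 when DIR is not a directory.
# Ownership bits only: ACLs or a read-only mount can still deny a write.
volume_writable_by() {
  dir=$1; uid=$2; gid=$3
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
  # ls -ldn prints numeric ids, e.g. "drwxr-xr-x 2 65532 65532 4096 Jan 1 00:00 /data"
  set -- $(ls -ldn "$dir")
  mode=$1; owner=$3; group=$4
  ow=$(printf '%s' "$mode" | cut -c3)   # owner write bit
  gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
  aw=$(printf '%s' "$mode" | cut -c9)   # other write bit
  if [ "$owner" = "$uid" ] && [ "$ow" = w ]; then
    return 0                            # owned by the rootless user (chown -R case)
  elif [ "$group" = "$gid" ] && [ "$gw" = w ]; then
    return 0                            # group-writable (fsGroup case)
  elif [ "$aw" = w ]; then
    return 0                            # world-writable: works, but overly permissive
  fi
  echo "$dir is $owner:$group mode $mode; $uid:$gid cannot write to it" >&2
  echo "fix: chown -R $uid:$gid $dir  (or fsGroup: $gid in the pod securityContext)" >&2
  return 1
}

# Usage: sh check-volume.sh /path/to/volume  (exit 0 = ok, 1 = fix ownership, 2 = bad path)
if [ -n "${1:-}" ]; then
  volume_writable_by "$1" "$TRAEFIKEE_UID" "$TRAEFIKEE_GID"
fi
```

Run it on the host against the volume's source directory, or from an init container against the mount path, before starting the controller or proxy.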
Rootless Controllers in Docker Swarm
When using a rootless image in Docker Swarm, the Controller no longer has access to the Docker socket, which is required for the provider to work. In this case the Docker socket should be exposed securely over the network. Instructions on how to do this are provided by Docker; please refer to this guide.