From 27dc687f5e109ac7e04139eb7aea1251641e7903 Mon Sep 17 00:00:00 2001
From: Chandrasekhar Gadde
Date: Mon, 23 Mar 2026 15:01:47 +0530
Subject: [PATCH 1/2] Run Boundary containers as non-root user

---
 .release/docker/docker-entrypoint.sh | 33 +++++++++++++++++++---------
 Dockerfile | 6 +++++
 2 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/.release/docker/docker-entrypoint.sh b/.release/docker/docker-entrypoint.sh
index 9f9b6fbf28..28e44669c3 100755
--- a/.release/docker/docker-entrypoint.sh
+++ b/.release/docker/docker-entrypoint.sh
@@ -30,25 +30,38 @@ fi
 
 # If we are running Boundary, make sure it executes as the proper user.
 if [ "$1" = 'boundary' ]; then
+    is_root=0
+    if [ "$(id -u)" = '0' ]; then
+        is_root=1
+    fi
+
     if [ -z "$SKIP_CHOWN" ]; then
-        # If the config dir is bind mounted then chown it
-        if [ "$(stat -c %u /boundary)" != "$(id -u boundary)" ]; then
-            chown -R boundary:boundary /boundary || echo "Could not chown /boundary (may not have appropriate permissions)"
+        if [ "$is_root" = '1' ]; then
+            # If the config dir is bind mounted then chown it
+            if [ "$(stat -c %u /boundary)" != "$(id -u boundary)" ]; then
+                chown -R boundary:boundary /boundary || echo "Could not chown /boundary (may not have appropriate permissions)"
+            fi
+        else
+            echo "SKIP_CHOWN not set but running non-root; skipping chown /boundary"
         fi
     fi
 
     if [ -z "$SKIP_SETCAP" ]; then
-        # Allow mlock to avoid swapping Boundary memory to disk
-        setcap cap_ipc_lock=+ep $(readlink -f $(which boundary))
+        if [ "$is_root" = '1' ]; then
+            # Allow mlock to avoid swapping Boundary memory to disk
+            setcap cap_ipc_lock=+ep $(readlink -f $(which boundary))
 
-        # In the case Boundary has been started in a container without IPC_LOCK privileges
-        if ! boundary -version 1>/dev/null 2>/dev/null; then
-            >&2 echo "Couldn't start Boundary with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK"
-            setcap cap_ipc_lock=-ep $(readlink -f $(which boundary))
+            # In the case Boundary has been started in a container without IPC_LOCK privileges
+            if ! boundary -version 1>/dev/null 2>/dev/null; then
+                >&2 echo "Couldn't start Boundary with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK"
+                setcap cap_ipc_lock=-ep $(readlink -f $(which boundary))
+            fi
+        else
+            echo "SKIP_SETCAP not set but running non-root; skipping setcap"
         fi
     fi
 
-    if [ "$(id -u)" = '0' ]; then
+    if [ "$is_root" = '1' ]; then
         set -- su-exec boundary "$@"
     fi
 fi
diff --git a/Dockerfile b/Dockerfile
index 60f81e5704..b4dd43c94f 100644
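Review bot: The new non-root `else` branch under `SKIP_SETCAP` removes the only runtime handling for the case the retained comment describes ("started in a container without IPC_LOCK privileges"): the Dockerfile in this same patch now bakes `cap_ipc_lock=+ep` onto the binary, and a non-root process in a container whose bounding set lacks CAP_IPC_LOCK is, as the existing `boundary -version` fallback anticipates, unable to exec that binary — yet as non-root the entrypoint can no longer `setcap cap_ipc_lock=-ep` it away, and the only message printed is "skipping setcap", which reads as benign. The non-root branch should at least keep the probe and emit a stderr diagnostic that names the remedy (`--cap-add IPC_LOCK`) so an operator sees why the container exited; whether the images should bake `+ep` at all is a question for the Dockerfile hunks. The surrounding script continues past the end of this hunk.
```shell
    if [ -z "$SKIP_SETCAP" ]; then
        if [ "$is_root" = '1' ]; then
            # … unchanged: root branch (setcap and its IPC_LOCK fallback) …
        else
            # Non-root cannot change file capabilities; only verify that the
            # image's baked-in cap_ipc_lock still lets the binary execute.
            if ! boundary -version 1>/dev/null 2>/dev/null; then
                >&2 echo "Boundary cannot start with IPC_LOCK and this container is non-root, so the capability cannot be dropped here. Run with --cap-add IPC_LOCK."
            fi
        fi
    fi
```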
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,6 +22,7 @@ RUN set -eux && \
     apk add --no-cache wget ca-certificates dumb-init gnupg libcap openssl su-exec iputils libc6-compat iptables
 
 ADD bin/boundary /bin/boundary
+RUN setcap cap_ipc_lock=+ep /bin/boundary
 RUN mkdir /boundary/
 ADD .release/docker/config.hcl /boundary/config.hcl
 
@@ -36,6 +37,7 @@ LABEL org.opencontainers.image.licenses="BUSL-1.1"
 
 COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 COPY bin/LICENSE.txt /usr/share/doc/boundary/LICENSE.txt
+USER boundary
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server", "-config", "/boundary/config.hcl"]
 
@@ -75,6 +77,7 @@ RUN set -eux && \
     grep boundary_${PRODUCT_VERSION}_linux_${boundaryArch}.zip boundary_${PRODUCT_VERSION}_SHA256SUMS | sha256sum -c && \
     unzip -d /bin boundary_${PRODUCT_VERSION}_linux_${boundaryArch}.zip && \
     rm boundary_${PRODUCT_VERSION}_linux_${boundaryArch}.zip boundary_${PRODUCT_VERSION}_SHA256SUMS boundary_${PRODUCT_VERSION}_SHA256SUMS.sig && \
+    setcap cap_ipc_lock=+ep /bin/boundary && \
     cp /bin/LICENSE.txt /usr/share/doc/boundary/LICENSE.txt && \
     mkdir /boundary
 
@@ -88,6 +91,7 @@ VOLUME /boundary/
 
 
 COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+USER boundary
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server", "-config", "/boundary/config.hcl"]
 
@@ -126,6 +130,7 @@ COPY .release/docker/config.hcl /boundary/config.hcl
 
 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/
 COPY dist/$TARGETOS/$TARGETARCH/LICENSE.txt /usr/share/doc/boundary/LICENSE.txt
+RUN setcap cap_ipc_lock=+ep /bin/$BIN_NAME
 RUN chown -R ${NAME}:${NAME} /boundary
 RUN chmod -R 640 /boundary/*
 
@@ -135,5 +140,6 @@ VOLUME /boundary/
 
 
 COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+USER ${NAME}
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server", "-config", "/boundary/config.hcl"]
From 7e6d56051f23384999e585feea8cd885de3f39ca Mon Sep 17 00:00:00 2001
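Review bot: In the first stage (hunk at `@@ -22,6`) `/boundary` is created and `config.hcl` is added as root, and `USER boundary` now makes the entrypoint run as a user that skips its own chown, so unless an instruction outside this hunk changes ownership, the config directory stays root-owned for the non-root process; the same gap applies to the `mkdir /boundary` in the `@@ -75,6` chain. The dev stage already does `RUN chown -R ${NAME}:${NAME} /boundary` before `USER ${NAME}`, and the other two stages should do the same, e.g. `RUN chown -R boundary:boundary /boundary` after the `ADD .release/docker/config.hcl` line and a `chown -R boundary:boundary /boundary && \` step after `mkdir /boundary`. Bind mounts of the declared `VOLUME /boundary/` are affected too: the entrypoint's "config dir is bind mounted then chown it" path can no longer run as non-root, so host-owned mounts must already carry the right ownership, which deserves a sentence in the image documentation.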
From: Chandrasekhar Gadde
Date: Mon, 23 Mar 2026 19:49:43 +0530
Subject: [PATCH 2/2] redirect output to stderr

---
 .release/docker/docker-entrypoint.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.release/docker/docker-entrypoint.sh b/.release/docker/docker-entrypoint.sh
index 28e44669c3..a5123c107c 100755
--- a/.release/docker/docker-entrypoint.sh
+++ b/.release/docker/docker-entrypoint.sh
@@ -42,7 +42,7 @@ if [ "$1" = 'boundary' ]; then
                 chown -R boundary:boundary /boundary || echo "Could not chown /boundary (may not have appropriate permissions)"
             fi
         else
-            echo "SKIP_CHOWN not set but running non-root; skipping chown /boundary"
+            >&2 echo "SKIP_CHOWN not set but running non-root; skipping chown /boundary"
         fi
     fi
 
@@ -57,7 +57,7 @@ if [ "$1" = 'boundary' ]; then
                 setcap cap_ipc_lock=-ep $(readlink -f $(which boundary))
             fi
         else
-            echo "SKIP_SETCAP not set but running non-root; skipping setcap"
+            >&2 echo "SKIP_SETCAP not set but running non-root; skipping setcap"
         fi
     fi
 
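Review bot: The `chown … || echo "Could not chown /boundary …"` line kept as context at the top of the first hunk still sends its diagnostic to stdout, while this commit moves the two sibling messages to stderr; for consistency, and so stdout carries only Boundary's own output, change it to `chown -R boundary:boundary /boundary || >&2 echo "Could not chown /boundary (may not have appropriate permissions)"`. Both hunks sit inside the `if [ "$1" = 'boundary' ]` block, whose start and end lie outside them.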