Support rootless and/or read-only docker?

[Herve-M]

Describe the feature you would like to see

It would be nice to follow Linux FHS and set temporary files under either /tmp/dozzle/ or /run/dozzle/ or /var/run/dozzle/.

Example of compose ansible template:

services:
  dozzle:
    image: ghcr.io/amir20/dozzle:latest
    container_name: dozzle
    read_only: true
    user: "{{ dozzle_user.uid }}:{{ dozzle_user.group }}"
    group_add:
      - "{{ dozzle_user.group }}"
      - "{{ ansible_facts.getent_group["docker"][1] }}"
    restart: unless-stopped
    command: agent
    environment:
      - PUID={{ dozzle_user.uid }}
      - PGID={{ dozzle_user.group }}
      - DOZZLE_ENABLE_ACTIONS=false
      - DOZZLE_HOSTNAME={{ dozzle_agent_hostname }}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    tmpfs:
      - /tmp:uid={{ dozzle_user.uid }},gid={{ dozzle_user.group }},rw
    ports:
      - 7007:7007
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

Ends into this error:

dozzle  | {"level":"fatal","version":"v8.11.9","error":"failed to create temp file: open ./agent-3133852894.addr: permission denied","time":"2025-03-17T16:03:10Z","message":"Failed to run command"}

Describe how you would like to see this feature implemented

Update

dozzle/internal/support/cli/agent_command.go

Line 40 in 9c2e037

tempFile, err := os.CreateTemp("./", "agent-*.addr")

to use OS's tempdir or have per OS adaption.

Describe any alternatives you've considered

No response

[amir20]

Can you explain what's happening here? I am not following.

Dozzle doesn't have a user. It's based on scratch image. So it doesn't actually do anything when you set user.

Maybe you can be more specific by sending a PR.

[amir20]

I just saw your update:

tempFile, err := os.CreateTemp("./", "agent-*.addr")

That is using the OS temp dir through Go. What is it supposed to do instead?

[amir20]

I am not sure what to do with this issue. Won't have time to look at it. If it's an easy fix, then send a PR please.

[Herve-M]

Can you explain what's happening here? I am not following.

Dozzle doesn't have a user. It's based on scratch image. So it doesn't actually do anything when you set user.

Maybe you can be more specific by sending a PR.

The idea is to possibly follow Linux FHS (Filesystem Hierarchy Standard) and allow docker image to be read-only by putting generated files into places that can be mapped to TMPFS or alike.

It seems that today temporary file, or socket?, is created somewhere but not in a temp folder; making the agent crash if set to read-only or under a specific user & group. (non root user).

[amir20]

@Herve-M, I have moved this to a discussion because I receive this question frequently. My understanding may be limited since I haven't spent much time considering it.

As far as I know, this is not possible today because Dozzle uses scratch. There are no user groups, and setting PUID has no effect. This is what I was trying to explain earlier. This issue was discussed in #3364 and is also linked to Portainer, which can be found at portainer/portainer#1535.

I did some research, and one option is to use a different base. I am hesitant to use alpine because I don't believe Dozzle should include a shell. I find that unnecessary, and it feels bloated. If someone hacks the container, they could gain access to the entire network.

Another idea is to use distroless. That was discussed in this article. I am not familiar with it at all.

So if someone wants to use distroless and test it then I am OK with it. But I won't be pursuing it myself.

[amir20]

I think I am going to revisit this. It seems to actually work with scratch.

fmt.Printf("Current user id: %d and group id: %d\n", os.Getuid(), os.Getgid())

❯ docker run --user 1000 amir20/test  
Current user id: 1000 and group id: 0

So it seems as if --user is respected.

[amir20]

@Herve-M could you try #3797? amir20/dozzle:pr-3797 should work. I have moved the temporary file to /tmp dir. This file is used to do healthcheck. So nothing should really break.

[amir20]

@Herve-M did it work? I am releasing a new version now. But you never confirmed if it works.

[Herve-M]

Got into holidays and jobs stuff, my bad. Tested v8.12.15 / sha256:f0859a33bc19ec54c65be302f9407936a355ba994aa79f2fd123691d0a74856a with just using user: {uid}{gid} & /tmp over tmpfs and it works! 👍🏻

Thanks a lot!

[amir20]

This is fixed now in master. #3797