
Harden Traefik systemd service #4302

Merged (2 commits), Jan 7, 2019

Conversation

jacksgt
Contributor

@jacksgt jacksgt commented Dec 17, 2018

Since Traefik is running as root on the system, it makes sense to
apply various lockdown measures to keep the system as safe as possible.

Includes mounting most of the directories as read-only or even making them
inaccessible, restricting kernel modifications and limiting the number of
processes the unit may spawn.

Also add checks at service startup to ensure all required files are present.

@alemairebe

It could also be run as a standard user with these two lines under [Service]:
User=traefik
AmbientCapabilities=CAP_NET_BIND_SERVICE

@jacksgt
Contributor Author

jacksgt commented Dec 22, 2018

@alemairebe I thought about adding that too, but then again it requires setting up a user for traefik and assigning appropriate permissions to /etc/traefik.toml and /etc/acme.json.
Nothing complicated, but at least it's not documented anywhere.

Maybe we can add that as a comment to the service file?

[Service]
# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)
#User=traefik
#AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=...
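The commented-out sketch above, expanded into a complete unit as an added example. This is not the contrib/systemd/traefik.service merged by this PR; it shows the hardening the PR describes (read-only or inaccessible directories, no kernel modification, a process cap, start-up file checks) together with the unprivileged user and CAP_NET_BIND_SERVICE from the discussion. It goes slightly beyond the PR's list by also dropping every capability except the bind one (CapabilityBoundingSet, NoNewPrivileges). The binary and file paths (/usr/bin/traefik, /usr/bin/test, /etc/traefik.toml, /etc/acme.json), the process limit and the --configFile flag are assumptions, not taken from the PR.

```ini
# /etc/systemd/system/traefik.service
# Added example, not the unit merged in this PR. Paths, the process
# limit and the --configFile flag are assumptions for illustration.
[Unit]
Description=Traefik reverse proxy
Documentation=https://docs.traefik.io
After=network-online.target
Wants=network-online.target

[Service]
# Run as a dedicated user instead of root. Create it first:
#   useradd -r -s /bin/false -U -M traefik
#   chown traefik:traefik /etc/traefik.toml /etc/acme.json
#   chmod 600 /etc/acme.json
User=traefik
Group=traefik

# Bind ports 80/443 without root: grant only CAP_NET_BIND_SERVICE and
# drop every other capability; forbid regaining privileges via setuid.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

# Start-up checks: no leading "-", so a missing file aborts the start
# instead of letting Traefik come up with a broken or empty config.
ExecStartPre=/usr/bin/test -e /etc/traefik.toml
ExecStartPre=/usr/bin/test -e /etc/acme.json
ExecStart=/usr/bin/traefik --configFile=/etc/traefik.toml
Restart=on-failure

# Filesystem: whole tree read-only, only the ACME store stays writable.
# With ProtectSystem=strict, /etc is read-only too, so acme.json must be
# listed explicitly or certificate renewal will fail with EROFS.
ProtectSystem=strict
ReadWritePaths=/etc/acme.json
# /home, /root and /run/user become inaccessible (not just read-only).
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

# Kernel surface: no sysctl writes, no module loading, no cgroup changes.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

# Process cap. RLIMIT_NPROC is counted per UID, which is meaningful
# here only because the service has its own user (assumed value).
LimitNPROC=512

[Install]
WantedBy=multi-user.target
```

Two things to check after installing a unit like this: ProtectSystem=strict needs systemd 232 or newer (older versions accept only full/true), and if Traefik is configured to write anything else (a log file, a dynamic config directory), that path has to be added to ReadWritePaths as well, otherwise the read-only mount turns the write into a silent failure in the logs. On systemd 240 and later, `systemd-analyze security traefik.service` scores the unit and lists which of these directives are still missing.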

@alemairebe

@jacksgt I guess that would be a good first step :-)
I have no idea how useful it can be to the whole community and users.

@jacksgt
Contributor Author

jacksgt commented Jan 2, 2019

@mmatur Could you please review this PR?

Member

@mmatur mmatur left a comment


Hi @jacksgt,

First of all, thanks for your interest in the project. In this contribution all new params should be commented because they are not mandatory.

Only a few comments

Two review comments on contrib/systemd/traefik.service (outdated, resolved)
@jacksgt
Contributor Author

jacksgt commented Jan 4, 2019

I added a brief comment for all new parameters (for more in-depth information the systemd man page should be consulted).

@ldez ldez removed the request for review from a team January 4, 2019 16:08
Member

@mmatur mmatur left a comment


LGTM

Contributor

@dtomcej dtomcej left a comment


LGTM
:shipit:

Contributor

@ldez ldez left a comment


LGTM

jacksgt and others added 2 commits January 7, 2019 17:54
Since Traefik is directly connected to the internet, it makes sense to
apply various lockdown measures to keep the system as safe as possible.

Includes mounting most of the directories as read-only or even making them
inaccessible, restricting kernel modifications and limiting the number of
processes the unit may spawn.

Also add checks at service startup to ensure all required files are present.

Additionally documents how to set up a separate user for traefik and run the
service as that user.
6 participants