[PR #87] [MERGED] Implement rootless Docker container with enhanced security and preserved TFTP logging #215

Closed
opened 2026-03-01 18:33:49 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/netbootxyz/docker-netbootxyz/pull/87
Author: @antonym
Created: 6/8/2025
Status: Merged
Merged: 6/12/2025
Merged by: @antonym

Base: master ← Head: feature/rootless-container-security


📝 Commits (3)

  • 0a9993a Implement rootless Docker container with preserved TFTP logging
  • 84db3c6 Update Dockerfile
  • 741467c Update root/init.sh

📊 Changes

7 files changed (+203 additions, -51 deletions)

View changed files

➕ .dockerignore (+59 -0)
📝 Dockerfile (+67 -30)
📝 README.md (+21 -0)
📝 root/etc/supervisor.conf (+12 -16)
📝 root/init.sh (+29 -3)
📝 root/start.sh (+5 -2)
➕ root/usr/local/bin/dnsmasq-wrapper.sh (+10 -0)

📄 Description

Summary

  • Converts docker-netbootxyz container to run all processes as non-root user for enhanced security
  • Preserves TFTP logging functionality for PXE boot debugging
  • Adds customizable PUID/PGID support for volume permission management

Key Security Improvements

  • All application processes (nginx, webapp, dnsmasq) run as nbxyz user (UID 1000)
  • Privilege dropping using gosu for secure initialization
  • Only supervisord initialization runs as root, then drops privileges
  • Configurable user/group IDs via PUID/PGID environment variables
  • Proper permission management for all service directories

Performance Optimizations

  • Multi-stage Docker build reduces image size and improves caching
  • Optimized package installation and cleanup
  • Better layer organization for faster rebuilds

TFTP Logging Preservation

  • TFTP request logs appear in docker logs output for debugging
  • dnsmasq configured with --log-dhcp --log-queries --log-facility=-
  • Wrapper script ensures proper log forwarding to container stdout
  • Users can monitor PXE boot requests in real-time

Breaking Changes

None - fully backward compatible

Test Plan

  • Container builds successfully
  • All services start and run as non-root user
  • Web interface accessible on ports 80 and 3000
  • TFTP server listening on port 69/udp
  • TFTP transaction logs visible in docker logs
  • PUID/PGID customization works correctly
  • Volume permissions handled properly

Files Changed

  • Dockerfile - Multi-stage build optimization and security enhancements
  • root/init.sh - Dynamic user creation with PUID/PGID support
  • root/start.sh - Privilege dropping with gosu
  • root/etc/supervisor.conf - Rootless process management
  • root/usr/local/bin/dnsmasq-wrapper.sh - TFTP logging wrapper (new file)
  • root/defaults/nginx.conf - Non-root nginx configuration

🤖 Generated with Claude Code


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
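The PR description covers the privilege-drop flow in prose only (PUID/PGID resolution, creating the nbxyz account, fixing volume ownership, then handing off via gosu). The script below is an added example written for this page, not the project's init.sh or start.sh, showing one way to implement that flow plus a check that the drop actually happened. Assumptions not in the PR text: a Debian/Ubuntu userland (groupadd, useradd, usermod, groupmod, getent, GNU stat), gosu on PATH, and /config and /assets as the volume mount points; the function names are ours.

```shell
#!/bin/sh
# Added example, not docker-netbootxyz's own entrypoint. Assumes Debian/Ubuntu
# user-management tools, gosu on PATH, and the volume paths listed in APP_DIRS.
set -eu

APP_USER=nbxyz
APP_DIRS="${APP_DIRS:-/config /assets}"   # assumed mount points, not from the PR

# valid_id ID: accept only a decimal UID/GID in 1..65534. Rejecting 0 means a
# stray PUID=0 cannot silently put every service back on root.
valid_id() {
  case "${1:-}" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65534 ]
}

# resolve_ids: print "UID GID" from PUID/PGID (default 1000/1000), or fail.
resolve_ids() {
  uid="${PUID:-1000}"; gid="${PGID:-1000}"
  valid_id "$uid" || { echo "init: invalid PUID '$uid'" >&2; return 1; }
  valid_id "$gid" || { echo "init: invalid PGID '$gid'" >&2; return 1; }
  echo "$uid $gid"
}

# ensure_user UID GID: create the service account, or re-id an existing one
# so a rebuilt image still honours the PUID/PGID the operator chose. Root only.
ensure_user() {
  getent group "$APP_USER" >/dev/null || groupadd -g "$2" "$APP_USER"
  groupmod -o -g "$2" "$APP_USER"
  getent passwd "$APP_USER" >/dev/null \
    || useradd -u "$1" -g "$APP_USER" -M -s /usr/sbin/nologin "$APP_USER"
  usermod -o -u "$1" -g "$APP_USER" "$APP_USER"
}

# fix_perms UID GID: chown a volume only when its top-level owner is wrong, so
# a large /assets tree is not recursively chowned on every container start.
fix_perms() {
  for d in $APP_DIRS; do
    mkdir -p "$d"
    [ "$(stat -c %u:%g "$d")" = "$1:$2" ] || chown -R "$1:$2" "$d"
  done
}

# root_procs [ALLOWLIST]: read "USER COMMAND" lines (the shape of
# `ps -eo user=,comm=`) on stdin and print how many root-owned processes are
# not on the space-separated allowlist. Run it after startup to prove the
# drop happened; anything other than 0 means a service is still root.
root_procs() {
  allow="${1:-supervisord}"
  n=0
  while read -r user comm rest; do
    [ "$user" = root ] || continue
    case " $allow " in *" $comm "*) continue ;; esac
    n=$((n + 1))
  done
  echo "$n"
}

main() {
  ids=$(resolve_ids); uid=${ids% *}; gid=${ids#* }
  if [ "$(id -u)" -eq 0 ]; then
    ensure_user "$uid" "$gid"
    fix_perms "$uid" "$gid"
    # gosu execs the target in place: unlike su/sudo no setuid helper stays in
    # the process tree, and signals from the container runtime reach the service.
    exec gosu "$uid:$gid" "$@"
  fi
  # Already unprivileged (e.g. started with --user): nothing left to drop.
  exec "$@"
}

# Only act when a command is supplied, e.g.:
#   init.sh supervisord -n -c /etc/supervisor.conf
[ "$#" -eq 0 ] || main "$@"
```

After the container is up, `docker exec <name> ps -eo user=,comm= | sh -c '. ./init.sh; root_procs'` (or simply eyeballing the ps output) should show every nginx, dnsmasq and webapp process under the nbxyz account. Two caveats worth checking independently of this script: dnsmasq binding 69/udp as a non-root user needs either a port above 1023, CAP_NET_BIND_SERVICE, or a sysctl such as net.ipv4.ip_unprivileged_port_start lowered in the container; and gosu only changes the UID/GID, so the image should still drop ambient capabilities (for example `--cap-drop=ALL` plus whatever dnsmasq needs) rather than relying on the UID alone.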
