From 5171c0ec20e5543fd989b66c7858a7184c5a0cbe Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Fri, 27 Feb 2015 22:31:03 -0800 Subject: [PATCH 1/2] Document use of `setuid` module and user `jetty` --- jetty/README.md | 11 ++++++++++- jetty/content.md | 11 ++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/jetty/README.md b/jetty/README.md index ca0e678c5..230780dfa 100644 --- a/jetty/README.md +++ b/jetty/README.md @@ -28,13 +28,22 @@ You can then go to `http://localhost:8888` or `http://host-ip:8888` in a browser The default Jetty environment in the image is: JETTY_HOME = /usr/local/jetty + JETTY_BASE = /var/lib/jetty JETTY_CONF = /usr/local/jetty/etc/jetty.conf JETTY_STATE = /usr/local/jetty/jetty.state JETTY_ARGS = JAVA_OPTIONS = TMPDIR = /tmp -Webapps can be [deployed](https://wiki.eclipse.org/Jetty/Howto/Deploy_Web_Applications) in `/usr/local/jetty/webapps`. +Webapps can be [deployed](https://wiki.eclipse.org/Jetty/Howto/Deploy_Web_Applications) in `/var/lib/jetty/webapps`. + +# Security + +By default, this image starts as user `root` and uses Jetty's `setuid` module to drop privileges to user `jetty` after initialization. The `JETTY_BASE` directory at `/var/lib/jetty` is owned by `jetty:jetty` (uid 999, gid 999). + +If you would like the image to start immediately as user `jetty` instead of starting as `root`, you can start the container with `-u jetty`: + + docker run -d -u jetty jetty:9 # License diff --git a/jetty/content.md b/jetty/content.md index 7543c2ea0..4c16be148 100644 --- a/jetty/content.md +++ b/jetty/content.md 
@@ -21,10 +21,19 @@ You can then go to `http://localhost:8888` or `http://host-ip:8888` in a browser The default Jetty environment in the image is: JETTY_HOME = /usr/local/jetty + JETTY_BASE = /var/lib/jetty JETTY_CONF = /usr/local/jetty/etc/jetty.conf JETTY_STATE = /usr/local/jetty/jetty.state JETTY_ARGS = JAVA_OPTIONS = TMPDIR = /tmp -Webapps can be [deployed](https://wiki.eclipse.org/Jetty/Howto/Deploy_Web_Applications) in `/usr/local/jetty/webapps`. +Webapps can be [deployed](https://wiki.eclipse.org/Jetty/Howto/Deploy_Web_Applications) in `/var/lib/jetty/webapps`. + +# Security + +By default, this image starts as user `root` and uses Jetty's `setuid` module to drop privileges to user `jetty` after initialization. The `JETTY_BASE` directory at `/var/lib/jetty` is owned by `jetty:jetty` (uid 999, gid 999). + +If you would like the image to start immediately as user `jetty` instead of starting as `root`, you can start the container with `-u jetty`: + + docker run -d -u jetty jetty:9 From 57b29ca97ed10d450a6175410119da1a0777dae4 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sat, 28 Feb 2015 00:10:14 -0800 Subject: [PATCH 2/2] Fix documentation of JETTY_STATE location --- jetty/README.md | 2 +- jetty/content.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/jetty/README.md b/jetty/README.md index 230780dfa..ebbac1801 100644 --- a/jetty/README.md +++ b/jetty/README.md @@ -30,7 +30,7 @@ The default Jetty environment in the image is: JETTY_HOME = /usr/local/jetty JETTY_BASE = /var/lib/jetty JETTY_CONF = /usr/local/jetty/etc/jetty.conf - JETTY_STATE = /usr/local/jetty/jetty.state + JETTY_STATE = /var/lib/jetty/jetty.state JETTY_ARGS = JAVA_OPTIONS = TMPDIR = /tmp diff --git a/jetty/content.md b/jetty/content.md index 4c16be148..88d0f4fe0 100644 --- a/jetty/content.md +++ b/jetty/content.md 
@@ -23,7 +23,7 @@ The default Jetty environment in the image is: JETTY_HOME = /usr/local/jetty JETTY_BASE = /var/lib/jetty JETTY_CONF = /usr/local/jetty/etc/jetty.conf - JETTY_STATE = /usr/local/jetty/jetty.state + JETTY_STATE = /var/lib/jetty/jetty.state JETTY_ARGS = JAVA_OPTIONS = TMPDIR = /tmp
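Review bot: In the new `# Security` section of jetty/README.md (PATCH 1/2), the text gives uid 999 / gid 999 for `jetty:jetty` but does not say what that means for mounted volumes: a host directory mounted over `/var/lib/jetty/webapps` has to be readable by uid 999, both after the `setuid` drop and when the container is started with `-u jetty`. Suggest adding a sentence on that, and stating whether the `setuid` module is skipped or still loaded when the container starts with `-u jetty`, since the section describes both start modes without saying how they interact.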
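Review bot: In the jetty/content.md hunk of PATCH 1/2, the environment list gains `JETTY_BASE = /var/lib/jetty` while the unchanged context line `JETTY_STATE = /usr/local/jetty/jetty.state` still points under `JETTY_HOME`; PATCH 2/2 then changes it to `/var/lib/jetty/jetty.state`. Consider folding that one-line fix into this patch so the documented environment is consistent at every commit. The jetty/README.md hunk carries identical text and has the same issue.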
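Review bot: In PATCH 2/2 only `JETTY_STATE` moves to `/var/lib/jetty`; the context line `JETTY_CONF = /usr/local/jetty/etc/jetty.conf` stays under `JETTY_HOME` in both files. Please confirm that this is the actual location in the image, and consider listing in the Security section which of these paths the `jetty` user needs write access to, since PATCH 1/2 documents only the ownership of `/var/lib/jetty`.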