security enforcement: run docker as normal user and preferably in a RO container #142

Open
MdreW opened this issue Jun 27, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@MdreW
Collaborator

MdreW commented Jun 27, 2024

Hi All!
Working as root exposes the container to many problems; uWSGI specifically says in its docs:

do not run uWSGI instances as root. You can start your uWSGIs as root, but be sure to drop privileges with the uid and gid options.

Another Docker best practice is to run the container without write permission and limit temp files to a tmpfs mount.

Proposal

  • make a satosa user with its home (/home/satosa)
  • move the venv directory into the user home (/home/satosa/.venv)
  • move the proxy into a user home subdirectory (/home/satosa/proxy)
  • make a tmp filesystem for the satosa pid (/home/satosa/run)
  • make an environment for setting the service as read-only in the compose

@peppelinux what do you think?

MdreW added the enhancement label on Jun 27, 2024
@peppelinux
Member

I'm not in favour of changing the path of the proxy installation to a user home

uwsgi prints that message because it doesn't know that it's executed in a container

if we want to run uwsgi as normal user we can create it without creating the home and also give privileges to the installation folders to that user and gid/uid in the uwsgi configuration

we had this previously, we decided therefore to run it as root because we didn't find any risks within docker

@MdreW
Collaborator Author

MdreW commented Jul 3, 2024

Ok, @peppelinux, I follow your advice and will try to add only a user creation and set uwsgi to start as a user from root.

I'm a creature of habit, and limiting rights is a good habit. If someone gains access to a container, they have a complete virtual system to run many bad things. If I can limit this risk, I think that is good.

I'll also try to add an optional config to set the nginx and satosa containers as read-only; this can limit many abusive actions.

I'll make a pull request... if it is good we can merge it, otherwise it is anyway good study work 👍
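
The setup discussed in this thread (uWSGI started as root and dropping to an unprivileged user, a read-only container, tmpfs for runtime files), as an added example that is not the project's own compose file or uWSGI configuration. The service name, image, paths, size limits and the uid/gid 1000 are assumptions.

```yaml
# Added example: hardened compose service for a uWSGI-served proxy.
# Assumptions (not from the project): image name, /satosa_proxy paths,
# a "satosa" user with uid/gid 1000 created in the image without a home.
services:
  satosa:
    image: example/satosa-proxy:latest     # placeholder image
    # Default behaviour without the keys below: writable root filesystem,
    # uWSGI workers running as root for the life of the container.

    # Root filesystem is mounted read-only: code, venv and config cannot be
    # modified from inside the container, even by a compromised worker.
    read_only: true

    # Only these in-memory mounts are writable. noexec/nosuid stop a dropped
    # file from being executed or used for setuid escalation; size caps abuse.
    tmpfs:
      - /satosa_proxy/run:uid=1000,gid=1000,mode=0750,size=16m,noexec,nosuid
      - /tmp:size=64m,noexec,nosuid

    # Processes cannot gain privileges through setuid binaries after exec.
    security_opt:
      - no-new-privileges:true

    # Application data that must change at runtime should be an explicit
    # volume, so every writable path is visible in this file.
    volumes:
      - ./logs:/satosa_proxy/logs          # assumed log location

# Matching uWSGI settings (ini syntax, shown as comments because they live in
# the uWSGI config file, not in compose). The master starts as root and drops
# privileges with uid/gid, as the uWSGI docs quoted above recommend:
#
#   [uwsgi]
#   uid      = satosa
#   gid      = satosa
#   pidfile2 = /satosa_proxy/run/uwsgi.pid   ; written after the privilege drop
#
# The installation folders stay owned by root and readable by the satosa
# group, so the worker can load the code but not rewrite it.
```

If the application fails to start with `read_only: true`, the error usually names the path it tried to write; add that path as a tmpfs or volume rather than removing the read-only flag.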
