Added code

Signed-off-by: pentago <[email protected]>

.markdownlint.json

@@ -0,0 +1,4 @@
+{
+  "default": true,
+  "MD013": false, // Disable line length rule
+}

.yamllint

@@ -0,0 +1,5 @@
+extends: default
+
+rules:
+  document-start: disable
+  line-length: disable

Dockerfile

@@ -0,0 +1,32 @@
+# https://github.com/traefik/traefik/releases
+ARG TRAEFIK_VERSION=v3.1.1
+
+# https://hub.docker.com/_/alpine
+ARG ALPINE_VERSION=3.20.2
+
+# Official image
+FROM traefik:$TRAEFIK_VERSION AS source
+
+# Rootless customization
+FROM alpine:$ALPINE_VERSION AS build
+COPY --from=source /usr/local/bin/traefik /
+
+# Modification to allow running rootless while listening on low ports
+# RUN apk --no-cache add libcap
+# RUN setcap cap_net_bind_service=+ep /traefik
+
+# Final minimal image
+FROM scratch
+
+LABEL org.opencontainers.image.source="https://github.com/pentago/traefik-rootless"
+LABEL org.opencontainers.image.licenses="MIT"
+LABEL org.opencontainers.image.base.name="scratch"
+
+COPY --from=source /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=source /usr/share/zoneinfo /usr/share/
+COPY --from=build /traefik /
+
+USER 1000:1000
+EXPOSE 8080 8443
+VOLUME ["/tmp"]
+ENTRYPOINT ["/traefik"]

README.md

@@ -0,0 +1,18 @@
+# Unprivileged Traefik Container Image
+
+[![Main CI](https://github.com/pentago/traefik-rootless/actions/workflows/main.yaml/badge.svg)](https://github.com/pentago/traefik-rootless/actions/workflows/main.yaml)
+
+To be able to run this critical component as unprivileged and secure as possible, it needs to be built as a custom image.
+
+Approach here is to fetch the official image binary, and copy over the binary to a `scratch` based image with bare minimum of additions (*root certificates and zoneinfo* files from official image), running as unprivileged user (`1000:1000`) by default, all making it smaller and more secure.
+
+Considering official image simplicity, this unprivileged image can be used across at least entire 3.x branch lifetime, hopefully even longer.
+
+## Features
+
+* Official, untouched binary
+* Rootless
+* Listens on high ports
+* Bare-bones scratch image
+* Multiple architectures
+* Free

tests/compose.yaml

@@ -0,0 +1,68 @@
+services:
+
+  socket_proxy:
+    container_name: socket_proxy
+    hostname: socket_proxy
+    image: lscr.io/linuxserver/socket-proxy:latest
+    environment:
+      VERSION: 1
+      CONTAINERS: 1
+      EVENTS: 1
+      ALLOW_START: 0
+      ALLOW_STOP: 0
+      ALLOW_RESTARTS: 0
+      AUTH: 0
+      BUILD: 0
+      COMMIT: 0
+      CONFIGS: 0
+      DISABLE_IPV6: 0
+      DISTRIBUTION: 0
+      EXEC: 0
+      IMAGES: 0
+      INFO: 0
+      NETWORKS: 0
+      NODES: 0
+      PING: 0
+      POST: 0
+      PLUGINS: 0
+      SECRETS: 0
+      SERVICES: 0
+      SESSION: 0
+      SWARM: 0
+      SYSTEM: 0
+      TASKS: 0
+      VOLUMES: 0
+    expose:
+      - 2375
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    read_only: true
+    tmpfs:
+      - /run
+
+  traefik:
+    container_name: traefik
+    hostname: traefik
+    image: TRAEFIK_ROOTLES_IMAGE:latest
+    command:
+      - --log.level=DEBUG
+      - --api.insecure=true
+      - --providers.docker=true
+      - --providers.docker.endpoint=tcp://socket_proxy:2375
+      - --providers.docker.exposedbydefault=false
+      - --entryPoints.web.address=:80
+    ports:
+      - "8080:80"
+    depends_on:
+      - socket_proxy
+
+  whoami:
+    container_name: whoami
+    hostname: whoami
+    image: traefik/whoami:latest
+    depends_on:
+      - traefik
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.whoami.rule=Host(`localhost`) && PathPrefix(`/whoami`)
+      - traefik.http.routers.whoami.entrypoints=web