Traefik as non-root should be default

It seems possible to run Traefik rootless as-is.

Why does the enterprise edition support non-root while the open source version does not? (Traefik Enterprise Rootless Image - Traefik Enterprise)
The document says "it is not used by default due to limitations in certain environments." I've not been able to find these limitations - can they be added to the document?

This "new normal" where so many official images are running their services as root seems ridiculous - especially when it isn't very hard to achieve non-root:

```dockerfile
FROM traefik:2.8.3
##RUN apk add libcap apk-file strace

# Set the login shell to nologin (the expression rewrites the last field
# of every /etc/passwd entry, root included).
RUN sed -i -E 's%:[^:]+$%:/sbin/nologin%' /etc/passwd

# Create unprivileged user (no home directory, no password, no login shell).
RUN adduser -h /nonexistent -s /sbin/nologin -DH -g Traefik traefik

# Initialize directories and permissions.
RUN mkdir -p /data
RUN chown -R traefik:traefik /data

# Run as unprivileged user.
USER traefik:traefik
```

If you do not agree, would you mind stating what the above change breaks or "limits in certain environments"?
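
A way to check the outcome of a Dockerfile like the one in the post above, added here as an example (not code from the thread or from the Traefik project): it reports which USER is in effect at the end of the final build stage and whether that user is root. The function names and the multi-stage sample are constructed for illustration; when the final stage sets no USER, the answer depends on the base image and is reported as unknown.

```python
import re

# Dockerfile from the post above, abridged to the lines that affect the user.
DERIVED = """\
FROM traefik:2.8.3
RUN adduser -h /nonexistent -s /sbin/nologin -DH -g Traefik traefik
RUN mkdir -p /data
RUN chown -R traefik:traefik /data
USER traefik:traefik
"""

# Constructed sample: only the build stage drops privileges.
MULTI_STAGE = """\
FROM alpine AS build
USER 1000:1000
FROM traefik:2.8.3
COPY --from=build /etc/hostname /tmp/hostname
"""

def final_user(dockerfile_text):
    """USER in effect at the end of the last stage, or None if that stage
    sets none (the user is then inherited from its base image)."""
    text = re.sub(r"\\[ \t]*\r?\n", " ", dockerfile_text)  # join continuations
    user = None
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        instruction = parts[0].upper()
        if instruction == "FROM":
            user = None                      # every stage starts from its base
        elif instruction == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user

def runs_as_root(user):
    """True for root, False for another user, None when it cannot be decided
    from the Dockerfile alone (no USER, or USER taken from a build argument)."""
    if user is None or "$" in user:
        return None
    name = user.split(":", 1)[0]
    return int(name) == 0 if name.isdigit() else name == "root"

if __name__ == "__main__":
    for label, text in (("derived", DERIVED), ("multi-stage", MULTI_STAGE)):
        user = final_user(text)
        print(label, user, runs_as_root(user))
```

A `None` result means the answer has to come from the base image itself, for example from the `Config.User` field shown by `docker image inspect`.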

Sounds like a great idea. I think this will get more attention as an issue on the Traefik GitHub.

1 Like

I figured they didn't want it there because there were so many requesting this in the archived repo... Do you think it is reasonable to link this thread into here: unprivileged images for Kubernetes · Issue #7 · traefik/traefik-library-image · GitHub

My feeling is that very little is happening here, especially towards "feature requests".

Maybe it’s a political product decision, they earn their living by selling 3000€+/year enterprise subscriptions.

Multi-Node-Traefik-LetsEncrypt for Docker Swarm is only available in the enterprise edition.

But I am totally with you, basic security belongs in the community edition. Elasticsearch also had simple user/pass auth only available in their paid-for extension packs - for many many years. I think that was really stupid.

1 Like

Yes, but in terms of maximizing business and sales funnel, it would make no sense to only have a secure EE and not the open source version. It would make sense to set Traefik apart from Caddy by having an official Docker image that does not run as root. Whereas if there is any security report of exploits due to the root permission, they would end up having fewer people converting to the EE. So it doesn't seem to make any business sense - and it also makes business sense to state (in the EE docs) which "certain limitations" the rootless configuration creates. Additionally, rootless is something you'd want the community to be testing, not just your enterprise users - which are probably in the minority; free testing.