Allow listening on privileged ports (below 1024) as non-root

This is done by running `setcap cap_net_bind_service=+ep` on the executable
in the build phase (doing it in the runtime phase creates an extra copy of
the executable that bloats the image). This only works when using the
BuildKit-based builder, since the `COPY` instruction doesn't copy
capabilities on the legacy builder.

Author: jjlin

docker/Dockerfile.j2

@@ -83,8 +83,6 @@ FROM vaultwarden/web-vault@{{ vault_image_digest }} as vault
 ########################## BUILD IMAGE  ##########################
 FROM {{ build_stage_base_image }} as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -93,31 +91,33 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
 {% if "alpine" in target_file %}
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin
 {%   if "armv6" in target_file %}
+
 # To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location
 ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/{{ package_arch_target }}/lib/libatomic.a'
 {%   endif %}
 {% elif "arm" in target_file %}
-#
-# Install required build libs for {{ package_arch_name }} architecture.
+# Install build dependencies for the {{ package_arch_name }} architecture
 RUN dpkg --add-architecture {{ package_arch_name }} \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
-        libssl-dev{{ package_arch_prefix }} \
+        gcc-{{ package_cross_compiler }} \
         libc6-dev{{ package_arch_prefix }} \
-        libpq5{{ package_arch_prefix }} \
-        libpq-dev{{ package_arch_prefix }} \
-        libmariadb3{{ package_arch_prefix }} \
+        libcap2-bin \
         libmariadb-dev{{ package_arch_prefix }} \
         libmariadb-dev-compat{{ package_arch_prefix }} \
-        gcc-{{ package_cross_compiler }} \
+        libmariadb3{{ package_arch_prefix }} \
+        libpq-dev{{ package_arch_prefix }} \
+        libpq5{{ package_arch_prefix }} \
+        libssl-dev{{ package_arch_prefix }} \
     #
     # Make sure cargo has the right target config
     && echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \
@@ -129,16 +129,14 @@ ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_
     CROSS_COMPILE="1" \
     OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \
     OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}"
-
 {% elif "amd64" in target_file %}
-# Install DB packages
+# Install build dependencies
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
-        libmariadb-dev{{ package_arch_prefix }} \
-        libpq-dev{{ package_arch_prefix }} \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+        libcap2-bin \
+        libmariadb-dev \
+        libpq-dev
 {% endif %}
 
 # Creates a dummy project used to grab dependencies
@@ -179,6 +177,18 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }}
 
+{% if "buildkit" in target_file %}
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+{%   if package_arch_target is defined %}
+RUN setcap cap_net_bind_service=+ep target/{{ package_arch_target }}/release/vaultwarden
+{%   else %}
+RUN setcap cap_net_bind_service=+ep target/release/vaultwarden
+{%   endif %}
+{% endif %}
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -200,18 +210,18 @@ RUN [ "cross-build-start" ]
 RUN mkdir /data \
 {% if "alpine" in runtime_stage_base_image %}
     && apk add --no-cache \
-        openssl \
-        tzdata \
+        ca-certificates \
         curl \
-        ca-certificates
+        openssl \
+        tzdata
 {% else %}
     && apt-get update && apt-get install -y \
     --no-install-recommends \
-    openssl \
     ca-certificates \
     curl \
     libmariadb-dev-compat \
     libpq5 \
+    openssl \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 {% endif %}

docker/amd64/Dockerfile

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM rust:1.66-bullseye as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,19 +37,17 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
-# Install DB packages
+# Install build dependencies
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
+        libcap2-bin \
         libmariadb-dev \
-        libpq-dev \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+        libpq-dev
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -83,6 +79,7 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN cargo build --features ${DB} --release
 
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -97,11 +94,11 @@ ENV ROCKET_PROFILE="release" \
 RUN mkdir /data \
     && apt-get update && apt-get install -y \
     --no-install-recommends \
-    openssl \
     ca-certificates \
     curl \
     libmariadb-dev-compat \
     libpq5 \
+    openssl \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 

docker/amd64/Dockerfile.alpine

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,11 +37,12 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -77,6 +76,7 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
 
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -92,10 +92,10 @@ ENV ROCKET_PROFILE="release" \
 # Create data folder and Install needed libraries
 RUN mkdir /data \
     && apk add --no-cache \
-        openssl \
-        tzdata \
+        ca-certificates \
         curl \
-        ca-certificates
+        openssl \
+        tzdata
 
 
 VOLUME /data

docker/amd64/Dockerfile.buildkit

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM rust:1.66-bullseye as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,19 +37,17 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
-# Install DB packages
+# Install build dependencies
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
+        libcap2-bin \
         libmariadb-dev \
-        libpq-dev \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+        libpq-dev
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -83,6 +79,12 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release
 
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/release/vaultwarden
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -97,11 +99,11 @@ ENV ROCKET_PROFILE="release" \
 RUN mkdir /data \
     && apt-get update && apt-get install -y \
     --no-install-recommends \
-    openssl \
     ca-certificates \
     curl \
     libmariadb-dev-compat \
     libpq5 \
+    openssl \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 

docker/amd64/Dockerfile.buildkit.alpine

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,11 +37,12 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -77,6 +76,12 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
 
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/x86_64-unknown-linux-musl/release/vaultwarden
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -92,10 +97,10 @@ ENV ROCKET_PROFILE="release" \
 # Create data folder and Install needed libraries
 RUN mkdir /data \
     && apk add --no-cache \
-        openssl \
-        tzdata \
+        ca-certificates \
         curl \
-        ca-certificates
+        openssl \
+        tzdata
 
 
 VOLUME /data

docker/arm64/Dockerfile

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM rust:1.66-bullseye as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
-#
-# Install required build libs for arm64 architecture.
+# Install build dependencies for the arm64 architecture
 RUN dpkg --add-architecture arm64 \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
-        libssl-dev:arm64 \
+        gcc-aarch64-linux-gnu \
         libc6-dev:arm64 \
-        libpq5:arm64 \
-        libpq-dev:arm64 \
-        libmariadb3:arm64 \
+        libcap2-bin \
         libmariadb-dev:arm64 \
         libmariadb-dev-compat:arm64 \
-        gcc-aarch64-linux-gnu \
+        libmariadb3:arm64 \
+        libpq-dev:arm64 \
+        libpq5:arm64 \
+        libssl-dev:arm64 \
     #
     # Make sure cargo has the right target config
     && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \
@@ -70,7 +67,6 @@ ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \
     OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \
     OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
 
-
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
 WORKDIR /app
@@ -102,6 +98,7 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
 
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -117,11 +114,11 @@ RUN [ "cross-build-start" ]
 RUN mkdir /data \
     && apt-get update && apt-get install -y \
     --no-install-recommends \
-    openssl \
     ca-certificates \
     curl \
     libmariadb-dev-compat \
     libpq5 \
+    openssl \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 

docker/arm64/Dockerfile.alpine

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,11 +37,12 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -77,6 +76,7 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
 
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -93,10 +93,10 @@ RUN [ "cross-build-start" ]
 # Create data folder and Install needed libraries
 RUN mkdir /data \
     && apk add --no-cache \
-        openssl \
-        tzdata \
+        ca-certificates \
         curl \
-        ca-certificates
+        openssl \
+        tzdata
 
 RUN [ "cross-build-end" ]
 

docker/arm64/Dockerfile.buildkit

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM rust:1.66-bullseye as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
-#
-# Install required build libs for arm64 architecture.
+# Install build dependencies for the arm64 architecture
 RUN dpkg --add-architecture arm64 \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
-        libssl-dev:arm64 \
+        gcc-aarch64-linux-gnu \
         libc6-dev:arm64 \
-        libpq5:arm64 \
-        libpq-dev:arm64 \
-        libmariadb3:arm64 \
+        libcap2-bin \
         libmariadb-dev:arm64 \
         libmariadb-dev-compat:arm64 \
-        gcc-aarch64-linux-gnu \
+        libmariadb3:arm64 \
+        libpq-dev:arm64 \
+        libpq5:arm64 \
+        libssl-dev:arm64 \
     #
     # Make sure cargo has the right target config
     && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \
@@ -70,7 +67,6 @@ ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \
     OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \
     OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
 
-
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
 WORKDIR /app
@@ -102,6 +98,12 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
 
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/aarch64-unknown-linux-gnu/release/vaultwarden
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -117,11 +119,11 @@ RUN [ "cross-build-start" ]
 RUN mkdir /data \
     && apt-get update && apt-get install -y \
     --no-install-recommends \
-    openssl \
     ca-certificates \
     curl \
     libmariadb-dev-compat \
     libpq5 \
+    openssl \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 

docker/arm64/Dockerfile.buildkit.alpine

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,11 +37,12 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -77,6 +76,12 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
 
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/aarch64-unknown-linux-musl/release/vaultwarden
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -93,10 +98,10 @@ RUN [ "cross-build-start" ]
 # Create data folder and Install needed libraries
 RUN mkdir /data \
     && apk add --no-cache \
-        openssl \
-        tzdata \
+        ca-certificates \
         curl \
-        ca-certificates
+        openssl \
+        tzdata
 
 RUN [ "cross-build-end" ]
 

docker/armv6/Dockerfile

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM rust:1.66-bullseye as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
-#
-# Install required build libs for armel architecture.
+# Install build dependencies for the armel architecture
 RUN dpkg --add-architecture armel \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
-        libssl-dev:armel \
+        gcc-arm-linux-gnueabi \
         libc6-dev:armel \
-        libpq5:armel \
-        libpq-dev:armel \
-        libmariadb3:armel \
+        libcap2-bin \
         libmariadb-dev:armel \
         libmariadb-dev-compat:armel \
-        gcc-arm-linux-gnueabi \
+        libmariadb3:armel \
+        libpq-dev:armel \
+        libpq5:armel \
+        libssl-dev:armel \
     #
     # Make sure cargo has the right target config
     && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
@@ -70,7 +67,6 @@ ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
 
-
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
 WORKDIR /app
@@ -102,6 +98,7 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
 
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -117,11 +114,11 @@ RUN [ "cross-build-start" ]
 RUN mkdir /data \
     && apt-get update && apt-get install -y \
     --no-install-recommends \
-    openssl \
     ca-certificates \
     curl \
     libmariadb-dev-compat \
     libpq5 \
+    openssl \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 

docker/armv6/Dockerfile.alpine

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,11 +37,13 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin
+
 # To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location
 ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/arm-unknown-linux-musleabi/lib/libatomic.a'
 
@@ -79,6 +79,7 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
 
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -95,10 +96,10 @@ RUN [ "cross-build-start" ]
 # Create data folder and Install needed libraries
 RUN mkdir /data \
     && apk add --no-cache \
-        openssl \
-        tzdata \
+        ca-certificates \
         curl \
-        ca-certificates
+        openssl \
+        tzdata
 
 RUN [ "cross-build-end" ]
 

docker/armv6/Dockerfile.buildkit

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM rust:1.66-bullseye as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
-#
-# Install required build libs for armel architecture.
+# Install build dependencies for the armel architecture
 RUN dpkg --add-architecture armel \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
-        libssl-dev:armel \
+        gcc-arm-linux-gnueabi \
         libc6-dev:armel \
-        libpq5:armel \
-        libpq-dev:armel \
-        libmariadb3:armel \
+        libcap2-bin \
         libmariadb-dev:armel \
         libmariadb-dev-compat:armel \
-        gcc-arm-linux-gnueabi \
+        libmariadb3:armel \
+        libpq-dev:armel \
+        libpq5:armel \
+        libssl-dev:armel \
     #
     # Make sure cargo has the right target config
     && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
@@ -70,7 +67,6 @@ ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
 
-
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
 WORKDIR /app
@@ -102,6 +98,12 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
 
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/arm-unknown-linux-gnueabi/release/vaultwarden
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -117,11 +119,11 @@ RUN [ "cross-build-start" ]
 RUN mkdir /data \
     && apt-get update && apt-get install -y \
     --no-install-recommends \
-    openssl \
     ca-certificates \
     curl \
     libmariadb-dev-compat \
     libpq5 \
+    openssl \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 

docker/armv6/Dockerfile.buildkit.alpine

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,11 +37,13 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin
+
 # To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location
 ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/arm-unknown-linux-musleabi/lib/libatomic.a'
 
@@ -79,6 +79,12 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
 
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/arm-unknown-linux-musleabi/release/vaultwarden
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -95,10 +101,10 @@ RUN [ "cross-build-start" ]
 # Create data folder and Install needed libraries
 RUN mkdir /data \
     && apk add --no-cache \
-        openssl \
-        tzdata \
+        ca-certificates \
         curl \
-        ca-certificates
+        openssl \
+        tzdata
 
 RUN [ "cross-build-end" ]
 

docker/armv7/Dockerfile

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM rust:1.66-bullseye as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
-#
-# Install required build libs for armhf architecture.
+# Install build dependencies for the armhf architecture
 RUN dpkg --add-architecture armhf \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
-        libssl-dev:armhf \
+        gcc-arm-linux-gnueabihf \
         libc6-dev:armhf \
-        libpq5:armhf \
-        libpq-dev:armhf \
-        libmariadb3:armhf \
+        libcap2-bin \
         libmariadb-dev:armhf \
         libmariadb-dev-compat:armhf \
-        gcc-arm-linux-gnueabihf \
+        libmariadb3:armhf \
+        libpq-dev:armhf \
+        libpq5:armhf \
+        libssl-dev:armhf \
     #
     # Make sure cargo has the right target config
     && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \
@@ -70,7 +67,6 @@ ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \
     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \
     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
 
-
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
 WORKDIR /app
@@ -102,6 +98,7 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
 
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -117,11 +114,11 @@ RUN [ "cross-build-start" ]
 RUN mkdir /data \
     && apt-get update && apt-get install -y \
     --no-install-recommends \
-    openssl \
     ca-certificates \
     curl \
     libmariadb-dev-compat \
     libpq5 \
+    openssl \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 

docker/armv7/Dockerfile.alpine

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,11 +37,12 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -77,6 +76,7 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
 
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -93,10 +93,10 @@ RUN [ "cross-build-start" ]
 # Create data folder and Install needed libraries
 RUN mkdir /data \
     && apk add --no-cache \
-        openssl \
-        tzdata \
+        ca-certificates \
         curl \
-        ca-certificates
+        openssl \
+        tzdata
 
 RUN [ "cross-build-end" ]
 

docker/armv7/Dockerfile.buildkit

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM rust:1.66-bullseye as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
-#
-# Install required build libs for armhf architecture.
+# Install build dependencies for the armhf architecture
 RUN dpkg --add-architecture armhf \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
-        libssl-dev:armhf \
+        gcc-arm-linux-gnueabihf \
         libc6-dev:armhf \
-        libpq5:armhf \
-        libpq-dev:armhf \
-        libmariadb3:armhf \
+        libcap2-bin \
         libmariadb-dev:armhf \
         libmariadb-dev-compat:armhf \
-        gcc-arm-linux-gnueabihf \
+        libmariadb3:armhf \
+        libpq-dev:armhf \
+        libpq5:armhf \
+        libssl-dev:armhf \
     #
     # Make sure cargo has the right target config
     && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \
@@ -70,7 +67,6 @@ ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \
     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \
     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
 
-
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
 WORKDIR /app
@@ -102,6 +98,12 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
 
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/armv7-unknown-linux-gnueabihf/release/vaultwarden
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -117,11 +119,11 @@ RUN [ "cross-build-start" ]
 RUN mkdir /data \
     && apt-get update && apt-get install -y \
     --no-install-recommends \
-    openssl \
     ca-certificates \
     curl \
     libmariadb-dev-compat \
     libpq5 \
+    openssl \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 

docker/armv7/Dockerfile.buildkit.alpine

@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
 ########################## BUILD IMAGE  ##########################
 FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build
 
-
-
 # Build time options to avoid dpkg warnings and help with reproducible builds.
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8 \
@@ -39,11 +37,12 @@ ENV DEBIAN_FRONTEND=noninteractive \
     CARGO_HOME="/root/.cargo" \
     USER="root"
 
-
 # Create CARGO_HOME folder and don't download rust docs
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
     && rustup set profile minimal
 
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -77,6 +76,12 @@ RUN touch src/main.rs
 # your actual source files being built
 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
 
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/armv7-unknown-linux-musleabihf/release/vaultwarden
+
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
@@ -93,10 +98,10 @@ RUN [ "cross-build-start" ]
 # Create data folder and Install needed libraries
 RUN mkdir /data \
     && apk add --no-cache \
-        openssl \
-        tzdata \
+        ca-certificates \
         curl \
-        ca-certificates
+        openssl \
+        tzdata
 
 RUN [ "cross-build-end" ]