Read container logs:
docker logs -f gemnasium
Enter running container:
docker exec -it gemnasium /bin/bash
Gemnasium Enterprise uses setcap to allow its process to listen on ports 80 and 443 (unless SSL is disabled by setting REDIRECT_HTTP_TO_HTTPS to false).
Some kernels don't support capability operations inside containers, especially when AUFS is being used.
To avoid an error while running Gemnasium Enterprise, the api server will fall back to using a setuid bit on the server, meaning that in this case the service runs as root inside the container.
While this is not a security issue for your host, it means the api has full control inside the container, including reading passwords and tokens.
If you are unsure whether your system is affected by this issue, check the logs of the api service in
If setcap is failing, the message "Warning: setcap not available, falling back to setuid" will be displayed at the top of the log file.
If you want to avoid this issue, you can bind your own ports, higher than 1024, using the env vars GEMNASIUM_API_SSL_PORT_8443_TCP_PORT. If they are both above 1024, neither the setcap nor the setuid method will be used, and the webserver will run as a limited-rights user.
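To confirm which of the three cases above applies to a running process, independently of the log message, the following added example (not part of Gemnasium's own tooling) classifies a process from the text of its /proc/<pid>/status file. The function name bind_mode and the sample status lines are constructed for illustration; the PID of the api process is not given on this page and must be looked up inside the container.

```sh
#!/bin/sh
# Added example: classify how a process is allowed to bind ports below 1024,
# based on the contents of /proc/<pid>/status supplied on stdin.
# Prints: root | setcap | unprivileged | unknown

bind_mode() {
    status=$(cat)
    # "Uid:" lists real, effective, saved and filesystem UIDs; field 3 is effective.
    euid=$(printf '%s\n' "$status" | awk '$1 == "Uid:" { print $3 }')
    # "CapEff:" is the effective capability set as a hexadecimal bitmask.
    capeff=$(printf '%s\n' "$status" | awk '$1 == "CapEff:" { print $2 }')
    [ -n "$euid" ] && [ -n "$capeff" ] || { echo unknown; return 2; }

    if [ "$euid" -eq 0 ]; then
        # Effective UID 0: the setuid fallback (or a plain root start) is in use.
        echo root
    elif [ $(( 0x$capeff & 0x400 )) -ne 0 ]; then
        # CAP_NET_BIND_SERVICE is capability number 10, i.e. bit 0x400.
        echo setcap
    else
        # No root, no bind capability: only ports above 1024 can be bound.
        echo unprivileged
    fi
}

# Constructed samples (not captured from a real Gemnasium container).
sample_root='Uid: 0 0 0 0
CapEff: 00000000a80425fb'
sample_setcap='Uid: 1000 1000 1000 1000
CapEff: 0000000000000400'
sample_plain='Uid: 1000 1000 1000 1000
CapEff: 0000000000000000'

for sample in "$sample_root" "$sample_setcap" "$sample_plain"; do
    printf '%s\n' "$sample" | bind_mode
done
```

Inside the container, run it as bind_mode < /proc/<pid>/status with the PID of the api process. The result reflects the process's current state, so a process that drops privileges after binding reports its reduced state.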