From 46eef1fcb7f5ffacc708e0ebcefdd4cf5692a6f3 Mon Sep 17 00:00:00 2001 From: Elias Schneider Date: Thu, 21 Nov 2024 18:44:43 +0100 Subject: [PATCH] chore: make Docker image run without root user (#67) --- Dockerfile | 9 ++++-- README.md | 1 + scripts/docker/create-user.sh | 28 +++++++++++++++++++ .../entrypoint.sh} | 0 4 files changed, 35 insertions(+), 3 deletions(-) create mode 100644 scripts/docker/create-user.sh rename scripts/{docker-entrypoint.sh => docker/entrypoint.sh} (100%) diff --git a/Dockerfile b/Dockerfile index d43f89b..1c162ff 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,7 +21,10 @@ RUN CGO_ENABLED=1 GOOS=linux go build -o /app/backend/pocket-id-backend . # Stage 3: Production Image FROM node:20-alpine -RUN apk add --no-cache caddy +# Delete default node user +RUN deluser --remove-home node + +RUN apk add --no-cache caddy su-exec COPY ./reverse-proxy /etc/caddy/ WORKDIR /app @@ -41,5 +44,5 @@ RUN chmod +x ./scripts/*.sh EXPOSE 80 ENV APP_ENV=production -# Use a shell form to run both the frontend and backend -CMD ["sh", "./scripts/docker-entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["sh", "./scripts/docker/create-user.sh"] +CMD ["sh", "./scripts/docker/entrypoint.sh"] \ No newline at end of file diff --git a/README.md b/README.md index 848f184..1458b50 100644 --- a/README.md +++ b/README.md @@ -150,6 +150,7 @@ docker compose up -d | ---------------------- | ----------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `PUBLIC_APP_URL` | `http://localhost` | yes | The URL where you will access the app. | | `TRUST_PROXY` | `false` | yes | Whether the app is behind a reverse proxy. | +| `PUID` and `PGID` | `1000` | yes | The user and group ID of the user who should run Pocket ID inside the Docker container and owns the files that are mounted with the volume. You can get the `PUID` and `GUID` of your user on your host machine by using the command `id`. For more information see [this article](https://docs.linuxserver.io/general/understanding-puid-and-pgid/#using-the-variables). | | `DB_PATH` | `data/pocket-id.db` | no | The path to the SQLite database. | | `UPLOAD_PATH` | `data/uploads` | no | The path where the uploaded files are stored. | | `INTERNAL_BACKEND_URL` | `http://localhost:8080` | no | The URL where the backend is accessible. | diff --git a/scripts/docker/create-user.sh b/scripts/docker/create-user.sh new file mode 100644 index 0000000..60c391d --- /dev/null +++ b/scripts/docker/create-user.sh @@ -0,0 +1,28 @@ + +echo "Creating user and group..." + +PUID=${PUID:-1000} +PGID=${PGID:-1000} + +# Check if the group with PGID exists; if not, create it +if ! getent group pocket-id-group > /dev/null 2>&1; then + addgroup -g "$PGID" pocket-id-group +fi + +# Check if a user with PUID exists; if not, create it +if ! id -u pocket-id > /dev/null 2>&1; then + if ! getent passwd "$PUID" > /dev/null 2>&1; then + adduser -u "$PUID" -G pocket-id-group pocket-id + else + # If a user with the PUID already exists, use that user + existing_user=$(getent passwd "$PUID" | cut -d: -f1) + echo "Using existing user: $existing_user" + fi +fi + +# Change ownership of the /app directory +mkdir -p /app/backend/data +find /app/backend/data \( ! -group "${PGID}" -o ! -user "${PUID}" \) -exec chown "${PUID}:${PGID}" {} + + +# Switch to the non-root user +exec su-exec "$PUID:$PGID" "$@" \ No newline at end of file diff --git a/scripts/docker-entrypoint.sh b/scripts/docker/entrypoint.sh similarity index 100% rename from scripts/docker-entrypoint.sh rename to scripts/docker/entrypoint.sh