From 9eaa4ab846b5eda676a92c1d9862db93ff81f1ba Mon Sep 17 00:00:00 2001 From: Michal Ciania Date: Fri, 17 Sep 2021 22:57:27 +0200 Subject: [PATCH] Docker entrypoint for running the application as non-root user --- dockerfile | 26 ++++++++++++++------------ dockerfile-alpine | 22 +++++++++++++--------- extra/entrypoint.sh | 13 +++++++++++++ 3 files changed, 40 insertions(+), 21 deletions(-) create mode 100644 extra/entrypoint.sh diff --git a/dockerfile b/dockerfile index a10006369..891b03d5b 100644 --- a/dockerfile +++ b/dockerfile 
@@ -5,25 +5,26 @@ WORKDIR /app # split the sqlite install here, so that it can caches the arm prebuilt # do not modify it, since we don't want to re-compile the arm prebuilt again RUN apt update && \ - apt --yes install python3 python3-pip python3-dev git g++ make && \ - ln -s /usr/bin/python3 /usr/bin/python && \ - npm install mapbox/node-sqlite3#593c9d --build-from-source + apt --yes install python3 python3-pip python3-dev git g++ make && \ + ln -s /usr/bin/python3 /usr/bin/python && \ + npm install mapbox/node-sqlite3#593c9d --build-from-source COPY . . -RUN npm install --legacy-peer-deps && npm run build && npm prune --production +RUN npm install --legacy-peer-deps && \ + npm run build && \ + npm prune --production && \ + chmod +x /app/extra/entrypoint.sh + FROM node:14-bullseye-slim AS release WORKDIR /app -# Install Apprise, -# add sqlite3 cli for debugging in the future -# iputils-ping for ping +# Install Apprise, add sqlite3 cli for debugging in the future, iputils-ping for ping, util-linux for setpriv RUN apt update && \ - apt --yes install python3 python3-pip python3-cryptography python3-six python3-yaml python3-click python3-markdown python3-requests python3-requests-oauthlib \ - sqlite3 \ - iputils-ping && \ - pip3 --no-cache-dir install apprise && \ - rm -rf /var/lib/apt/lists/* + apt --yes install python3 python3-pip python3-cryptography python3-six python3-yaml python3-click python3-markdown python3-requests python3-requests-oauthlib \ + sqlite3 iputils-ping util-linux && \ + pip3 --no-cache-dir install apprise && \ + rm -rf /var/lib/apt/lists/* # Copy app files from build layer COPY --from=build /app /app @@ -31,6 +32,7 @@ COPY --from=build /app /app EXPOSE 3001 VOLUME ["/app/data"] HEALTHCHECK --interval=60s --timeout=30s --start-period=180s --retries=5 CMD node extra/healthcheck.js +ENTRYPOINT ["extra/entrypoint.sh"] CMD ["node", "server/server.js"] FROM release AS nightly 
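Review bot: `ENTRYPOINT ["extra/entrypoint.sh"]` is a path relative to the working directory, so it only resolves while WORKDIR /app is the cwd at container start; a `docker run -w` or an orchestrator-set workingDir turns it into "no such file". The build stage already chmods the absolute path, so prefer `ENTRYPOINT ["/app/extra/entrypoint.sh"]`. The release stage still has no USER, which is deliberate here (the script must be root to chown /app/data before dropping to PUID:PGID via setpriv), but that means a runtime `--user` or a `runAsNonRoot` policy will make the chown and setpriv steps fail and the container will not start; that constraint deserves a comment next to the ENTRYPOINT, e.g. `# Starts as root on purpose: entrypoint.sh chowns /app/data, then drops to PUID:PGID with setpriv. Do not override --user.`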
diff --git a/dockerfile-alpine b/dockerfile-alpine index a9e85c37d..5e34d84a8 100644 --- a/dockerfile-alpine +++ b/dockerfile-alpine @@ -4,22 +4,25 @@ WORKDIR /app # split the sqlite install here, so that it can caches the arm prebuilt RUN apk add --no-cache --virtual .build-deps make g++ python3 python3-dev git && \ - ln -s /usr/bin/python3 /usr/bin/python && \ - npm install mapbox/node-sqlite3#593c9d && \ - apk del .build-deps && \ - rm -f /usr/bin/python + ln -s /usr/bin/python3 /usr/bin/python && \ + npm install mapbox/node-sqlite3#593c9d && \ + apk del .build-deps && \ + rm -f /usr/bin/python COPY . . -RUN npm install --legacy-peer-deps && npm run build && npm prune --production +RUN npm install --legacy-peer-deps && \ + npm run build && \ + npm prune --production && \ + chmod +x /app/extra/entrypoint.sh FROM node:14-alpine3.12 AS release WORKDIR /app -# Install apprise -RUN apk add --no-cache python3 py3-cryptography py3-pip py3-six py3-yaml py3-click py3-markdown py3-requests py3-requests-oauthlib && \ - pip3 --no-cache-dir install apprise && \ - rm -rf /root/.cache +# Install apprise, iputils for non-root ping, setpriv +RUN apk add --no-cache iputils setpriv python3 py3-cryptography py3-pip py3-six py3-yaml py3-click py3-markdown py3-requests py3-requests-oauthlib && \ + pip3 --no-cache-dir install apprise && \ + rm -rf /root/.cache # Copy app files from build layer COPY --from=build /app /app @@ -27,6 +30,7 @@ COPY --from=build /app /app EXPOSE 3001 VOLUME ["/app/data"] HEALTHCHECK --interval=60s --timeout=30s --start-period=180s --retries=5 CMD node extra/healthcheck.js +ENTRYPOINT ["extra/entrypoint.sh"] CMD ["node", "server/server.js"] FROM release AS nightly diff --git a/extra/entrypoint.sh b/extra/entrypoint.sh new file mode 100644 index 000000000..159b0c810 --- /dev/null +++ b/extra/entrypoint.sh 
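Review bot: The comment `# Install apprise, iputils for non-root ping, setpriv` asserts non-root ping, but nothing in the hunk shows how the iputils ping binary obtains CAP_NET_RAW once setpriv has dropped the app to PUID; presumably the package ships it setuid or with a file capability, which only works as long as the container is not started with `--security-opt no-new-privileges` (and as long as the entrypoint never adds `setpriv --no-new-privs`). That dependency should be spelled out so it is not removed as a hardening "improvement" later, e.g. `# iputils: non-root ping relies on the package's setuid/file-cap bit on ping, so this image must not run with no_new_privs`. As in the Debian dockerfile, `ENTRYPOINT ["extra/entrypoint.sh"]` should be the absolute `/app/extra/entrypoint.sh` rather than a path that depends on WORKDIR being the cwd.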
@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+set -e
+
+files_ownership () {
+ chown -hRc "${PUID=1000}":"${PGID=1000}" /app/data
+}
+
+echo "==> Performing startup jobs and maintenance tasks"
+files_ownership
+
+echo "==> Starting application with user ${PUID=1000} group ${PGID=1000}"
+exec setpriv --reuid "${PUID=1000}" --regid "${PGID=1000}" --clear-groups "$@"
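Review bot: PUID/PGID are taken from the environment unvalidated, so `PUID=0` makes setpriv hand the application straight back to root — the very thing this commit sets out to avoid — and because `${PUID=1000}` only substitutes when the variable is unset, an empty `PUID=` survives the default and the final `setpriv --reuid ""` fails. Defaulting once with `:=` and rejecting non-numeric or zero ids up front gives a clear error instead of either outcome, and `--` should separate setpriv's options from `"$@"` so a CMD whose first word starts with `-` cannot be parsed as a setpriv option. Note also that `chown -hRc` runs as root over whatever is mounted at /app/data on every start, which is slow on large volumes and, under `set -e`, aborts startup on a read-only or root-squashed mount; presumably acceptable for the data directory, but worth a one-line comment.
```shell
# Default once (":=" also replaces an empty value) and refuse root or garbage ids.
: "${PUID:=1000}" "${PGID:=1000}"
case "$PUID:$PGID" in
    *[!0-9:]* | 0:* | *:0)
        echo "==> PUID/PGID must be non-zero integers, got '$PUID:$PGID'" >&2
        exit 1 ;;
esac

files_ownership () {
    # Runs as root on every start; recursive over the whole mounted data dir.
    chown -hRc "$PUID":"$PGID" /app/data
}
# … unchanged: startup echo, files_ownership call …
exec setpriv --reuid "$PUID" --regid "$PGID" --clear-groups -- "$@"
```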