Merge pull request #436 from nbvcxz/running_non-root_user
Docker entrypoint to run the application as non-root user
commit
3fc2ba3d76
26
dockerfile
26
dockerfile
|
@ -5,25 +5,26 @@ WORKDIR /app
|
||||||
# split the sqlite install here, so that it can caches the arm prebuilt
|
# split the sqlite install here, so that it can caches the arm prebuilt
|
||||||
# do not modify it, since we don't want to re-compile the arm prebuilt again
|
# do not modify it, since we don't want to re-compile the arm prebuilt again
|
||||||
RUN apt update && \
|
RUN apt update && \
|
||||||
apt --yes install python3 python3-pip python3-dev git g++ make && \
|
apt --yes install python3 python3-pip python3-dev git g++ make && \
|
||||||
ln -s /usr/bin/python3 /usr/bin/python && \
|
ln -s /usr/bin/python3 /usr/bin/python && \
|
||||||
npm install mapbox/node-sqlite3#593c9d --build-from-source
|
npm install mapbox/node-sqlite3#593c9d --build-from-source
|
||||||
|
|
||||||
COPY . .
|
COPY . .
|
||||||
RUN npm install --legacy-peer-deps && npm run build && npm prune --production
|
RUN npm install --legacy-peer-deps && \
|
||||||
|
npm run build && \
|
||||||
|
npm prune --production && \
|
||||||
|
chmod +x /app/extra/entrypoint.sh
|
||||||
|
|
||||||
|
|
||||||
FROM node:14-bullseye-slim AS release
|
FROM node:14-bullseye-slim AS release
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
# Install Apprise,
|
# Install Apprise, add sqlite3 cli for debugging in the future, iputils-ping for ping, util-linux for setpriv
|
||||||
# add sqlite3 cli for debugging in the future
|
|
||||||
# iputils-ping for ping
|
|
||||||
RUN apt update && \
|
RUN apt update && \
|
||||||
apt --yes install python3 python3-pip python3-cryptography python3-six python3-yaml python3-click python3-markdown python3-requests python3-requests-oauthlib \
|
apt --yes install python3 python3-pip python3-cryptography python3-six python3-yaml python3-click python3-markdown python3-requests python3-requests-oauthlib \
|
||||||
sqlite3 \
|
sqlite3 iputils-ping util-linux && \
|
||||||
iputils-ping && \
|
pip3 --no-cache-dir install apprise && \
|
||||||
pip3 --no-cache-dir install apprise && \
|
rm -rf /var/lib/apt/lists/*
|
||||||
rm -rf /var/lib/apt/lists/*
|
|
||||||
|
|
||||||
# Copy app files from build layer
|
# Copy app files from build layer
|
||||||
COPY --from=build /app /app
|
COPY --from=build /app /app
|
||||||
|
@ -31,6 +32,7 @@ COPY --from=build /app /app
|
||||||
EXPOSE 3001
|
EXPOSE 3001
|
||||||
VOLUME ["/app/data"]
|
VOLUME ["/app/data"]
|
||||||
HEALTHCHECK --interval=60s --timeout=30s --start-period=180s --retries=5 CMD node extra/healthcheck.js
|
HEALTHCHECK --interval=60s --timeout=30s --start-period=180s --retries=5 CMD node extra/healthcheck.js
|
||||||
|
ENTRYPOINT ["extra/entrypoint.sh"]
|
||||||
CMD ["node", "server/server.js"]
|
CMD ["node", "server/server.js"]
|
||||||
|
|
||||||
FROM release AS nightly
|
FROM release AS nightly
|
||||||
|
|
|
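Review bot: The `HEALTHCHECK ... CMD node extra/healthcheck.js` is executed by the engine directly, not through the new `ENTRYPOINT`, so it still runs as root because the stage has no `USER` directive; the same applies to `docker exec` sessions. That is probably acceptable here, since the entrypoint itself must start as root to `chown` and `setpriv`, but it deserves a comment so nobody reads this image as fully non-root: `# NOTE: HEALTHCHECK and docker exec do not go through entrypoint.sh and still run as root`. On Debian bullseye `util-linux` is an Essential package and should already be present in `node:14-bullseye-slim`, so the added `util-linux` install is likely a no-op; if it was added only for `setpriv`, the comment could say so (confirm by checking `which setpriv` in the base image). A relative `ENTRYPOINT ["extra/entrypoint.sh"]` only resolves because `WORKDIR` is `/app`; `ENTRYPOINT ["/app/extra/entrypoint.sh"]` survives a `docker run -w` override.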
@ -4,22 +4,25 @@ WORKDIR /app
|
||||||
|
|
||||||
# split the sqlite install here, so that it can caches the arm prebuilt
|
# split the sqlite install here, so that it can caches the arm prebuilt
|
||||||
RUN apk add --no-cache --virtual .build-deps make g++ python3 python3-dev git && \
|
RUN apk add --no-cache --virtual .build-deps make g++ python3 python3-dev git && \
|
||||||
ln -s /usr/bin/python3 /usr/bin/python && \
|
ln -s /usr/bin/python3 /usr/bin/python && \
|
||||||
npm install mapbox/node-sqlite3#593c9d && \
|
npm install mapbox/node-sqlite3#593c9d && \
|
||||||
apk del .build-deps && \
|
apk del .build-deps && \
|
||||||
rm -f /usr/bin/python
|
rm -f /usr/bin/python
|
||||||
|
|
||||||
COPY . .
|
COPY . .
|
||||||
RUN npm install --legacy-peer-deps && npm run build && npm prune --production
|
RUN npm install --legacy-peer-deps && \
|
||||||
|
npm run build && \
|
||||||
|
npm prune --production && \
|
||||||
|
chmod +x /app/extra/entrypoint.sh
|
||||||
|
|
||||||
|
|
||||||
FROM node:14-alpine3.12 AS release
|
FROM node:14-alpine3.12 AS release
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
# Install apprise
|
# Install apprise, iputils for non-root ping, setpriv
|
||||||
RUN apk add --no-cache python3 py3-cryptography py3-pip py3-six py3-yaml py3-click py3-markdown py3-requests py3-requests-oauthlib && \
|
RUN apk add --no-cache iputils setpriv python3 py3-cryptography py3-pip py3-six py3-yaml py3-click py3-markdown py3-requests py3-requests-oauthlib && \
|
||||||
pip3 --no-cache-dir install apprise && \
|
pip3 --no-cache-dir install apprise && \
|
||||||
rm -rf /root/.cache
|
rm -rf /root/.cache
|
||||||
|
|
||||||
# Copy app files from build layer
|
# Copy app files from build layer
|
||||||
COPY --from=build /app /app
|
COPY --from=build /app /app
|
||||||
|
@ -27,6 +30,7 @@ COPY --from=build /app /app
|
||||||
EXPOSE 3001
|
EXPOSE 3001
|
||||||
VOLUME ["/app/data"]
|
VOLUME ["/app/data"]
|
||||||
HEALTHCHECK --interval=60s --timeout=30s --start-period=180s --retries=5 CMD node extra/healthcheck.js
|
HEALTHCHECK --interval=60s --timeout=30s --start-period=180s --retries=5 CMD node extra/healthcheck.js
|
||||||
|
ENTRYPOINT ["extra/entrypoint.sh"]
|
||||||
CMD ["node", "server/server.js"]
|
CMD ["node", "server/server.js"]
|
||||||
|
|
||||||
FROM release AS nightly
|
FROM release AS nightly
|
||||||
|
|
|
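Review bot: The new `ENTRYPOINT ["extra/entrypoint.sh"]` is a relative path that is resolved against the container's working directory, so it silently depends on `WORKDIR /app` and breaks if an operator starts the image with `-w`; prefer the absolute `ENTRYPOINT ["/app/extra/entrypoint.sh"]`. Note also that, with no `USER` directive, the `HEALTHCHECK` command and any `docker exec` still run as root, since only the main process is dropped by the entrypoint — worth a one-line comment next to `HEALTHCHECK` so the non-root guarantee is not overstated. The comment `# Install apprise, iputils for non-root ping, setpriv` relies on the iputils `ping` binary carrying a file capability or setuid bit after `apk add`; if that is what the team verified, saying so in the comment would help the next person who swaps the package.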
@ -0,0 +1,21 @@
|
||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
# set -e Exit the script if an error happens
|
||||||
|
set -e
|
||||||
|
PUID=${PUID=1000}
|
||||||
|
PGID=${PGID=1000}
|
||||||
|
|
||||||
|
files_ownership () {
|
||||||
|
# -h Changes the ownership of an encountered symbolic link and not that of the file or directory pointed to by the symbolic link.
|
||||||
|
# -R Recursively descends the specified directories
|
||||||
|
# -c Like verbose but report only when a change is made
|
||||||
|
chown -hRc "$PUID":"$PGID" /app/data
|
||||||
|
}
|
||||||
|
|
||||||
|
echo "==> Performing startup jobs and maintenance tasks"
|
||||||
|
files_ownership
|
||||||
|
|
||||||
|
echo "==> Starting application with user $PUID group $PGID"
|
||||||
|
|
||||||
|
# --clear-groups Clear supplementary groups.
|
||||||
|
exec setpriv --reuid "$PUID" --regid "$PGID" --clear-groups "$@"
|
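Review bot: `files_ownership` and the final `setpriv` both require root, but nothing checks for it, so starting this image with `docker run --user 1000` or a Kubernetes `runAsNonRoot`/`runAsUser` security context makes `chown` fail with EPERM and, under `set -e`, the container never starts; a guard before `files_ownership` such as `[ "$(id -u)" -eq 0 ] || exec "$@"` keeps the script usable in both modes. `PUID=${PUID=1000}` only substitutes when the variable is unset, so `PUID=` (empty) reaches `setpriv --reuid ""` and fails; `${PUID:-1000}` handles both cases. The recursive `chown -hRc` runs on every start and will rewrite ownership of everything the operator placed in the `/app/data` volume, which can be slow on large data directories — consider limiting it to when the directory is not already owned by `$PUID:$PGID`. Since `setpriv` is called from uid 0, the kernel clears effective and permitted capabilities on the uid change, so this is a real privilege drop; adding `--inh-caps=-all` would make that intent explicit and protect against a future root-owned inheritable set.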