	Merge pull request #850 from benphelps/revert-644-feat/unprivileged-container
Revert "use unprivileged user in a container"
		
						commit
						01eea51555
					
				
							
								
								
									
										32
									
								
								Dockerfile
									
									
									
									
									
								
							
							
						
						
									
										32
									
								
								Dockerfile
									
									
									
									
									
								
							| @ -7,10 +7,12 @@ WORKDIR /app | ||||
| 
 | ||||
| COPY --link package.json pnpm-lock.yaml* ./ | ||||
| 
 | ||||
| SHELL ["/bin/ash", "-xeo", "pipefail", "-c"] | ||||
| RUN apk add --no-cache libc6-compat \ | ||||
|  && apk add --no-cache --virtual .gyp python3 make g++ \ | ||||
|  && npm install -g pnpm | ||||
| RUN <<EOF | ||||
|     set -xe | ||||
|     apk add libc6-compat | ||||
|     apk add --virtual .gyp python3 make g++ | ||||
|     npm install -g pnpm | ||||
| EOF | ||||
| 
 | ||||
| RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store pnpm fetch | grep -v "cross-device link not permitted\|Falling back to copying packages from store" | ||||
| 
 | ||||
| @ -27,10 +29,12 @@ ARG REVISION | ||||
| COPY --link --from=deps /app/node_modules ./node_modules/ | ||||
| COPY . . | ||||
| 
 | ||||
| SHELL ["/bin/ash", "-xeo", "pipefail", "-c"] | ||||
| RUN npm run telemetry \ | ||||
|  && mkdir config && echo '---' > config/settings.yaml \ | ||||
|  && NEXT_PUBLIC_BUILDTIME=$BUILDTIME NEXT_PUBLIC_VERSION=$VERSION NEXT_PUBLIC_REVISION=$REVISION npm run build | ||||
| RUN <<EOF | ||||
|     set -xe | ||||
|     npm run telemetry | ||||
|     mkdir config && echo '-' > config/settings.yaml | ||||
|     NEXT_PUBLIC_BUILDTIME=$BUILDTIME NEXT_PUBLIC_VERSION=$VERSION NEXT_PUBLIC_REVISION=$REVISION npm run build | ||||
| EOF | ||||
| 
 | ||||
| # Production image, copy all the files and run next | ||||
| FROM docker.io/node:18-alpine AS runner | ||||
| @ -46,15 +50,12 @@ ENV NODE_ENV production | ||||
| WORKDIR /app | ||||
| 
 | ||||
| # Copy files from context (this allows the files to copy before the builder stage is done). | ||||
| COPY --link --chown=1000:1000 package.json next.config.js ./ | ||||
| COPY --link --chown=1000:1000 /public ./public/ | ||||
| COPY --link package.json next.config.js ./ | ||||
| COPY --link /public ./public | ||||
| 
 | ||||
| # Copy files from builder | ||||
| COPY --link --from=builder --chown=1000:1000 /app/.next/standalone ./ | ||||
| COPY --link --from=builder --chown=1000:1000 /app/.next/static/ ./.next/static/ | ||||
| COPY --link --chmod=755 docker-entrypoint.sh /usr/local/bin/ | ||||
| 
 | ||||
| RUN apk add --no-cache su-exec | ||||
| COPY --link --from=builder /app/.next/standalone ./ | ||||
| COPY --link --from=builder /app/.next/static/ ./.next/static/ | ||||
| 
 | ||||
| ENV PORT 3000 | ||||
| EXPOSE $PORT | ||||
| @ -62,5 +63,4 @@ EXPOSE $PORT | ||||
| HEALTHCHECK --interval=10s --timeout=3s --start-period=20s \ | ||||
|   CMD wget --no-verbose --tries=1 --spider --no-check-certificate http://localhost:$PORT/api/healthcheck || exit 1 | ||||
| 
 | ||||
| ENTRYPOINT ["docker-entrypoint.sh"] | ||||
| CMD ["node", "server.js"] | ||||
|  | ||||
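Review bot: The `runner` stage ends up running the server as root: on the new side the `COPY --link` lines carry no `--chown`, the `su-exec` install is gone, and no `USER` instruction is visible in these hunks (the head of the stage lies outside them, so one may exist there). If the PUID/PGID mechanism is not coming back, a static non-root default such as `USER node` before the entrypoint, with `--chown=node:node` on the four `COPY` lines, would keep a compromise of the Next.js process from holding root inside the container; the `node` account ships with the official Node images. The mounted config directory would then have to be writable by that UID, which is presumably the compatibility concern behind the revert. At minimum, add a comment above the entrypoint lines such as `# Runs as root; restrict with --user or runAsNonRoot at deploy time`.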
| @ -2,22 +2,8 @@ | ||||
| 
 | ||||
| set -e | ||||
| 
 | ||||
| # Default to root, so old installations won't break | ||||
| export PUID=${PUID:-0} | ||||
| export PGID=${PGID:-0} | ||||
| 
 | ||||
| # This is in attempt to preserve the original behavior of the Dockerfile, | ||||
| # while also supporting the lscr.io /config directory | ||||
| [ ! -d "/app/config" ] && ln -s /config /app/config | ||||
| 
 | ||||
| # Set privileges for /app but only if pid 1 user is root and we are dropping privileges. | ||||
| # If container is run as an unprivileged user, it means owner already handled ownership setup on their own. | ||||
| # Running chown in that case (as non-root) will cause error | ||||
| [ "$(id -u)" == "0" ] && [ "${PUID}" != "0" ] && chown -R ${PUID}:${PGID} /app | ||||
| 
 | ||||
| # Drop privileges (when asked to) if root, otherwise run as current user | ||||
| if [ "$(id -u)" == "0" ] && [ "${PUID}" != "0" ]; then | ||||
|   su-exec ${PUID}:${PGID} "$@" | ||||
| else | ||||
|   exec "$@" | ||||
| fi | ||||
| node server.js | ||||
|  | ||||
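Review bot: The script's last line starts the server as a child of the shell, `node server.js`, so the shell stays PID 1 and the SIGTERM from `docker stop` may never reach Node, which is then killed after the grace period instead of shutting down cleanly; `exec node server.js` (or `exec "$@"` if the image keeps a `CMD`) avoids that. This hunk appears to belong to docker-entrypoint.sh, whose file header is not shown on the page, and the top of the script lies outside the hunk. With the PUID/PGID block removed, the `ln -s /config /app/config` step and the server both run as whatever user the container starts with, which is root unless the operator overrides it. A one-line comment such as `# Runs as the container's start user (root unless --user is given)` would make that explicit.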
	 shamoon
						shamoon