Merge pull request #644 from ajgon/feat/unprivileged-container

use unprivileged user in a container

Dockerfile

@@ -7,12 +7,10 @@ WORKDIR /app
 
 COPY --link package.json pnpm-lock.yaml* ./
 
-RUN <<EOF
+SHELL ["/bin/ash", "-xeo", "pipefail", "-c"]
-    set -xe
+RUN apk add --no-cache libc6-compat \
-    apk add libc6-compat
+ && apk add --no-cache --virtual .gyp python3 make g++ \
-    apk add --virtual .gyp python3 make g++
+ && npm install -g pnpm
-    npm install -g pnpm
-EOF
 
 RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store pnpm fetch | grep -v "cross-device link not permitted\|Falling back to copying packages from store"
 
@@ -29,12 +27,10 @@ ARG REVISION
 COPY --link --from=deps /app/node_modules ./node_modules/
 COPY . .
 
-RUN <<EOF
+SHELL ["/bin/ash", "-xeo", "pipefail", "-c"]
-    set -xe
+RUN npm run telemetry \
-    npm run telemetry
+ && mkdir config && echo '---' > config/settings.yaml \
-    mkdir config && echo '-' > config/settings.yaml
+ && NEXT_PUBLIC_BUILDTIME=$BUILDTIME NEXT_PUBLIC_VERSION=$VERSION NEXT_PUBLIC_REVISION=$REVISION npm run build
-    NEXT_PUBLIC_BUILDTIME=$BUILDTIME NEXT_PUBLIC_VERSION=$VERSION NEXT_PUBLIC_REVISION=$REVISION npm run build
-EOF
 
 # Production image, copy all the files and run next
 FROM docker.io/node:18-alpine AS runner
@@ -50,12 +46,15 @@ ENV NODE_ENV production
 WORKDIR /app
 
 # Copy files from context (this allows the files to copy before the builder stage is done).
-COPY --link package.json next.config.js ./
+COPY --link --chown=1000:1000 package.json next.config.js ./
-COPY --link /public ./public
+COPY --link --chown=1000:1000 /public ./public/
 
 # Copy files from builder
-COPY --link --from=builder /app/.next/standalone ./
+COPY --link --from=builder --chown=1000:1000 /app/.next/standalone ./
-COPY --link --from=builder /app/.next/static/ ./.next/static/
+COPY --link --from=builder --chown=1000:1000 /app/.next/static/ ./.next/static/
+COPY --link --chmod=755 docker-entrypoint.sh /usr/local/bin/
+
+RUN apk add --no-cache su-exec
 
 ENV PORT 3000
 EXPOSE $PORT
@@ -63,4 +62,5 @@ EXPOSE $PORT
 HEALTHCHECK --interval=10s --timeout=3s --start-period=20s \
   CMD wget --no-verbose --tries=1 --spider --no-check-certificate http://localhost:$PORT/api/healthcheck || exit 1
 
+ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["node", "server.js"]

docker-entrypoint.sh

@@ -2,8 +2,22 @@
 
 set -e
 
+# Default to root, so old installations won't break
+export PUID=${PUID:-0}
+export PGID=${PGID:-0}
+
 # This is in attempt to preserve the original behavior of the Dockerfile,
 # while also supporting the lscr.io /config directory
 [ ! -d "/app/config" ] && ln -s /config /app/config
 
-node server.js
+# Set privileges for /app but only if pid 1 user is root and we are dropping privileges.
+# If container is run as an unprivileged user, it means owner already handled ownership setup on their own.
+# Running chown in that case (as non-root) will cause error
+[ "$(id -u)" == "0" ] && [ "${PUID}" != "0" ] && chown -R ${PUID}:${PGID} /app
+
+# Drop privileges (when asked to) if root, otherwise run as current user
+if [ "$(id -u)" == "0" ] && [ "${PUID}" != "0" ]; then
+  su-exec ${PUID}:${PGID} "$@"
+else
+  exec "$@"
+fi