From 25ce96f84f11f10822cbaff6ec38d3a16ea1ba9a Mon Sep 17 00:00:00 2001
From: Harrison Kiang
Date: Sun, 14 Jan 2024 15:39:43 -0600
Subject: [PATCH 1/9] non-root users for Dockerfiles

---
 Dockerfile | 17 +++++++++++++----
 docker/stable-alpine.Dockerfile | 16 ++++++++++++----
 docker/stable-ubuntu.Dockerfile | 17 +++++++++++++----
 3 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1f9cee474..77816cacf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,11 +7,20 @@ RUN yarn workspaces focus --all --production
 
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+ARG USERNAME=appuser
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN groupadd --gid $USER_GID $USERNAME \
+ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
-COPY --from=base /app/node_modules /app/node_modules
-ADD package.json app.js ./
-ADD src ./src
-ADD migrations ./migrations
+COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
+ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
+ADD --chown=${USER_UID}:${USER_GID} src ./src
+ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+USER ${USERNAME}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
diff --git a/docker/stable-alpine.Dockerfile b/docker/stable-alpine.Dockerfile
index 39212df6c..2ac7d58b1 100644
--- a/docker/stable-alpine.Dockerfile
+++ b/docker/stable-alpine.Dockerfile
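Review bot: In the `Dockerfile` hunk the three rewritten lines keep `ADD` for plain local paths (`ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./`, then the `src` and `migrations` lines). `COPY` accepts the same `--chown` flag and does nothing else, whereas `ADD` also unpacks local tar archives and can fetch URLs, so `COPY --chown=${USER_UID}:${USER_GID} src ./src` states the intent more precisely. The same lines appear in the stable-alpine and stable-ubuntu hunks of this patch and in both edge hunks of patch 3/9. A one-line comment above `ARG USER_UID=1001` saying that the value can be overridden with `--build-arg` and must not collide with an account the base image already defines would also help; the official node images, as far as I know, ship a `node` user at UID 1000.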
@@ -8,11 +8,19 @@ RUN if [ "$(uname -m)" = "armv7l" ]; then npm install bcrypt better-sqlite3 --bu
 
 FROM alpine:3.17 as prod
 RUN apk add --no-cache nodejs tini
+
+ARG USERNAME=appuser
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNAME} -u ${USER_UID}
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
-COPY --from=base /app/node_modules /app/node_modules
-ADD package.json app.js ./
-ADD src ./src
-ADD migrations ./migrations
+COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
+ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
+ADD --chown=${USER_UID}:${USER_GID} src ./src
+ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+USER ${USERNAME}
 ENTRYPOINT ["/sbin/tini","-g", "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
diff --git a/docker/stable-ubuntu.Dockerfile b/docker/stable-ubuntu.Dockerfile
index 1f9cee474..77816cacf 100644
--- a/docker/stable-ubuntu.Dockerfile
+++ b/docker/stable-ubuntu.Dockerfile
@@ -7,11 +7,20 @@ RUN yarn workspaces focus --all --production
 
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+ARG USERNAME=appuser
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN groupadd --gid $USER_GID $USERNAME \
+ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
-COPY --from=base /app/node_modules /app/node_modules
-ADD package.json app.js ./
-ADD src ./src
-ADD migrations ./migrations
+COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
+ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
+ADD --chown=${USER_UID}:${USER_GID} src ./src
+ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+USER ${USERNAME}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
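Review bot: In `docker/stable-alpine.Dockerfile`, `RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data` is a separate layer that recurses into a directory it has just created empty, and it names the owner by `USERNAME` while every `--chown` below it uses the numeric pair. Folding it into the account-creation step keeps this to one layer and one spelling: `RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNAME} -u ${USER_UID} && mkdir /data && chown ${USER_UID}:${USER_GID} /data`. The Debian-based hunks (`Dockerfile`, `stable-ubuntu`, and the edge files in patch 3/9) have the same pair of `RUN` lines. This ownership exists only in the image, and a host directory bind-mounted over `/data` keeps its own owner, which is worth a comment next to the `mkdir`.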
From f96eef0f9d401ffcc0e7195d394b80cb7a082d1b Mon Sep 17 00:00:00 2001
From: Harrison Kiang
Date: Mon, 15 Jan 2024 13:04:14 -0600
Subject: [PATCH 2/9] release notes

---
 upcoming-release-notes/300.md | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 upcoming-release-notes/300.md

diff --git a/upcoming-release-notes/300.md b/upcoming-release-notes/300.md
new file mode 100644
index 000000000..3ffa2f8a3
--- /dev/null
+++ b/upcoming-release-notes/300.md
@@ -0,0 +1,6 @@
+---
+category: Maintenance
+authors: [hkiang01]
+---
+
+Non-root users for stable Dockerfiles
\ No newline at end of file
From de326b5a666d14a1fc2bdec82e27abb9c11c59bd Mon Sep 17 00:00:00 2001
From: Harrison Kiang
Date: Mon, 15 Jan 2024 13:15:27 -0600
Subject: [PATCH 3/9] non-root users for edge images

---
 docker/edge-alpine.Dockerfile | 18 +++++++++++++-----
 docker/edge-ubuntu.Dockerfile | 19 ++++++++++++++-----
 2 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/docker/edge-alpine.Dockerfile b/docker/edge-alpine.Dockerfile
index 96c5bd18b..48c93605a 100644
--- a/docker/edge-alpine.Dockerfile
+++ b/docker/edge-alpine.Dockerfile
@@ -16,12 +16,20 @@ RUN unzip /tmp/desktop-client.zip -d /public
 
 FROM alpine:3.17 as prod
 RUN apk add --no-cache nodejs tini
+
+ARG USERNAME=appuser
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNAME} -u ${USER_UID}
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
-COPY --from=base /app/node_modules /app/node_modules
-COPY --from=base /public /public
-ADD package.json app.js ./
-ADD src ./src
-ADD migrations ./migrations
+COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
+COPY --from=base --chown=${USER_UID}:${USER_GID} /public /public
+ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
+ADD --chown=${USER_UID}:${USER_GID} src ./src
+ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+USER ${USERNAME}
 ENTRYPOINT ["/sbin/tini","-g", "--"]
 ENV ACTUAL_WEB_ROOT=/public
 EXPOSE 5006
diff --git a/docker/edge-ubuntu.Dockerfile b/docker/edge-ubuntu.Dockerfile
index 679843de8..6b43d3c7f 100644
--- a/docker/edge-ubuntu.Dockerfile
+++ b/docker/edge-ubuntu.Dockerfile
@@ -15,12 +15,21 @@ RUN unzip /tmp/desktop-client.zip -d /public
 
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+ARG USERNAME=appuser
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN groupadd --gid $USER_GID $USERNAME \
+ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
-COPY --from=base /app/node_modules /app/node_modules
-COPY --from=base /public /public
-ADD package.json app.js ./
-ADD src ./src
-ADD migrations ./migrations
+COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
+COPY --from=base --chown=${USER_UID}:${USER_GID} /public /public
+ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
+ADD --chown=${USER_UID}:${USER_GID} src ./src
+ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+USER ${USERNAME}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 ENV ACTUAL_WEB_ROOT=/public
 EXPOSE 5006
From 65875c13730717a3db16b67f91d6055f2505b52a Mon Sep 17 00:00:00 2001
From: Harrison Kiang
Date: Mon, 15 Jan 2024 13:16:13 -0600
Subject: [PATCH 4/9] all Dockerfiles updated

---
 upcoming-release-notes/300.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/upcoming-release-notes/300.md b/upcoming-release-notes/300.md
index 3ffa2f8a3..b86889f74 100644
--- a/upcoming-release-notes/300.md
+++ b/upcoming-release-notes/300.md
@@ -3,4 +3,4 @@ category: Maintenance
 authors: [hkiang01]
 ---
 
-Non-root users for stable Dockerfiles
\ No newline at end of file
+Non-root users for Dockerfiles
\ No newline at end of file
From 8dddd84dbbf379b4da2c83fe68d6eae2ed3a9dde Mon Sep 17 00:00:00 2001
From: Harrison Kiang
Date: Mon, 15 Jan 2024 16:53:21 -0600
Subject: [PATCH 5/9] kubernetes expects numeric users

---
 Dockerfile | 2 +-
 docker/edge-alpine.Dockerfile | 2 +-
 docker/edge-ubuntu.Dockerfile | 2 +-
 docker/stable-alpine.Dockerfile | 2 +-
 docker/stable-ubuntu.Dockerfile | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 77816cacf..1416e0d73 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,7 @@ COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_mod
 ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
 ADD --chown=${USER_UID}:${USER_GID} src ./src
 ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
-USER ${USERNAME}
+USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
diff --git a/docker/edge-alpine.Dockerfile b/docker/edge-alpine.Dockerfile
index 48c93605a..fc563ec4e 100644
--- a/docker/edge-alpine.Dockerfile
+++ b/docker/edge-alpine.Dockerfile
@@ -29,7 +29,7 @@ COPY --from=base --chown=${USER_UID}:${USER_GID} /public /public
 ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
 ADD --chown=${USER_UID}:${USER_GID} src ./src
 ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
-USER ${USERNAME}
+USER ${USER_UID}
 ENTRYPOINT ["/sbin/tini","-g", "--"]
 ENV ACTUAL_WEB_ROOT=/public
 EXPOSE 5006
diff --git a/docker/edge-ubuntu.Dockerfile b/docker/edge-ubuntu.Dockerfile
index 6b43d3c7f..43984572b 100644
--- a/docker/edge-ubuntu.Dockerfile
+++ b/docker/edge-ubuntu.Dockerfile
@@ -29,7 +29,7 @@ COPY --from=base --chown=${USER_UID}:${USER_GID} /public /public
 ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
 ADD --chown=${USER_UID}:${USER_GID} src ./src
 ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
-USER ${USERNAME}
+USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 ENV ACTUAL_WEB_ROOT=/public
 EXPOSE 5006
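Review bot: The new `USER ${USER_UID}` line in the `Dockerfile` hunk carries no explanation, and a numeric user where a name is available is the kind of line a later cleanup turns back into `USER ${USERNAME}`. A comment above it would keep the reason from the commit subject next to the code, for example `# numeric UID: Kubernetes runAsNonRoot cannot verify a user given by name`. The edge-alpine and edge-ubuntu hunks here and the stable-alpine and stable-ubuntu hunks that follow change the same line and would take the same comment.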
diff --git a/docker/stable-alpine.Dockerfile b/docker/stable-alpine.Dockerfile
index 2ac7d58b1..a820818c2 100644
--- a/docker/stable-alpine.Dockerfile
+++ b/docker/stable-alpine.Dockerfile
@@ -20,7 +20,7 @@ COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_mod
 ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
 ADD --chown=${USER_UID}:${USER_GID} src ./src
 ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
-USER ${USERNAME}
+USER ${USER_UID}
 ENTRYPOINT ["/sbin/tini","-g", "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
diff --git a/docker/stable-ubuntu.Dockerfile b/docker/stable-ubuntu.Dockerfile
index 77816cacf..1416e0d73 100644
--- a/docker/stable-ubuntu.Dockerfile
+++ b/docker/stable-ubuntu.Dockerfile
@@ -20,7 +20,7 @@ COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_mod
 ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
 ADD --chown=${USER_UID}:${USER_GID} src ./src
 ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
-USER ${USERNAME}
+USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
From 2159c879bacbd866f804fbed93f83b2252064d41 Mon Sep 17 00:00:00 2001
From: Harrison Kiang
Date: Tue, 16 Jan 2024 17:27:26 -0600
Subject: [PATCH 6/9] appuser shouldn't be able to modify app files

---
 Dockerfile | 8 ++++----
 docker/edge-alpine.Dockerfile | 10 +++++-----
 docker/edge-ubuntu.Dockerfile | 10 +++++-----
 docker/stable-alpine.Dockerfile | 8 ++++----
 docker/stable-ubuntu.Dockerfile | 8 ++++----
 5 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1416e0d73..6ccae8f55 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,10 +16,10 @@ RUN groupadd --gid $USER_GID $USERNAME \
 RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
 
 WORKDIR /app
-COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
-ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
-ADD --chown=${USER_UID}:${USER_GID} src ./src
-ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+COPY --from=base /app/node_modules /app/node_modules
+ADD package.json app.js ./
+ADD src ./src
+ADD migrations ./migrations
 USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 EXPOSE 5006
diff --git a/docker/edge-alpine.Dockerfile b/docker/edge-alpine.Dockerfile
index fc563ec4e..70ab820be 100644
--- a/docker/edge-alpine.Dockerfile
+++ b/docker/edge-alpine.Dockerfile
@@ -24,11 +24,11 @@ RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNA
 RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
 
 WORKDIR /app
-COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
-COPY --from=base --chown=${USER_UID}:${USER_GID} /public /public
-ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
-ADD --chown=${USER_UID}:${USER_GID} src ./src
-ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+COPY --from=base /app/node_modules /app/node_modules
+COPY --from=base /public /public
+ADD package.json app.js ./
+ADD src ./src
+ADD migrations ./migrations
 USER ${USER_UID}
 ENTRYPOINT ["/sbin/tini","-g", "--"]
 ENV ACTUAL_WEB_ROOT=/public
diff --git a/docker/edge-ubuntu.Dockerfile b/docker/edge-ubuntu.Dockerfile
index 43984572b..de3966500 100644
--- a/docker/edge-ubuntu.Dockerfile
+++ b/docker/edge-ubuntu.Dockerfile
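Review bot: With `--chown` dropped in the `Dockerfile` hunk, everything copied into `/app` is owned by root and keeps whatever mode bits the build context and the `base` stage had, so the process started under `USER ${USER_UID}` depends on those files being world-readable. That is usually the case, but a checkout made under a restrictive umask would presumably yield an image that cannot read its own `src`. Stating the intent in a comment above the `COPY` makes the dependency visible, e.g. `# app files stay root-owned: the runtime user may read them but not modify them; /data is its writable directory`. The edge-alpine hunk that follows and the edge-ubuntu, stable-alpine and stable-ubuntu hunks after it make the same change. The hunk starts in the middle of the `prod` stage, whose `FROM` line is outside it.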
@@ -24,11 +24,11 @@ RUN groupadd --gid $USER_GID $USERNAME \
 RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
 
 WORKDIR /app
-COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
-COPY --from=base --chown=${USER_UID}:${USER_GID} /public /public
-ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
-ADD --chown=${USER_UID}:${USER_GID} src ./src
-ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+COPY --from=base /app/node_modules /app/node_modules
+COPY --from=base /public /public
+ADD package.json app.js ./
+ADD src ./src
+ADD migrations ./migrations
 USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 ENV ACTUAL_WEB_ROOT=/public
diff --git a/docker/stable-alpine.Dockerfile b/docker/stable-alpine.Dockerfile
index a820818c2..94c1b0175 100644
--- a/docker/stable-alpine.Dockerfile
+++ b/docker/stable-alpine.Dockerfile
@@ -16,10 +16,10 @@ RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNA
 RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
 
 WORKDIR /app
-COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
-ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
-ADD --chown=${USER_UID}:${USER_GID} src ./src
-ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+COPY --from=base /app/node_modules /app/node_modules
+ADD package.json app.js ./
+ADD src ./src
+ADD migrations ./migrations
 USER ${USER_UID}
 ENTRYPOINT ["/sbin/tini","-g", "--"]
 EXPOSE 5006
diff --git a/docker/stable-ubuntu.Dockerfile b/docker/stable-ubuntu.Dockerfile
index 1416e0d73..6ccae8f55 100644
--- a/docker/stable-ubuntu.Dockerfile
+++ b/docker/stable-ubuntu.Dockerfile
@@ -16,10 +16,10 @@ RUN groupadd --gid $USER_GID $USERNAME \
 RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
 
 WORKDIR /app
-COPY --from=base --chown=${USER_UID}:${USER_GID} /app/node_modules /app/node_modules
-ADD --chown=${USER_UID}:${USER_GID} package.json app.js ./
-ADD --chown=${USER_UID}:${USER_GID} src ./src
-ADD --chown=${USER_UID}:${USER_GID} migrations ./migrations
+COPY --from=base /app/node_modules /app/node_modules
+ADD package.json app.js ./
+ADD src ./src
+ADD migrations ./migrations
 USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 EXPOSE 5006
From 1de859e7ad524394a952c50bbe264314f1d3d6a3 Mon Sep 17 00:00:00 2001
From: Harrison Kiang
Date: Tue, 16 Jan 2024 17:28:09 -0600
Subject: [PATCH 7/9] existing users need to sync

---
 Dockerfile | 1 -
 docker/edge-alpine.Dockerfile | 1 -
 docker/edge-ubuntu.Dockerfile | 1 -
 docker/stable-alpine.Dockerfile | 1 -
 docker/stable-ubuntu.Dockerfile | 1 -
 5 files changed, 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 6ccae8f55..aff9e2cfd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,6 @@ COPY --from=base /app/node_modules /app/node_modules
 ADD package.json app.js ./
 ADD src ./src
 ADD migrations ./migrations
-USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
diff --git a/docker/edge-alpine.Dockerfile b/docker/edge-alpine.Dockerfile
index 70ab820be..16622c18e 100644
--- a/docker/edge-alpine.Dockerfile
+++ b/docker/edge-alpine.Dockerfile
@@ -29,7 +29,6 @@ COPY --from=base /public /public
 ADD package.json app.js ./
 ADD src ./src
 ADD migrations ./migrations
-USER ${USER_UID}
 ENTRYPOINT ["/sbin/tini","-g", "--"]
 ENV ACTUAL_WEB_ROOT=/public
 EXPOSE 5006
diff --git a/docker/edge-ubuntu.Dockerfile b/docker/edge-ubuntu.Dockerfile
index de3966500..33725525b 100644
--- a/docker/edge-ubuntu.Dockerfile
+++ b/docker/edge-ubuntu.Dockerfile
@@ -29,7 +29,6 @@ COPY --from=base /public /public
 ADD package.json app.js ./
 ADD src ./src
 ADD migrations ./migrations
-USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 ENV ACTUAL_WEB_ROOT=/public
 EXPOSE 5006
diff --git a/docker/stable-alpine.Dockerfile b/docker/stable-alpine.Dockerfile
index 94c1b0175..cf9d59462 100644
--- a/docker/stable-alpine.Dockerfile
+++ b/docker/stable-alpine.Dockerfile
@@ -20,7 +20,6 @@ COPY --from=base /app/node_modules /app/node_modules
 ADD package.json app.js ./
 ADD src ./src
 ADD migrations ./migrations
-USER ${USER_UID}
 ENTRYPOINT ["/sbin/tini","-g", "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
diff --git a/docker/stable-ubuntu.Dockerfile b/docker/stable-ubuntu.Dockerfile
index 6ccae8f55..aff9e2cfd 100644
--- a/docker/stable-ubuntu.Dockerfile
+++ b/docker/stable-ubuntu.Dockerfile
@@ -20,7 +20,6 @@ COPY --from=base /app/node_modules /app/node_modules
 ADD package.json app.js ./
 ADD src ./src
 ADD migrations ./migrations
-USER ${USER_UID}
 ENTRYPOINT ["/usr/bin/tini","-g", "--"]
 EXPOSE 5006
 CMD ["node", "app.js"]
From eb4ee069f74061ebc96a51c95e23bab9e7647228 Mon Sep 17 00:00:00 2001
From: Harrison Kiang
Date: Wed, 17 Jan 2024 18:04:15 -0600
Subject: [PATCH 8/9] meaningful user

---
 Dockerfile | 2 +-
 docker/edge-alpine.Dockerfile | 2 +-
 docker/edge-ubuntu.Dockerfile | 2 +-
 docker/stable-alpine.Dockerfile | 2 +-
 docker/stable-ubuntu.Dockerfile | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index aff9e2cfd..ad5aa098e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@ RUN yarn workspaces focus --all --production
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
 
-ARG USERNAME=appuser
+ARG USERNAME=actual
 ARG USER_UID=1001
 ARG USER_GID=$USER_UID
 RUN groupadd --gid $USER_GID $USERNAME \
diff --git a/docker/edge-alpine.Dockerfile b/docker/edge-alpine.Dockerfile
index 16622c18e..541e21686 100644
--- a/docker/edge-alpine.Dockerfile
+++ b/docker/edge-alpine.Dockerfile
@@ -17,7 +17,7 @@ RUN unzip /tmp/desktop-client.zip -d /public
 FROM alpine:3.17 as prod
 RUN apk add --no-cache nodejs tini
 
-ARG USERNAME=appuser
+ARG USERNAME=actual
 ARG USER_UID=1001
 ARG USER_GID=$USER_UID
 RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNAME} -u ${USER_UID}
diff --git a/docker/edge-ubuntu.Dockerfile b/docker/edge-ubuntu.Dockerfile
index 33725525b..bd24338f4 100644
--- a/docker/edge-ubuntu.Dockerfile
+++ b/docker/edge-ubuntu.Dockerfile
@@ -16,7 +16,7 @@ RUN unzip /tmp/desktop-client.zip -d /public
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
 
-ARG USERNAME=appuser
+ARG USERNAME=actual
 ARG USER_UID=1001
 ARG USER_GID=$USER_UID
 RUN groupadd --gid $USER_GID $USERNAME \
diff --git a/docker/stable-alpine.Dockerfile b/docker/stable-alpine.Dockerfile
index cf9d59462..be52427c7 100644
--- a/docker/stable-alpine.Dockerfile
+++ b/docker/stable-alpine.Dockerfile
@@ -9,7 +9,7 @@ RUN if [ "$(uname -m)" = "armv7l" ]; then npm install bcrypt better-sqlite3 --bu
 FROM alpine:3.17 as prod
 RUN apk add --no-cache nodejs tini
 
-ARG USERNAME=appuser
+ARG USERNAME=actual
 ARG USER_UID=1001
 ARG USER_GID=$USER_UID
 RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNAME} -u ${USER_UID}
diff --git a/docker/stable-ubuntu.Dockerfile b/docker/stable-ubuntu.Dockerfile
index aff9e2cfd..ad5aa098e 100644
--- a/docker/stable-ubuntu.Dockerfile
+++ b/docker/stable-ubuntu.Dockerfile
@@ -8,7 +8,7 @@ RUN yarn workspaces focus --all --production
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
 
-ARG USERNAME=appuser
+ARG USERNAME=actual
 ARG USER_UID=1001
 ARG USER_GID=$USER_UID
 RUN groupadd --gid $USER_GID $USERNAME \
From 9815a36c52af9d68ffa2a7416275730fff7f51da Mon Sep 17 00:00:00 2001
From: Harrison Kiang
Date: Wed, 17 Jan 2024 18:04:38 -0600
Subject: [PATCH 9/9] stress that this is optional

---
 upcoming-release-notes/300.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/upcoming-release-notes/300.md b/upcoming-release-notes/300.md
index b86889f74..4256ba4b5 100644
--- a/upcoming-release-notes/300.md
+++ b/upcoming-release-notes/300.md
@@ -3,4 +3,4 @@ category: Maintenance
 authors: [hkiang01]
 ---
 
-Non-root users for Dockerfiles
\ No newline at end of file
+Optional non-root user for Docker
\ No newline at end of file