Docker entrypoint for running the application as non-root user

3 years ago · 9eaa4ab846
3 changed files with 40 additions and 21 deletions
--- a/14
+++ b/14
@ -10,18 +10,19 @@ RUN apt update && \
    npm install mapbox/node-sqlite3#593c9d --build-from-source

 COPY . .
-RUN npm install --legacy-peer-deps && npm run build && npm prune --production
+RUN npm install --legacy-peer-deps && \
+    npm run build && \
+    npm prune --production && \
+    chmod +x /app/extra/entrypoint.sh
+

 FROM node:14-bullseye-slim AS release
 WORKDIR /app

-# Install Apprise,
-# add sqlite3 cli for debugging in the future
-# iputils-ping for ping
+# Install Apprise, add sqlite3 cli for debugging in the future, iputils-ping for ping, util-linux for setpriv
 RUN apt update && \
    apt --yes install python3 python3-pip python3-cryptography python3-six python3-yaml python3-click python3-markdown python3-requests python3-requests-oauthlib \
-                sqlite3 \
-                iputils-ping && \
+        sqlite3 iputils-ping util-linux && \
    pip3 --no-cache-dir install apprise && \
    rm -rf /var/lib/apt/lists/*

@ -31,6 +32,7 @@ COPY --from=build /app /app
 EXPOSE 3001
 VOLUME ["/app/data"]
 HEALTHCHECK --interval=60s --timeout=30s --start-period=180s --retries=5 CMD node extra/healthcheck.js
+ENTRYPOINT ["extra/entrypoint.sh"]
 CMD ["node", "server/server.js"]

 FROM release AS nightly
--- a/10
+++ b/10
@ -10,14 +10,17 @@ RUN apk add --no-cache --virtual .build-deps make g++ python3 python3-dev git &&
    rm -f /usr/bin/python

 COPY . .
-RUN npm install --legacy-peer-deps && npm run build && npm prune --production
+RUN npm install --legacy-peer-deps && \
+    npm run build && \
+    npm prune --production && \
+    chmod +x /app/extra/entrypoint.sh


 FROM node:14-alpine3.12 AS release
 WORKDIR /app

-# Install apprise
-RUN apk add --no-cache python3 py3-cryptography py3-pip py3-six py3-yaml py3-click py3-markdown py3-requests py3-requests-oauthlib && \
+# Install apprise, iputils for non-root ping, setpriv
+RUN apk add --no-cache iputils setpriv python3 py3-cryptography py3-pip py3-six py3-yaml py3-click py3-markdown py3-requests py3-requests-oauthlib && \
    pip3 --no-cache-dir install apprise && \
    rm -rf /root/.cache

@ -27,6 +30,7 @@ COPY --from=build /app /app
 EXPOSE 3001
 VOLUME ["/app/data"]
 HEALTHCHECK --interval=60s --timeout=30s --start-period=180s --retries=5 CMD node extra/healthcheck.js
+ENTRYPOINT ["extra/entrypoint.sh"]
 CMD ["node", "server/server.js"]

 FROM release AS nightly
--- a/extra/entrypoint.sh
+++ b/extra/entrypoint.sh
@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+set -e
+
+files_ownership () {
+    chown -hRc "${PUID=1000}":"${PGID=1000}" /app/data
+}
+
+echo "==> Performing startup jobs and maintenance tasks"
+files_ownership
+
+echo "==> Starting application with user ${PUID=1000} group ${PGID=1000}"
+exec setpriv --reuid "${PUID=1000}" --regid "${PGID=1000}" --clear-groups "$@"