Open pythoninthegrass opened 4 months ago
Dockerfile
# syntax=docker/dockerfile:1.6
FROM lsiobase/alpine:3.19 as base
ENV TZ=Etc/UTC
RUN <<EOF
#!/usr/bin/env bash
echo "**** install build packages ****"
apk add --no-cache nodejs npm
echo "**** cleanup ****"
rm -rf \
/root/.cache \
/tmp/*
ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
EOF
WORKDIR /app
ARG data_dir=/app/config
VOLUME $data_dir
ENV CONFIG_DIR=$data_dir
COPY docker/root/ /
ENV PUBLIC_KENER_FOLDER=${CONFIG_DIR}/static
ENV MONITOR_YAML_PATH=${CONFIG_DIR}/monitors.yaml
ENV SITE_YAML_PATH=${CONFIG_DIR}/site.yaml
FROM base as build
ARG USERNAME=abc
ARG PUID=1002
ARG PGID=$PUID
COPY --chown=${PUID}:${PGID} . /app
# TODO: mount node_modules as volume to speed up build
# TODO: avoid using mkdir and chown
RUN mkdir -p "${CONFIG_DIR}/static" \
&& npm install \
&& chown -R root:root node_modules \
&& npm run kener:build
FROM base as app
WORKDIR /app
ARG USERNAME=abc
ARG PUID=1002
ARG PGID=$PUID
RUN groupmod --gid $PGID $USERNAME \
&& usermod --uid $PUID --gid $PGID $USERNAME \
&& chown -R ${PUID}:${PGID} /app
COPY --chown=${PUID}:${PGID} package*.json .
COPY --from=base /usr/local/bin /usr/local/bin
COPY --from=base /usr/local/lib /usr/local/lib
COPY --chown=${PUID}:${PGID} scripts /app/scripts
COPY --chown=${PUID}:${PGID} static /app/static
COPY --chown=${PUID}:${PGID} config /app/config
COPY --chown=${PUID}:${PGID} src/lib/helpers.js /app/src/lib/helpers.js
COPY --from=build --chown=${PUID}:${PGID} /app/build /app/build
COPY --from=build --chown=${PUID}:${PGID} /app/prod.js /app/prod.js
COPY --from=build --chown=${PUID}:${PGID} ${CONFIG_DIR}/static ${CONFIG_DIR}/static
ENV NODE_ENV=production
RUN npm install --omit=dev \
&& npm cache clean --force \
&& chown -R ${PUID}:${PGID} node_modules
ARG WEB_PORT=3000
ENV PORT=$WEB_PORT
EXPOSE $PORT
USER $USERNAME
# leave entrypoint blank!
# uses LSIO s6-init entrypoint with scripts
# that populate CONFIG_DIR with static dir, monitor/site.yaml when dir is empty
# and chown's all files so they are owned by proper user based on PUID/GUID env
docker-compose.yml
# version: '3.9'
services:
kener:
container_name: status-page
build:
context: .
dockerfile: Dockerfile
env_file:
- .env
environment:
- TZ=Etc/UTC
- PUID=1002
- PGID=1002
- PORT=3000
- CONFIG_DIR=/app/config
- PUBLIC_KENER_FOLDER=/app/config/static
- MONITOR_YAML_PATH=/app/config/monitors.yaml
- SITE_YAML_PATH=/app/config/site.yaml
ports:
- '5173:3000/tcp'
working_dir: /app
volumes:
- ./config:/app/config
- ./static:/app/static
- ./scripts:/app/scripts
restart: unless-stopped
Is your feature request related to a problem? Please describe. Currently trying to run the container as a non-root user. Despite changing
PUID
/PGID
, the container runs as root.Describe the solution you'd like Standard user should be available with privilege escalation where needed.
Describe alternatives you've considered Tried making a custom
Dockerfile
from your official version that sets user/group permissions and changes to the standard user before the commented outCMD
/ENTRYPOINT
. The lsio images appear to run as root with an s6-overlay preventing normal docker directives, which was anecdotally confirmed by a mod at their forums (forget the URL.)My suspicion is that the s6 overlay scripts are clobbering the
Dockerfile
configUSER
directive.Additional context It's entirely possible that the permissions are relatively locked down upstream, but if possible, it'd be nice to be able to set an env var in the compose file, and that ensures a standard user is given least principle access at runtime.
The logs show:
with exec'ing into the container returning
FWIW my custom user is
abc
.