search

vladkens / ghstats

🤩📈 Self-hosted dashboard for tracking GitHub repos traffic history longer than 14 days.
MIT License
113 stars 1 forks source link

[Feature Request] Non-Root user #9

Open modem7 opened 1 month ago

modem7 commented 1 month ago

Given that this container doesn't do anything fancy with the underlying image, it should be relatively safe and quick to secure it by not running it as a root user.

E.g.:

FROM rust:1.79-alpine AS builder
ARG TARGETPLATFORM
RUN apk add --no-cache build-base                                               \
                       musl-dev                                                 \
                       libressl-dev

WORKDIR /app
ADD Cargo.toml Cargo.lock ./
RUN mkdir src                                                                && \
    echo "fn main() {}" > src/main.rs

RUN --mount=type=cache,target=/usr/local/cargo/registry,id=${TARGETPLATFORM}    \
    cargo build --release --locked

ADD . .
RUN touch src/main.rs
RUN --mount=type=cache,target=/usr/local/cargo/registry,id=${TARGETPLATFORM}    \
    cargo build --release --frozen

FROM alpine:latest
LABEL org.opencontainers.image.source='https://github.com/vladkens/ghstats'
COPY --from=builder /app/target/release/ghstats /app/ghstats

RUN addgroup -g 1000 -S ghstats                                              && \
    adduser -u 1000 -S ghstats -G ghstats                                    && \
    chown -R ghstats: /app

WORKDIR /app

ENV HOST=0.0.0.0
ENV PORT=8080

EXPOSE 8080

USER ghstats

CMD ["/app/ghstats"]

Note: The only downside so far is that this may break existing databases due to ownership - maybe something to investigate for future. It should be relatively easy to change permissions during the container startup however and assign a custom UID/GID value.

I've also added and optimised a caching layer to speed up build times, and fixed the LABEL to be properly implemented.

I don't want to put in a PR as of yet without further discussion on how you wish to move forwards and what you want in the PR('s).

vladkens commented 1 month ago

Hi. I missed with the initial configuration, now I need to think how I can move the database file.

About mount=type=cache - that's fine for localhost, but I'm not sure how to split that build cache between CI runs.

modem7 commented 1 month ago

Regarding the database file, homepage seems to do a suitable workaround:

https://github.com/gethomepage/homepage/blob/main/docker-entrypoint.sh#L18

Not the most secure way (a lot of people dislike an image changing ownership once it's been built), but it's certainly better than nothing in this case.