From 73f7fbabd36f2741ba3282184de727af27be491b Mon Sep 17 00:00:00 2001 From: Louis Lam Date: Wed, 14 Sep 2022 18:05:02 +0800 Subject: [PATCH] True rootless image --- docker/debian-base.dockerfile | 2 -- docker/dockerfile | 14 +++++++------- extra/entrypoint.sh | 21 --------------------- 3 files changed, 7 insertions(+), 30 deletions(-) delete mode 100644 extra/entrypoint.sh diff --git a/docker/debian-base.dockerfile b/docker/debian-base.dockerfile index 20bef3dd..ceb2cac1 100644 --- a/docker/debian-base.dockerfile +++ b/docker/debian-base.dockerfile @@ -3,8 +3,6 @@ FROM node:16-buster-slim ARG TARGETPLATFORM -WORKDIR /app - # Install Curl # Install Apprise, add sqlite3 cli for debugging in the future, iputils-ping for ping, util-linux for setpriv # Stupid python3 and python3-pip actually install a lot of useless things into Debian, specify --no-install-recommends to skip them, make the base even smaller than alpine! diff --git a/docker/dockerfile b/docker/dockerfile index eea6ba33..95f79f81 100644 --- a/docker/dockerfile +++ b/docker/dockerfile @@ -1,27 +1,27 @@ FROM louislam/uptime-kuma:base-debian AS build +USER node WORKDIR /app - ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=1 - -COPY . . -RUN npm ci --production && \ - chmod +x /app/extra/entrypoint.sh +COPY --chown=node:node . . +RUN npm ci --production FROM louislam/uptime-kuma:base-debian AS release +USER node WORKDIR /app # Copy app files from build layer -COPY --from=build /app /app +COPY --chown=node:node --from=build /app /app EXPOSE 3001 VOLUME ["/app/data"] HEALTHCHECK --interval=60s --timeout=30s --start-period=180s --retries=5 CMD node extra/healthcheck.js -ENTRYPOINT ["/usr/bin/dumb-init", "--", "extra/entrypoint.sh"] +ENTRYPOINT ["/usr/bin/dumb-init", "--"] CMD ["node", "server/server.js"] FROM release AS nightly +USER node RUN npm run mark-as-nightly # Build an image for testing pr diff --git a/extra/entrypoint.sh b/extra/entrypoint.sh deleted file mode 100644 index 23c4f017..00000000 --- a/extra/entrypoint.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/usr/bin/env sh - -# set -e Exit the script if an error happens -set -e -PUID=${PUID=0} -PGID=${PGID=0} - -files_ownership () { - # -h Changes the ownership of an encountered symbolic link and not that of the file or directory pointed to by the symbolic link. - # -R Recursively descends the specified directories - # -c Like verbose but report only when a change is made - chown -hRc "$PUID":"$PGID" /app/data -} - -echo "==> Performing startup jobs and maintenance tasks" -files_ownership - -echo "==> Starting application with user $PUID group $PGID" - -# --clear-groups Clear supplementary groups. -exec setpriv --reuid "$PUID" --regid "$PGID" --clear-groups "$@"