Merge pull request #2380 from owncloud/non-root-docker-image

make image not using root user

changelog/unreleased/docker-image-non-root-user.md

@@ -0,0 +1,7 @@
+Enhancement: Use non root user for the owncloud/ocis docker image
+
+The owncloud/ocis docker image now uses a non root user and enables you to set a different user with the docker `--user` parameter. The default user has the UID 1000 is part of a group with the GID 1000.
+
+This is a breaking change for existing docker deployments. The permission on the files and folders in persistent volumes need to be changed to the UID and GID used for oCIS (default 1000:1000 if not changed by the user).
+
+https://github.com/owncloud/ocis/pull/2380

ocis/docker/Dockerfile.linux.amd64

@@ -1,4 +1,4 @@
-FROM amd64/alpine:3.13
+FROM amd64/alpine:3.14
 
 ARG VERSION=""
 ARG REVISION=""
@@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH <[email protected]>" \
   org.opencontainers.image.version="${VERSION}" \
   org.opencontainers.image.revision="${REVISION}"
 
+RUN addgroup -g 1000 -S ocis-group && \
+  adduser -S --ingroup ocis-group --uid 1000 ocis-user
+
+RUN mkdir -p /var/tmp/ocis && \
+ chown -R ocis-user:ocis-group /var/tmp/ocis && \
+ chmod -R 777 /var/tmp/ocis
+
+# default artifact location for autogenerated certifaces
+# needs to be a static location because of the docker uid switch mechanism
+ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
+  GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
+  IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
+  IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
+  PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
+  PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key
+
+VOLUME [ "/var/tmp/ocis" ]
+WORKDIR /var/tmp/ocis
+
+USER 1000
+
 EXPOSE 9200/tcp
 
 ENTRYPOINT ["/usr/bin/ocis"]
 CMD ["server"]
 
 COPY dist/binaries/ocis-linux-amd64 /usr/bin/ocis
-
-VOLUME [ "/var/tmp/ocis" ]

ocis/docker/Dockerfile.linux.arm

@@ -1,4 +1,4 @@
-FROM arm32v6/alpine:3.13
+FROM arm32v6/alpine:3.14
 
 ARG VERSION=""
 ARG REVISION=""
@@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH <[email protected]>" \
   org.opencontainers.image.version="${VERSION}" \
   org.opencontainers.image.revision="${REVISION}"
 
+RUN addgroup -g 1000 -S ocis-group && \
+  adduser -S --ingroup ocis-group --uid 1000 ocis-user
+
+RUN mkdir -p /var/tmp/ocis && \
+ chown -R ocis-user:ocis-group /var/tmp/ocis && \
+ chmod -R 777 /var/tmp/ocis
+
+# default artifact location for autogenerated certifaces
+# needs to be a static location because of the docker uid switch mechanism
+ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
+  GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
+  IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
+  IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
+  PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
+  PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key
+
+VOLUME [ "/var/tmp/ocis" ]
+WORKDIR /var/tmp/ocis
+
+USER 1000
+
 EXPOSE 9200/tcp
 
 ENTRYPOINT ["/usr/bin/ocis"]
 CMD ["server"]
 
 COPY dist/binaries/ocis-linux-arm /usr/bin/ocis
-
-VOLUME [ "/var/tmp/ocis" ]

ocis/docker/Dockerfile.linux.arm64

@@ -1,4 +1,4 @@
-FROM arm64v8/alpine:3.13
+FROM arm64v8/alpine:3.14
 
 ARG VERSION=""
 ARG REVISION=""
@@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH <[email protected]>" \
   org.opencontainers.image.version="${VERSION}" \
   org.opencontainers.image.revision="${REVISION}"
 
+RUN addgroup -g 1000 -S ocis-group && \
+  adduser -S --ingroup ocis-group --uid 1000 ocis-user
+
+RUN mkdir -p /var/tmp/ocis && \
+ chown -R ocis-user:ocis-group /var/tmp/ocis && \
+ chmod -R 777 /var/tmp/ocis
+
+# default artifact location for autogenerated certifaces
+# needs to be a static location because of the docker uid switch mechanism
+ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
+  GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
+  IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
+  IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
+  PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
+  PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key
+
+VOLUME [ "/var/tmp/ocis" ]
+WORKDIR /var/tmp/ocis
+
+USER 1000
+
 EXPOSE 9200/tcp
 
 ENTRYPOINT ["/usr/bin/ocis"]
 CMD ["server"]
 
 COPY dist/binaries/ocis-linux-arm64 /usr/bin/ocis
-
-VOLUME [ "/var/tmp/ocis" ]