From 305ef58b732c263dc98215312a0dd9b175709008 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Wed, 11 Aug 2021 13:07:17 +0200
Subject: [PATCH 1/4] make image not using root user
---
 ocis/docker/Dockerfile.linux.amd64 | 25 ++++++++++++++++++++++---
 ocis/docker/Dockerfile.linux.arm | 25 ++++++++++++++++++++++---
 ocis/docker/Dockerfile.linux.arm64 | 25 ++++++++++++++++++++++---
 3 files changed, 66 insertions(+), 9 deletions(-)
diff --git a/ocis/docker/Dockerfile.linux.amd64 b/ocis/docker/Dockerfile.linux.amd64
index ce227da2d87..4d2b1b39aa7 100644
--- a/ocis/docker/Dockerfile.linux.amd64
+++ b/ocis/docker/Dockerfile.linux.amd64
@@ -1,4 +1,4 @@
-FROM amd64/alpine:3.13
+FROM amd64/alpine:3.14
 ARG VERSION=""
 ARG REVISION=""
@@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.version="${VERSION}" \
 org.opencontainers.image.revision="${REVISION}"
+RUN addgroup -g 700 -S ocis-group && \
+ adduser -S --ingroup ocis-group --uid 700 ocis-user
+
+RUN mkdir -p /var/tmp/ocis && \
+ chown -R ocis-user:ocis-group /var/tmp/ocis && \
+ chmod -R 777 /var/tmp/ocis
+
+# default artifact location for autogenerated certifaces
+# needs to be a static location because of the docker uid switch mechanism
+ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
+ GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
+ IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
+ IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
+ PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
+ PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key
+
+VOLUME [ "/var/tmp/ocis" ]
+WORKDIR /var/tmp/ocis
+
+USER ocis-user
+
 EXPOSE 9200/tcp
 ENTRYPOINT ["/usr/bin/ocis"]
 CMD ["server"]
 COPY dist/binaries/ocis-linux-amd64 /usr/bin/ocis
-
-VOLUME [ "/var/tmp/ocis" ]
diff --git a/ocis/docker/Dockerfile.linux.arm b/ocis/docker/Dockerfile.linux.arm
index f0ddbb32ae2..ab3e30353d7 100644
--- a/ocis/docker/Dockerfile.linux.arm
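Review bot: `chmod -R 777 /var/tmp/ocis` makes the directory that the ENV lines in this hunk designate as the home of the autogenerated LDAPS, IDP and proxy private keys world-writable, and because the same path is declared as a VOLUME a fresh named volume starts out with that mode, so any UID inside the container can replace those keys (whether it can also read them depends on the mode ocis writes them with, which this hunk does not show). The directory is already chowned to ocis-user:ocis-group, so `chmod 0770` is enough for the default user, and a different runtime user keeps access with `--user <uid>:700`; the `-R` flags are no-ops on a directory that `mkdir -p` just created empty. I would write `RUN mkdir -p /var/tmp/ocis && \` / `    chown ocis-user:ocis-group /var/tmp/ocis && \` / `    chmod 0770 /var/tmp/ocis`. If arbitrary UIDs without the group must keep working, that trade-off deserves a comment on the chmod line rather than a silent 777.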
+++ b/ocis/docker/Dockerfile.linux.arm
@@ -1,4 +1,4 @@
-FROM arm32v6/alpine:3.13
+FROM arm32v6/alpine:3.14
 ARG VERSION=""
 ARG REVISION=""
@@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.version="${VERSION}" \
 org.opencontainers.image.revision="${REVISION}"
+RUN addgroup -g 700 -S ocis-group && \
+ adduser -S --ingroup ocis-group --uid 700 ocis-user
+
+RUN mkdir -p /var/tmp/ocis && \
+ chown -R ocis-user:ocis-group /var/tmp/ocis && \
+ chmod -R 777 /var/tmp/ocis
+
+# default artifact location for autogenerated certifaces
+# needs to be a static location because of the docker uid switch mechanism
+ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
+ GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
+ IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
+ IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
+ PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
+ PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key
+
+VOLUME [ "/var/tmp/ocis" ]
+WORKDIR /var/tmp/ocis
+
+USER ocis-user
+
 EXPOSE 9200/tcp
 ENTRYPOINT ["/usr/bin/ocis"]
 CMD ["server"]
 COPY dist/binaries/ocis-linux-arm /usr/bin/ocis
-
-VOLUME [ "/var/tmp/ocis" ]
diff --git a/ocis/docker/Dockerfile.linux.arm64 b/ocis/docker/Dockerfile.linux.arm64
index 3e1f4f555f9..12c63618397 100644
--- a/ocis/docker/Dockerfile.linux.arm64
+++ b/ocis/docker/Dockerfile.linux.arm64
@@ -1,4 +1,4 @@
-FROM arm64v8/alpine:3.13
+FROM arm64v8/alpine:3.14
 ARG VERSION=""
 ARG REVISION=""
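Review bot: The two comment lines above the ENV block in the arm hunk do not tell a reader what is at stake: "certifaces" is a typo, and "because of the docker uid switch mechanism" does not say why a fixed path is needed or that the paths point at TLS private keys inside the volume. I would replace them with `# Default locations of the autogenerated TLS certificates and private keys.` / `# Pinned to the volume path so they stay valid when the runtime UID is overridden with --user.`, and keep the second sentence hedged if the real reason is something other than the UID override. This file is byte-for-byte the same as the amd64 and arm64 variants apart from the base image and binary, so the same wording, and the concern about the world-writable `chmod -R 777` on the key directory, applies to all three.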
@@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.version="${VERSION}" \
 org.opencontainers.image.revision="${REVISION}"
+RUN addgroup -g 700 -S ocis-group && \
+ adduser -S --ingroup ocis-group --uid 700 ocis-user
+
+RUN mkdir -p /var/tmp/ocis && \
+ chown -R ocis-user:ocis-group /var/tmp/ocis && \
+ chmod -R 777 /var/tmp/ocis
+
+# default artifact location for autogenerated certifaces
+# needs to be a static location because of the docker uid switch mechanism
+ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
+ GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
+ IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
+ IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
+ PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
+ PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key
+
+VOLUME [ "/var/tmp/ocis" ]
+WORKDIR /var/tmp/ocis
+
+USER ocis-user
+
 EXPOSE 9200/tcp
 ENTRYPOINT ["/usr/bin/ocis"]
 CMD ["server"]
 COPY dist/binaries/ocis-linux-arm64 /usr/bin/ocis
-
-VOLUME [ "/var/tmp/ocis" ]
From 1468abe4e92cc1edd0416dd24057ed49cb2a8d49 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 12 Aug 2021 12:35:26 +0200
Subject: [PATCH 2/4] change USER statement to use the UID
---
 ocis/docker/Dockerfile.linux.amd64 | 2 +-
 ocis/docker/Dockerfile.linux.arm | 2 +-
 ocis/docker/Dockerfile.linux.arm64 | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ocis/docker/Dockerfile.linux.amd64 b/ocis/docker/Dockerfile.linux.amd64
index 4d2b1b39aa7..6a0f7c04dc1 100644
--- a/ocis/docker/Dockerfile.linux.amd64
+++ b/ocis/docker/Dockerfile.linux.amd64
@@ -40,7 +40,7 @@ ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
 VOLUME [ "/var/tmp/ocis" ]
 WORKDIR /var/tmp/ocis
-USER ocis-user
+USER 700
 EXPOSE 9200/tcp
diff --git a/ocis/docker/Dockerfile.linux.arm b/ocis/docker/Dockerfile.linux.arm
index ab3e30353d7..278975ab736 100644
--- a/ocis/docker/Dockerfile.linux.arm
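Review bot: In the arm64 hunk the `COPY dist/binaries/ocis-linux-arm64 /usr/bin/ocis` now sits after `USER ocis-user`, which reads as if the binary were meant to be installed as the unprivileged user; COPY without `--chown` does not honour USER, so the file lands root-owned, and that is actually the outcome you want (the runtime user cannot overwrite its own executable), but nothing in the file says so. I would move the COPY above the USER switch next to the other root-only steps and add `# binary stays root-owned and read-only for the runtime user` on it, so the next person does not "fix" it with `--chown=ocis-user`. The same ordering exists in the amd64 and arm files.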
+++ b/ocis/docker/Dockerfile.linux.arm
@@ -40,7 +40,7 @@ ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
 VOLUME [ "/var/tmp/ocis" ]
 WORKDIR /var/tmp/ocis
-USER ocis-user
+USER 700
 EXPOSE 9200/tcp
diff --git a/ocis/docker/Dockerfile.linux.arm64 b/ocis/docker/Dockerfile.linux.arm64
index 12c63618397..5c59bf3d83f 100644
--- a/ocis/docker/Dockerfile.linux.arm64
+++ b/ocis/docker/Dockerfile.linux.arm64
@@ -40,7 +40,7 @@ ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
 VOLUME [ "/var/tmp/ocis" ]
 WORKDIR /var/tmp/ocis
-USER ocis-user
+USER 700
 EXPOSE 9200/tcp
From a8d78c06cd30d1e0bb9064f5e6373d3da6f08030 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 12 Aug 2021 15:00:46 +0200
Subject: [PATCH 3/4] use uid and gid 1000
---
 ocis/docker/Dockerfile.linux.amd64 | 6 +++---
 ocis/docker/Dockerfile.linux.arm | 6 +++---
 ocis/docker/Dockerfile.linux.arm64 | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ocis/docker/Dockerfile.linux.amd64 b/ocis/docker/Dockerfile.linux.amd64
index 6a0f7c04dc1..57bbc44da73 100644
--- a/ocis/docker/Dockerfile.linux.amd64
+++ b/ocis/docker/Dockerfile.linux.amd64
@@ -21,8 +21,8 @@ LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.version="${VERSION}" \
 org.opencontainers.image.revision="${REVISION}"
-RUN addgroup -g 700 -S ocis-group && \
- adduser -S --ingroup ocis-group --uid 700 ocis-user
+RUN addgroup -g 1000 -S ocis-group && \
+ adduser -S --ingroup ocis-group --uid 1000 ocis-user
 RUN mkdir -p /var/tmp/ocis && \
 chown -R ocis-user:ocis-group /var/tmp/ocis && \
@@ -40,7 +40,7 @@ ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
 VOLUME [ "/var/tmp/ocis" ]
 WORKDIR /var/tmp/ocis
-USER 700
+USER 1000
 EXPOSE 9200/tcp
diff --git a/ocis/docker/Dockerfile.linux.arm b/ocis/docker/Dockerfile.linux.arm
index 278975ab736..ed6ce63f576 100644
--- a/ocis/docker/Dockerfile.linux.arm
+++ b/ocis/docker/Dockerfile.linux.arm
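Review bot: Settling on UID/GID 1000 in the amd64 `addgroup`/`adduser` lines and `USER 1000` means the container process is, on most Linux hosts, the same numeric identity as the first interactive user, so on bind mounts and without user-namespace remapping it holds that host user's rights over whatever is mounted in. If that is the intent (the changelog in this series tells operators to chown existing volumes to 1000:1000, which suggests bind-mount convenience), it deserves a comment such as `# 1000:1000 is chosen to match the typical first host user for bind mounts` on the addgroup line; if not, a high value like 10001 is the safer default and is still a stable numeric UID for runAsNonRoot checks. Independently, `USER 1000:1000` would make the effective GID explicit instead of relying on the /etc/passwd lookup of the user created above. The same applies to the arm and arm64 hunks of this patch.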
@@ -21,8 +21,8 @@ LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.version="${VERSION}" \
 org.opencontainers.image.revision="${REVISION}"
-RUN addgroup -g 700 -S ocis-group && \
- adduser -S --ingroup ocis-group --uid 700 ocis-user
+RUN addgroup -g 1000 -S ocis-group && \
+ adduser -S --ingroup ocis-group --uid 1000 ocis-user
 RUN mkdir -p /var/tmp/ocis && \
 chown -R ocis-user:ocis-group /var/tmp/ocis && \
@@ -40,7 +40,7 @@ ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
 VOLUME [ "/var/tmp/ocis" ]
 WORKDIR /var/tmp/ocis
-USER 700
+USER 1000
 EXPOSE 9200/tcp
diff --git a/ocis/docker/Dockerfile.linux.arm64 b/ocis/docker/Dockerfile.linux.arm64
index 5c59bf3d83f..35892e86545 100644
--- a/ocis/docker/Dockerfile.linux.arm64
+++ b/ocis/docker/Dockerfile.linux.arm64
@@ -21,8 +21,8 @@ LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.version="${VERSION}" \
 org.opencontainers.image.revision="${REVISION}"
-RUN addgroup -g 700 -S ocis-group && \
- adduser -S --ingroup ocis-group --uid 700 ocis-user
+RUN addgroup -g 1000 -S ocis-group && \
+ adduser -S --ingroup ocis-group --uid 1000 ocis-user
 RUN mkdir -p /var/tmp/ocis && \
 chown -R ocis-user:ocis-group /var/tmp/ocis && \
@@ -40,7 +40,7 @@ ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
 VOLUME [ "/var/tmp/ocis" ]
 WORKDIR /var/tmp/ocis
-USER 700
+USER 1000
 EXPOSE 9200/tcp
From 41b26a3eb7eb5cea9a4f9df412ad8350a8d7a6f4 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 12 Aug 2021 15:06:46 +0200
Subject: [PATCH 4/4] add changelog
---
 changelog/unreleased/docker-image-non-root-user.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 changelog/unreleased/docker-image-non-root-user.md
diff --git a/changelog/unreleased/docker-image-non-root-user.md b/changelog/unreleased/docker-image-non-root-user.md
new file mode 100644
index 00000000000..fae6806702a
--- /dev/null
+++ b/changelog/unreleased/docker-image-non-root-user.md
@@ -0,0 +1,7 @@
+Enhancement: Use non root user for the owncloud/ocis docker image
+
+The owncloud/ocis docker image now uses a non root user and enables you to set a different user with the docker `--user` parameter. The default user has the UID 1000 is part of a group with the GID 1000.
+
+This is a breaking change for existing docker deployments. The permission on the files and folders in persistent volumes need to be changed to the UID and GID used for oCIS (default 1000:1000 if not changed by the user).
+
+https://github.com/owncloud/ocis/pull/2380