make image not using root user #2380

Merged
merged 4 commits into from
Aug 12, 2021
7 changes: 7 additions & 0 deletions changelog/unreleased/docker-image-non-root-user.md
@@ -0,0 +1,7 @@
Enhancement: Use non root user for the owncloud/ocis docker image

The owncloud/ocis docker image now uses a non root user and enables you to set a different user with the docker `--user` parameter. The default user has the UID 1000 is part of a group with the GID 1000.

This is a breaking change for existing docker deployments. The permission on the files and folders in persistent volumes need to be changed to the UID and GID used for oCIS (default 1000:1000 if not changed by the user).

https://github.com/owncloud/ocis/pull/2380
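Review bot: grammar in the second sentence of the first paragraph: "The default user has the UID 1000 is part of a group with the GID 1000" is missing a conjunction; suggest "The default user has the UID 1000 and is part of a group with the GID 1000". Also "non root" would normally be hyphenated as "non-root" in both the title line and the body, matching the file name docker-image-non-root-user.md.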
25 changes: 22 additions & 3 deletions ocis/docker/Dockerfile.linux.amd64
@@ -1,4 +1,4 @@
FROM amd64/alpine:3.13
FROM amd64/alpine:3.14

ARG VERSION=""
ARG REVISION=""
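Review bot: the base-image bump from amd64/alpine:3.13 to amd64/alpine:3.14 (repeated in the arm and arm64 Dockerfiles) is unrelated to the non-root change the PR title describes and is not mentioned in the changelog entry. Either add a line to changelog/unreleased/docker-image-non-root-user.md noting the new Alpine release, or split the bump into its own commit so the two changes can be reviewed and reverted independently.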
Expand All @@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH <[email protected]>" \
org.opencontainers.image.version="${VERSION}" \
org.opencontainers.image.revision="${REVISION}"

RUN addgroup -g 1000 -S ocis-group && \
adduser -S --ingroup ocis-group --uid 1000 ocis-user

RUN mkdir -p /var/tmp/ocis && \
chown -R ocis-user:ocis-group /var/tmp/ocis && \
chmod -R 777 /var/tmp/ocis

# default artifact location for autogenerated certifaces
# needs to be a static location because of the docker uid switch mechanism
ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key

VOLUME [ "/var/tmp/ocis" ]
WORKDIR /var/tmp/ocis

USER 1000

EXPOSE 9200/tcp

ENTRYPOINT ["/usr/bin/ocis"]
CMD ["server"]

COPY dist/binaries/ocis-linux-amd64 /usr/bin/ocis

VOLUME [ "/var/tmp/ocis" ]
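Review bot: `chmod -R 777 /var/tmp/ocis` leaves the state directory world-writable without the sticky bit, and the ENV block right below places the auto-generated LDAPS, IDP and proxy TLS private keys under that same tree (/var/tmp/ocis/.config/ldap, .config/idp, .config/proxy). Any process in the container, whatever UID it runs as, can therefore create, rename or unlink entries there and swap those key and certificate files. The directory is already chown'd to ocis-user:ocis-group and the image runs as `USER 1000`, so the 777 only serves an arbitrary `--user` override; consider dropping it, or using a group-writable mode with a documented GID, and relying on the volume-ownership requirement the changelog already states (default 1000:1000). Note that the mode set here is also copied into any anonymous volume Docker creates for the VOLUME declaration. Minor: `-R` on a directory that the preceding mkdir just created is a no-op and can go.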
25 changes: 22 additions & 3 deletions ocis/docker/Dockerfile.linux.arm
@@ -1,4 +1,4 @@
FROM arm32v6/alpine:3.13
FROM arm32v6/alpine:3.14

ARG VERSION=""
ARG REVISION=""
Expand All @@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH <[email protected]>" \
org.opencontainers.image.version="${VERSION}" \
org.opencontainers.image.revision="${REVISION}"

RUN addgroup -g 1000 -S ocis-group && \
adduser -S --ingroup ocis-group --uid 1000 ocis-user

RUN mkdir -p /var/tmp/ocis && \
chown -R ocis-user:ocis-group /var/tmp/ocis && \
chmod -R 777 /var/tmp/ocis

# default artifact location for autogenerated certifaces
# needs to be a static location because of the docker uid switch mechanism
ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key

VOLUME [ "/var/tmp/ocis" ]
WORKDIR /var/tmp/ocis

USER 1000

EXPOSE 9200/tcp

ENTRYPOINT ["/usr/bin/ocis"]
CMD ["server"]

COPY dist/binaries/ocis-linux-arm /usr/bin/ocis

VOLUME [ "/var/tmp/ocis" ]
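Review bot: `VOLUME [ "/var/tmp/ocis" ]` is now declared twice in this file: once in the added block just before `WORKDIR /var/tmp/ocis`, and again on the retained last line after the COPY. The second declaration is harmless to the build but misleading to readers; drop the trailing one. The same duplication is present in Dockerfile.linux.amd64 and Dockerfile.linux.arm64.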
25 changes: 22 additions & 3 deletions ocis/docker/Dockerfile.linux.arm64
@@ -1,4 +1,4 @@
FROM arm64v8/alpine:3.13
FROM arm64v8/alpine:3.14

ARG VERSION=""
ARG REVISION=""
Expand All @@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH <[email protected]>" \
org.opencontainers.image.version="${VERSION}" \
org.opencontainers.image.revision="${REVISION}"

RUN addgroup -g 1000 -S ocis-group && \
adduser -S --ingroup ocis-group --uid 1000 ocis-user

RUN mkdir -p /var/tmp/ocis && \
chown -R ocis-user:ocis-group /var/tmp/ocis && \
chmod -R 777 /var/tmp/ocis

# default artifact location for autogenerated certifaces
# needs to be a static location because of the docker uid switch mechanism
ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key

VOLUME [ "/var/tmp/ocis" ]
WORKDIR /var/tmp/ocis

USER 1000

EXPOSE 9200/tcp

ENTRYPOINT ["/usr/bin/ocis"]
CMD ["server"]

COPY dist/binaries/ocis-linux-arm64 /usr/bin/ocis

VOLUME [ "/var/tmp/ocis" ]
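Review bot: typo in the added comment, "certifaces" should be "certificates" (the same comment appears in the amd64 and arm Dockerfiles). On ordering: `COPY dist/binaries/ocis-linux-arm64 /usr/bin/ocis` comes after `USER 1000`, but COPY without `--chown` still writes the file as root:root, so the binary ends up not writable by the runtime user; that is the desired outcome, and a one-line comment saying so would stop the next reader from "fixing" the order. Using the numeric `USER 1000` rather than `USER ocis-user` is the right call, since Kubernetes `runAsNonRoot` can only verify a numeric UID from the image config and refuses to start containers whose image USER is a name.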