Merge pull request #850 from benphelps/revert-644-feat/unprivileged-container

Revert "use unprivileged user in a container"

Dockerfile

@@ -7,10 +7,12 @@ WORKDIR /app
 
 COPY --link package.json pnpm-lock.yaml* ./
 
-SHELL ["/bin/ash", "-xeo", "pipefail", "-c"]
+RUN <<EOF
-RUN apk add --no-cache libc6-compat \
+    set -xe
- && apk add --no-cache --virtual .gyp python3 make g++ \
+    apk add libc6-compat
- && npm install -g pnpm
+    apk add --virtual .gyp python3 make g++
+    npm install -g pnpm
+EOF
 
 RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store pnpm fetch | grep -v "cross-device link not permitted\|Falling back to copying packages from store"
 
@@ -27,10 +29,12 @@ ARG REVISION
 COPY --link --from=deps /app/node_modules ./node_modules/
 COPY . .
 
-SHELL ["/bin/ash", "-xeo", "pipefail", "-c"]
+RUN <<EOF
-RUN npm run telemetry \
+    set -xe
- && mkdir config && echo '---' > config/settings.yaml \
+    npm run telemetry
- && NEXT_PUBLIC_BUILDTIME=$BUILDTIME NEXT_PUBLIC_VERSION=$VERSION NEXT_PUBLIC_REVISION=$REVISION npm run build
+    mkdir config && echo '-' > config/settings.yaml
+    NEXT_PUBLIC_BUILDTIME=$BUILDTIME NEXT_PUBLIC_VERSION=$VERSION NEXT_PUBLIC_REVISION=$REVISION npm run build
+EOF
 
 # Production image, copy all the files and run next
 FROM docker.io/node:18-alpine AS runner
@@ -46,15 +50,12 @@ ENV NODE_ENV production
 WORKDIR /app
 
 # Copy files from context (this allows the files to copy before the builder stage is done).
-COPY --link --chown=1000:1000 package.json next.config.js ./
+COPY --link package.json next.config.js ./
-COPY --link --chown=1000:1000 /public ./public/
+COPY --link /public ./public
 
 # Copy files from builder
-COPY --link --from=builder --chown=1000:1000 /app/.next/standalone ./
+COPY --link --from=builder /app/.next/standalone ./
-COPY --link --from=builder --chown=1000:1000 /app/.next/static/ ./.next/static/
+COPY --link --from=builder /app/.next/static/ ./.next/static/
-COPY --link --chmod=755 docker-entrypoint.sh /usr/local/bin/
-
-RUN apk add --no-cache su-exec
 
 ENV PORT 3000
 EXPOSE $PORT
@@ -62,5 +63,4 @@ EXPOSE $PORT
 HEALTHCHECK --interval=10s --timeout=3s --start-period=20s \
   CMD wget --no-verbose --tries=1 --spider --no-check-certificate http://localhost:$PORT/api/healthcheck || exit 1
 
-ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["node", "server.js"]

docker-entrypoint.sh

@@ -2,22 +2,8 @@
 
 set -e
 
-# Default to root, so old installations won't break
-export PUID=${PUID:-0}
-export PGID=${PGID:-0}
-
 # This is in attempt to preserve the original behavior of the Dockerfile,
 # while also supporting the lscr.io /config directory
 [ ! -d "/app/config" ] && ln -s /config /app/config
 
-# Set privileges for /app but only if pid 1 user is root and we are dropping privileges.
+node server.js
-# If container is run as an unprivileged user, it means owner already handled ownership setup on their own.
-# Running chown in that case (as non-root) will cause error
-[ "$(id -u)" == "0" ] && [ "${PUID}" != "0" ] && chown -R ${PUID}:${PGID} /app
-
-# Drop privileges (when asked to) if root, otherwise run as current user
-if [ "$(id -u)" == "0" ] && [ "${PUID}" != "0" ]; then
-  su-exec ${PUID}:${PGID} "$@"
-else
-  exec "$@"
-fi