From c38d242bea8dfee62da8430f927170f27b76739f Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Fri, 6 Nov 2020 10:18:29 +0100
Subject: [PATCH] docker: allow running as an arbitrary user

---
 Dockerfile | 4 +---
 Dockerfile.alpine | 4 +---
 docker/README.md | 25 ++++++++++++++++++++++++-
 3 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 0318ea23..3fe9da2f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -55,9 +55,7 @@ RUN sed -i "s|\"users_base_dir\": \"\",|\"users_base_dir\": \"/srv/sftpgo/data\"
     sed -i "s|\"backups\"|\"/srv/sftpgo/backups\"|" /etc/sftpgo/sftpgo.json && \
     sed -i "s|\"bind_address\": \"127.0.0.1\",|\"bind_address\": \"\",|" /etc/sftpgo/sftpgo.json
-RUN chown -R sftpgo:sftpgo /etc/sftpgo && chown sftpgo:sftpgo /var/lib/sftpgo /srv/sftpgo && \
-    chmod 640 /etc/sftpgo/sftpgo.json && \
-    chmod 750 /etc/sftpgo /var/lib/sftpgo /srv/sftpgo
+RUN chown -R sftpgo:sftpgo /etc/sftpgo && chown sftpgo:sftpgo /var/lib/sftpgo /srv/sftpgo
 WORKDIR /var/lib/sftpgo
 USER 1000:1000
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
index 8e67ae4f..c9e2e9b8 100644
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -60,9 +60,7 @@ RUN sed -i "s|\"users_base_dir\": \"\",|\"users_base_dir\": \"/srv/sftpgo/data\"
     sed -i "s|\"backups\"|\"/srv/sftpgo/backups\"|" /etc/sftpgo/sftpgo.json && \
     sed -i "s|\"bind_address\": \"127.0.0.1\",|\"bind_address\": \"\",|" /etc/sftpgo/sftpgo.json
-RUN chown -R sftpgo:sftpgo /etc/sftpgo && chown sftpgo:sftpgo /var/lib/sftpgo /srv/sftpgo && \
-    chmod 640 /etc/sftpgo/sftpgo.json && \
-    chmod 750 /etc/sftpgo /var/lib/sftpgo /srv/sftpgo
+RUN chown -R sftpgo:sftpgo /etc/sftpgo && chown sftpgo:sftpgo /var/lib/sftpgo /srv/sftpgo
 WORKDIR /var/lib/sftpgo
 USER 1000:1000
diff --git a/docker/README.md b/docker/README.md
index 1c1d98f7..a2fabb4b 100644
--- a/docker/README.md
+++ b/docker/README.md
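Review bot: Dropping the `chmod 640`/`chmod 750` lines makes the mode of `/etc/sftpgo/sftpgo.json` and of the three directories implicit — it is now whatever the earlier steps outside this hunk left behind (if the config is COPY'd in, COPY preserves the build-context file mode), so whether an arbitrary `--user` can actually read the config depends on the contributor's checkout and umask rather than on the Dockerfile; the Dockerfile.alpine hunk has the same issue. Since the intent is that any non-root UID can read the config, I would make it explicit and deterministic by appending to the kept `RUN chown ...` line: `&& \`, `chmod 644 /etc/sftpgo/sftpgo.json && \`, `chmod 755 /etc/sftpgo /var/lib/sftpgo /srv/sftpgo`. A one-line comment above the RUN would also keep the next maintainer from re-tightening it: `# config/data dirs are intentionally readable by any UID: the image may be started with an arbitrary --user (see docker/README.md)`. Note that this means every UID inside the container can read the config, which matters if it ever carries credentials (e.g. a data-provider password); the README section added in this commit is the place to state that trade-off. The `RUN sed ...` instruction whose continuation lines open the hunk begins outside it.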
@@ -44,7 +44,7 @@ docker logs some-sftpgo Important note: There are several ways to store data used by applications that run in Docker containers. We encourage users of the SFTPGo images to familiarize themselves with the options available, including: - Let Docker manage the storage for SFTPGo data by [writing them to disk on the host system using its own internal volume management](https://docs.docker.com/engine/tutorials/dockervolumes/#adding-a-data-volume). This is the default and is easy and fairly transparent to the user. The downside is that the files may be hard to locate for tools and applications that run directly on the host system, i.e. outside containers. -- Create a data directory on the host system (outside the container) and [mount this to a directory visible from inside the container]((https://docs.docker.com/engine/tutorials/dockervolumes/#mount-a-host-directory-as-a-data-volume)). This places the SFTPGo files in a known location on the host system, and makes it easy for tools and applications on the host system to access the files. The downside is that the user needs to make sure that the directory exists, and that e.g. directory permissions and other security mechanisms on the host system are set up correctly. The SFTPGo images run using `1000` as uid and gid. +- Create a data directory on the host system (outside the container) and [mount this to a directory visible from inside the container]((https://docs.docker.com/engine/tutorials/dockervolumes/#mount-a-host-directory-as-a-data-volume)). This places the SFTPGo files in a known location on the host system, and makes it easy for tools and applications on the host system to access the files. The downside is that the user needs to make sure that the directory exists, and that e.g. directory permissions and other security mechanisms on the host system are set up correctly. The SFTPGo image runs using `1000` as UID/GID by default. 
The Docker documentation is a good starting point for understanding the different storage options and variations, and there are multiple blogs and forum postings that discuss and give advice in this area. We will simply show the basic procedure here for the latter option above: @@ -75,6 +75,29 @@ Please take a look [here](../docs/full-configuration.md#environment-variables) t Alternately you can mount your custom configuration file to `/var/lib/sftpgo` or `/var/lib/sftpgo/.config/sftpgo`. +### Running as an arbitrary user + +The SFTPGo image runs using `1000` as UID/GID by default. If you know the permissions of your data and/or configuration directory are already set appropriately or you have need of running SFTPGo with a specific UID/GID, it is possible to invoke this image with `--user` set to any value (other than `root/0`) in order to achieve the desired access/configuration: + +```shell +$ ls -lnd data +drwxr-xr-x 2 1100 11000 6 6 nov 09.09 data +$ ls -lnd config +drwxr-xr-x 2 1100 11000 6 6 nov 09.19 config +``` + +With the above directory permissions, you can start a SFTPGo instance like this: + +```shell +docker run --name some-sftpgo \ + --user 1100:1100 \ + -p 127.0.0.1:8080:8080 \ + -p 2022:2022 \ + --mount type=bind,source="${PWD}/data",target=/srv/sftpgo \ + --mount type=bind,source="${PWD}/config",target=/var/lib/sftpgo \ + -d "drakkan/sftpgo:tag" +``` + ## Image Variants The `sftpgo` images comes in many flavors, each designed for a specific use case. The `edge` and `edge-alpine`tags are updated after each new commit.