Add support for running Docker container as non-root user using docker-entrypoint.sh (#1892)

* Enabling the usage of non root user in Docker * Added docker-entrypoint.sh to .goreleaser.yml * Renamed UID to PUID and GID to PGID
2024-09-19 23:06:32 +08:00 · 2024-07-21 06:33:15 +01:00 · 2024-07-21 06:33:15 +01:00 · 821b43d74f
parent 888e33e5e3
commit 821b43d74f
3 changed files with 73 additions and 2 deletions
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -63,6 +63,7 @@ dockers:
    extra_files:
      - config.toml.sample
      - config-demo.toml
+      - docker-entrypoint.sh
  - use: buildx
    goos: linux
    goarch: arm64
@ -87,6 +88,7 @@ dockers:
    extra_files:
      - config.toml.sample
      - config-demo.toml
+      - docker-entrypoint.sh
  - use: buildx
    goos: linux
    goarch: arm
@ -112,6 +114,7 @@ dockers:
    extra_files:
      - config.toml.sample
      - config-demo.toml
+      - docker-entrypoint.sh
  - use: buildx
    goos: linux
    goarch: arm
@ -137,6 +140,7 @@ dockers:
    extra_files:
      - config.toml.sample
      - config-demo.toml
+      - docker-entrypoint.sh

 docker_manifests:
  - name_template: "{{ .Env.DOCKER_ORG }}/{{ .ProjectName }}:latest"
--- a/23
+++ b/23
@ -1,8 +1,27 @@
 FROM --platform=$BUILDPLATFORM alpine:latest
-RUN apk --no-cache add ca-certificates tzdata
+
+# Install dependencies
+RUN apk --no-cache add ca-certificates tzdata shadow su-exec
+
+# Set the working directory
 WORKDIR /listmonk
+
+# Copy only the necessary files
 COPY listmonk .
 COPY config.toml.sample config.toml
 COPY config-demo.toml .
-CMD ["./listmonk"]
+
+# Copy the entrypoint script
+COPY docker-entrypoint.sh /usr/local/bin/
+
+# Make the entrypoint script executable
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+# Expose the application port
 EXPOSE 9000
+
+# Set the entrypoint
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# Define the command to run the application
+CMD ["./listmonk"]
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+export PUID=${PUID:-0}
+export PGID=${PGID:-0}
+export GROUP_NAME="app"
+export USER_NAME="app"
+
+# This function evaluates if the supplied PGID is already in use
+# if it is not in use, it creates the group with the PGID
+# if it is in use, it sets the GROUP_NAME to the existing group
+create_group() {
+  if ! getent group ${PGID} > /dev/null 2>&1; then
+    addgroup -g ${PGID} ${GROUP_NAME}
+  else
+    existing_group=$(getent group ${PGID} | cut -d: -f1)
+    export GROUP_NAME=${existing_group}
+  fi
+}
+
+# This function evaluates if the supplied PUID is already in use
+# if it is not in use, it creates the user with the PUID and PGID
+create_user() {
+  if ! getent passwd ${PUID} > /dev/null 2>&1; then
+    adduser -u ${PUID} -G ${GROUP_NAME} -s /bin/sh -D ${USER_NAME}
+  else
+    existing_user=$(getent passwd ${PUID} | cut -d: -f1)
+    export USER_NAME=${existing_user}
+  fi
+}
+
+# Run the needed functions to create the user and group
+create_group
+create_user
+
+# Set the ownership of the app directory to the app user
+chown -R ${PUID}:${PGID} /listmonk
+
+echo "Launching listmonk with user=[${USER_NAME}] group=[${GROUP_NAME}] PUID=[${PUID}] PGID=[${PGID}]"
+
+# If running as root and PUID is not 0, then execute command as PUID
+# this allows us to run the container as a non-root user
+if [ "$(id -u)" = "0" ] && [ "${PUID}" != "0" ]; then
+  su-exec ${PUID}:${PGID} "$@"
+else
+  exec "$@"
+fi