Merge pull request #662 from bjw-s/nonroot

feat: Run application as non-root (`node`) user
jorenn92 · Jan 7, 2024 · 006fba1 · 006fba1
2 parents bbf76eb + 0174feb
commit 006fba1
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 10 deletions.
diff --git a/.github/workflows/build_release.yml b/.github/workflows/build_release.yml
@@ -0,0 +1,54 @@
+name: "Build and push Docker image"
+
+on:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - 'main'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build_docker_image:
+    name: Build and push Docker image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/jorenn92/maintainerr
+
+      - name: Log in to GitHub Container registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/Dockerfile b/Dockerfile
@@ -10,7 +10,7 @@ COPY server/ /opt/server/
 COPY ui/ /opt/ui/
 COPY docs/ /opt/docs/
 COPY package.json /opt/package.json
-COPY yarn.lock /opt/yarn.lock 
+COPY yarn.lock /opt/yarn.lock
 COPY datasource-config.ts /opt/datasource-config.ts
 COPY ormconfig.json /opt/ormconfig.json
 COPY jsdoc.json /opt/jsdoc.json
@@ -60,9 +60,11 @@ COPY --from=BUILDER /opt ./
 COPY supervisord.conf /etc/supervisord.conf
 
 RUN apk add supervisor && \
-    rm -rf /tmp/* && \
-    mkdir /opt/data
+	  rm -rf /tmp/* && \
+    mkdir /opt/data && \
+    chown -R node:node /opt
 
-VOLUME [ "/opt/data" ]
+USER node
 
-ENTRYPOINT ["/opt/start.sh"]
+VOLUME [ "/opt/data" ]
+ENTRYPOINT ["/opt/start.sh"]
diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ Currently, <b>Maintainerr</b> supports rule parameters from these apps :
 
 # Installation
 
-Docker images for amd64, arm64 & armv7 are available under jorenn92/maintainerr. <br />
+Docker images for amd64 & arm64 are available under jorenn92/maintainerr. <br />
 Data is saved within the container under /opt/data, it is recommended to tie a persistent volume to this location in your docker command/compose file.
 
 For more information, visit the [installation guide](docs/2-getting-started/1-installation/Installation.md) or navigate to \<maintainerr_url\>:\<port\>/docs after starting your <b>Maintainerr</b> container.
@@ -76,6 +76,7 @@ services:
   maintainerr:
     image: jorenn92/maintainerr:latest
     container_name: maintainerr
+    user: 1000:1000
     volumes:
       - <persistent-local-volume>:/opt/data
     environment:

diff --git a/docs/2-getting-started/1-installation/Installation.md b/docs/2-getting-started/1-installation/Installation.md
@@ -1,6 +1,6 @@
 The easiest way to start Maintainerr is with Docker.
 
-images for amd64, arm64 & armv7 are available under jorenn92/maintainerr.
+images for amd64 & arm64 are available under jorenn92/maintainerr.
 Data is saved under /opt/data, a volume should be created to persist the configuration.
 
 # Run
@@ -35,7 +35,9 @@ You may alternatively use a third-party updating mechanism, such as Watchtower o
 
 # Compose
 
-Define the Maintainerr service in your docker-compose.yml as follows:
+Define the Maintainerr service in your docker-compose.yml as follows.
+
+> You have the option to define a User and Group ID for running the container. Maintainerr will operate using this specified UID:GID, and any files it generates within your data volume will also be associated with this designated user and group. If not explicitly specified, the default UID:GID is set to 1000:1000, representing the 'node' user inside the container.
 
 ```Yaml
 version: '3'
@@ -44,6 +46,7 @@ services:
   maintainerr:
     image: jorenn92/maintainerr:latest
     container_name: maintainerr
+    user: 1000:1000
     volumes:
       - ./data:/opt/data
     environment:

diff --git a/supervisord.conf b/supervisord.conf
@@ -1,6 +1,6 @@
 [supervisord]
 nodaemon=true
-user=root
+user=node
 
 [program:server]
 command=yarn start:server
@@ -21,4 +21,4 @@ redirect_stderr=true
 [program:docs]
 command=yarn docs-serve
 autorestart=true
-startretries=100
+startretries=100