Fix #2680 - Run processes in Docker as non-root user (#3159)

This commit is contained in:
Wonderfall 2017-05-20 15:12:29 +02:00 committed by Eugen Rochko
parent 2c405aed55
commit d972845ff6
2 changed files with 14 additions and 2 deletions


@ -3,8 +3,8 @@ FROM ruby:2.4.1-alpine
LABEL maintainer="https://github.com/tootsuite/mastodon" \ LABEL maintainer="https://github.com/tootsuite/mastodon" \
description="A GNU Social-compatible microblogging server" description="A GNU Social-compatible microblogging server"
ENV RAILS_ENV=production \ ENV UID=991 GID=991 \
NODE_ENV=production RAILS_ENV=production NODE_ENV=production
EXPOSE 3000 4000 EXPOSE 3000 4000
@ -31,6 +31,8 @@ RUN echo "@edge https://nl.alpinelinux.org/alpine/edge/main" >> /etc/apk/reposit
imagemagick@edge \ imagemagick@edge \
ca-certificates \ ca-certificates \
protobuf \ protobuf \
tini \
su-exec \
&& npm install -g npm@3 && npm install -g yarn \ && npm install -g npm@3 && npm install -g yarn \
&& update-ca-certificates \ && update-ca-certificates \
&& rm -rf /tmp/* /var/cache/apk/* && rm -rf /tmp/* /var/cache/apk/*
@ -42,4 +44,10 @@ RUN bundle install --deployment --without test development \
COPY . /mastodon COPY . /mastodon
COPY docker_entrypoint.sh /usr/local/bin/run
RUN chmod +x /usr/local/bin/run
VOLUME /mastodon/public/system /mastodon/public/assets /mastodon/public/packs VOLUME /mastodon/public/system /mastodon/public/assets /mastodon/public/packs
ENTRYPOINT ["/usr/local/bin/run"]
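Review bot: The final stage never sets `USER`, so the image still starts as root and the only privilege drop happens inside `/usr/local/bin/run`; a `docker run --entrypoint` override or a `docker exec` session therefore runs as root, which deserves a comment next to `ENTRYPOINT`, e.g. `# starts as root on purpose: run creates the mastodon user, fixes ownership and drops privileges via su-exec`. The script needs root for adduser/chown, so the design is defensible, but the trade-off should be visible to whoever reviews the image later. Separately, `RUN chmod +x /usr/local/bin/run` adds a layer that only flips a mode bit; committing the executable bit on `docker_entrypoint.sh` in the repo lets `COPY` carry it and drops that layer. The `EXPOSE 3000 4000` ports are above 1024, so the unprivileged user can bind them without extra capabilities.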

4
docker_entrypoint.sh Normal file

@ -0,0 +1,4 @@
#!/bin/sh
addgroup -g ${GID} mastodon && adduser -h /mastodon -s /bin/sh -D -G mastodon -u ${UID} mastodon
find /mastodon -path /mastodon/public/system -prune -o -not -user mastodon -not -group mastodon -print0 | xargs -0 chown -f mastodon:mastodon
su-exec mastodon:mastodon /sbin/tini -- "$@"
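Review bot: The last line runs `su-exec` as a child of the shell instead of replacing it, so `/bin/sh` stays PID 1 and `tini` is not the init it was installed to be; `docker stop` will likely land on the shell and wait out the timeout rather than reaching the application. It should read `exec su-exec mastodon:mastodon /sbin/tini -- "$@"`. The `find` predicate on line 3 only matches files whose owner AND group both differ from mastodon (`-not -user … -not -group …`), so a file owned by `mastodon:root` is skipped; `\( -not -user mastodon -o -not -group mastodon \)` catches either mismatch. On a container restart the `addgroup`/`adduser` chain fails because the account already exists, and with no `set -e` that failure is silently ignored — fine as long as `UID`/`GID` were not changed between restarts, but a comment saying so would save the next reader a surprise.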