Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] Non-Root user #9

Open
modem7 opened this issue Aug 13, 2024 · 2 comments
Open

[Feature Request] Non-Root user #9

modem7 opened this issue Aug 13, 2024 · 2 comments

Comments

@modem7
Copy link

modem7 commented Aug 13, 2024
edited
Loading

Given that this container doesn't do anything fancy with the underlying image, it should be relatively safe and quick to secure it by not running it as a root user.

E.g.:

FROM rust:1.79-alpine AS builder
ARG TARGETPLATFORM
RUN apk add --no-cache build-base                                               \
                       musl-dev                                                 \
                       libressl-dev

WORKDIR /app
ADD Cargo.toml Cargo.lock ./
RUN mkdir src                                                                && \
    echo "fn main() {}" > src/main.rs

RUN --mount=type=cache,target=/usr/local/cargo/registry,id=${TARGETPLATFORM}    \
    cargo build --release --locked

ADD . .
RUN touch src/main.rs
RUN --mount=type=cache,target=/usr/local/cargo/registry,id=${TARGETPLATFORM}    \
    cargo build --release --frozen

FROM alpine:latest
LABEL org.opencontainers.image.source='https://github.com/vladkens/ghstats'
COPY --from=builder /app/target/release/ghstats /app/ghstats

RUN addgroup -g 1000 -S ghstats                                              && \
    adduser -u 1000 -S ghstats -G ghstats                                    && \
    chown -R ghstats: /app

WORKDIR /app

ENV HOST=0.0.0.0
ENV PORT=8080

EXPOSE 8080

USER ghstats

CMD ["/app/ghstats"]

Note: The only downside so far is that this may break existing databases due to ownership - maybe something to investigate for future. It should be relatively easy to change permissions during the container startup however and assign a custom UID/GID value.

I've also added and optimised a caching layer to speed up build times, and fixed the LABEL to be properly implemented.

I don't want to put in a PR as of yet without further discussion on how you wish to move forwards and what you want in the PR('s).
@vladkens
Copy link
Owner

Hi. I missed with the initial configuration, now I need to think how I can move the database file.

About mount=type=cache - that's fine for localhost, but I'm not sure how to split that build cache between CI runs.

@modem7
Copy link
Author

modem7 commented Aug 16, 2024
edited
Loading

Regarding the database file, homepage seems to do a suitable workaround:

https://github.com/gethomepage/homepage/blob/main/docker-entrypoint.sh#L18

Not the most secure way (a lot of people dislike an image changing ownership once it's been built), but it's certainly better than nothing in this case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vladkens @modem7