authorWonderfall <wonderfall@targaryen.house>2017-05-20 15:12:29 +0200
committerEugen Rochko <eugen@zeonfederated.com>2017-05-20 15:12:29 +0200
commitd972845ff663605becec1dde904271897fe2e347 (patch)
treeefa009a5451fd7f4c7c0f0498999484a7b05879e
parent2c405aed553067bfba2daf1b235a27f7ba52c956 (diff)
Fix #2680 - Run processes in Docker as non-root user (#3159)
-rw-r--r--Dockerfile12
-rw-r--r--docker_entrypoint.sh4
2 files changed, 14 insertions, 2 deletions
diff --git a/Dockerfile b/Dockerfile
index e2926725a..3248dd9d1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,8 +3,8 @@ FROM ruby:2.4.1-alpine
 LABEL maintainer="https://github.com/tootsuite/mastodon" \
       description="A GNU Social-compatible microblogging server"
 
-ENV RAILS_ENV=production \
-    NODE_ENV=production
+ENV UID=991 GID=991 \
+    RAILS_ENV=production NODE_ENV=production
 
 EXPOSE 3000 4000
 
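Review bot: `UID` at line 25 is a name some shells treat specially: bash, for instance, initialises `UID` to the real user id at startup and marks it read-only, so an inherited `UID=991` would be ignored and a bash entrypoint would see 0 while still running as root. The new docker_entrypoint.sh uses `#!/bin/sh`, which on this alpine base is busybox ash and does not appear to do that, so it works today but is fragile if the shebang ever changes. A name that is not shell-special, e.g. `ENV MASTODON_UID=991 MASTODON_GID=991`, avoids the trap; using `ENV` rather than `ARG` is correct here because the entrypoint reads the values at container start, though it also means both variables are visible to the application process.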
@@ -31,6 +31,8 @@ RUN echo "@edge https://nl.alpinelinux.org/alpine/edge/main" >> /etc/apk/reposit
     imagemagick@edge \
     ca-certificates \
     protobuf \
+    tini \
+    su-exec \
  && npm install -g npm@3 && npm install -g yarn \
  && update-ca-certificates \
  && rm -rf /tmp/* /var/cache/apk/*
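Review bot: `tini` and `su-exec` at lines 34-35 are added without a version pin, so the helper that performs the root-to-unprivileged transition can change silently between rebuilds of the same Dockerfile. The other packages in this `apk add` are unpinned too (its opening line is outside the hunk), so this matches the file's style, but these two now sit on the privilege boundary and are worth pinning as `tini=<version> \` and `su-exec=<version> \` (hadolint DL3018), with the version taken from the alpine repository the image is built against.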
@@ -42,4 +44,10 @@ RUN bundle install --deployment --without test development \
 
 COPY . /mastodon
 
+COPY docker_entrypoint.sh /usr/local/bin/run
+
+RUN chmod +x /usr/local/bin/run
+
 VOLUME /mastodon/public/system /mastodon/public/assets /mastodon/public/packs
+
+ENTRYPOINT ["/usr/local/bin/run"]
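Review bot: The image still has no `USER` instruction, so every container starts as root and the drop to `mastodon` happens only inside `/usr/local/bin/run`; `docker run --entrypoint …` or `docker exec` into the container get root, and an orchestrator policy such as Kubernetes `runAsNonRoot` will reject the image outright. That trade-off is inherent to creating the user and chowning the tree at start-up, so it deserves a comment above the `ENTRYPOINT`, e.g. `# Container starts as root: run creates the mastodon user from $UID/$GID, fixes ownership, then drops privileges via su-exec`. Separately, the `RUN chmod +x` at line 45 adds a layer only to set a mode bit; committing docker_entrypoint.sh as mode 100755 (it is added as 100644 at line 51) would let `COPY` preserve it and drop that step.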
diff --git a/docker_entrypoint.sh b/docker_entrypoint.sh
new file mode 100644
index 000000000..e53261340
--- /dev/null
+++ b/docker_entrypoint.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+addgroup -g ${GID} mastodon && adduser -h /mastodon -s /bin/sh -D -G mastodon -u ${UID} mastodon
+find /mastodon -path /mastodon/public/system -prune -o -not -user mastodon -not -group mastodon -print0 | xargs -0 chown -f mastodon:mastodon
+su-exec mastodon:mastodon /sbin/tini -- "$@"
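Review bot: The last line does not `exec`, so `/bin/sh` stays PID 1 and tini runs as its child: the SIGTERM from `docker stop` is delivered to the shell, which does not forward it, and tini is not the init it was added to be. It should read `exec su-exec mastodon:mastodon /sbin/tini -- "$@"`. Two smaller points: the `find` predicate `-not -user mastodon -not -group mastodon` only matches files that are wrong on both counts, so a file owned by `mastodon:root` is left alone, whereas `\( -not -user mastodon -o -not -group mastodon \)` matches either. And `addgroup`/`adduser` are unguarded, so on a `docker start` of a previously stopped container (where the user appears to already exist in /etc/passwd) the first command fails and the script carries on silently since there is no `set -e`; `getent group mastodon >/dev/null || addgroup …` makes the idempotence explicit.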