author | Wonderfall <wonderfall@targaryen.house> | 2017-05-20 15:12:29 +0200 |
---|---|---|
committer | Eugen Rochko <eugen@zeonfederated.com> | 2017-05-20 15:12:29 +0200 |
commit | d972845ff663605becec1dde904271897fe2e347 (patch) | |
tree | efa009a5451fd7f4c7c0f0498999484a7b05879e | |
parent | 2c405aed553067bfba2daf1b235a27f7ba52c956 (diff) |
Fix #2680 - Run processes in Docker as non-root user (#3159)
-rw-r--r-- | Dockerfile | 12 | ||||
-rw-r--r-- | docker_entrypoint.sh | 4 |
2 files changed, 14 insertions, 2 deletions
diff --git a/Dockerfile b/Dockerfile
index e2926725a..3248dd9d1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,8 +3,8 @@ FROM ruby:2.4.1-alpine
 LABEL maintainer="https://github.com/tootsuite/mastodon" \
       description="A GNU Social-compatible microblogging server"
 
-ENV RAILS_ENV=production \
-    NODE_ENV=production
+ENV UID=991 GID=991 \
+    RAILS_ENV=production NODE_ENV=production
 
 EXPOSE 3000 4000
 
@@ -31,6 +31,8 @@ RUN echo "@edge https://nl.alpinelinux.org/alpine/edge/main" >> /etc/apk/reposit
     imagemagick@edge \
     ca-certificates \
     protobuf \
+    tini \
+    su-exec \
  && npm install -g npm@3 && npm install -g yarn \
  && update-ca-certificates \
  && rm -rf /tmp/* /var/cache/apk/*
@@ -42,4 +44,10 @@ RUN bundle install --deployment --without test development \
 
 COPY . /mastodon
 
+COPY docker_entrypoint.sh /usr/local/bin/run
+
+RUN chmod +x /usr/local/bin/run
+
 VOLUME /mastodon/public/system /mastodon/public/assets /mastodon/public/packs
+
+ENTRYPOINT ["/usr/local/bin/run"]
diff --git a/docker_entrypoint.sh b/docker_entrypoint.sh
new file mode 100644
index 000000000..e53261340
--- /dev/null
+++ b/docker_entrypoint.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+addgroup -g ${GID} mastodon && adduser -h /mastodon -s /bin/sh -D -G mastodon -u ${UID} mastodon
+find /mastodon -path /mastodon/public/system -prune -o -not -user mastodon -not -group mastodon -print0 | xargs -0 chown -f mastodon:mastodon
+su-exec mastodon:mastodon /sbin/tini -- "$@"
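Review bot: `ENV UID=991 GID=991` in the first Dockerfile hunk picks a name that collides with bash's read-only `UID` shell variable; the entrypoint is `#!/bin/sh` (busybox ash on this Alpine base) so the expansion works there, but a bash process started in this container will presumably see its own real uid rather than this value. A namespaced pair such as `ENV MASTODON_UID=991 MASTODON_GID=991` (with the entrypoint reading `${MASTODON_UID}`/`${MASTODON_GID}`) avoids the clash, at the cost of changing the names operators override with `-e`. Whichever names are kept, a comment on the ENV such as `# uid/gid the entrypoint creates the mastodon user with at container start; override to match host-side volume ownership` would document why these are runtime env rather than build args.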
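Review bot: The final image still carries no `USER` instruction, so `/usr/local/bin/run` starts as root; that is what the entrypoint's `adduser` and `chown` need, but nothing in the third hunk says so and the image reads as an unintentional root image. A comment above the `ENTRYPOINT`, e.g. `# run starts as root to create the mastodon user and fix volume ownership, then drops to mastodon via su-exec`, records the intent. Separately, `RUN chmod +x /usr/local/bin/run` in its own layer stores a second copy of the script; committing `docker_entrypoint.sh` with its executable bit set (or `COPY --chmod=755` where the build frontend supports it) lets that RUN be dropped.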
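Review bot: The `find` test `-not -user mastodon -not -group mastodon` is an implicit AND, so a file owned by root:mastodon or mastodon:root is skipped and never corrected; if the intent is to repair anything not fully owned by mastodon:mastodon, the test should read `\( -not -user mastodon -o -not -group mastodon \)`. The script also has no `set -e`, so when `addgroup`/`adduser` fail (for example a GID already taken after a `-e GID=` override) the chown and `su-exec` lines still run; `set -eu` on the line after the shebang turns that into an immediate, visible failure. Because `xargs -0 chown -f` runs without `-h`, a symlink found in the scanned tree (which includes the assets and packs volumes, since only `public/system` is pruned) is dereferenced and its target chowned; `chown -fh` limits the change to the link itself.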