non-root users for Dockerfiles (actualbudget#300)

* Optional non-root users for Dockerfiles
MMichotte · Sep 9, 2024 · c26f5d5 · c26f5d5
1 parent 2efa0f5
commit c26f5d5
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -7,6 +7,14 @@ RUN yarn workspaces focus --all --production
 
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+ARG USERNAME=actual
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN groupadd --gid $USER_GID $USERNAME \
+    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
 COPY --from=base /app/node_modules /app/node_modules
 ADD package.json app.js ./

diff --git a/docker/edge-alpine.Dockerfile b/docker/edge-alpine.Dockerfile
@@ -17,6 +17,13 @@ RUN unzip /tmp/desktop-client.zip -d /public
 
 FROM alpine:3.17 as prod
 RUN apk add --no-cache nodejs tini
+
+ARG USERNAME=actual
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNAME} -u ${USER_UID}
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
 COPY --from=base /app/node_modules /app/node_modules
 COPY --from=base /public /public

diff --git a/docker/edge-ubuntu.Dockerfile b/docker/edge-ubuntu.Dockerfile
@@ -16,6 +16,14 @@ RUN unzip /tmp/desktop-client.zip -d /public
 
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+ARG USERNAME=actual
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN groupadd --gid $USER_GID $USERNAME \
+    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
 COPY --from=base /app/node_modules /app/node_modules
 COPY --from=base /public /public

diff --git a/docker/stable-alpine.Dockerfile b/docker/stable-alpine.Dockerfile
@@ -9,6 +9,13 @@ RUN if [ "$(uname -m)" = "armv7l" ]; then npm install bcrypt better-sqlite3 --bu
 
 FROM alpine:3.17 as prod
 RUN apk add --no-cache nodejs tini
+
+ARG USERNAME=actual
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNAME} -u ${USER_UID}
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
 COPY --from=base /app/node_modules /app/node_modules
 ADD package.json app.js ./

diff --git a/docker/stable-ubuntu.Dockerfile b/docker/stable-ubuntu.Dockerfile
@@ -8,6 +8,14 @@ RUN yarn workspaces focus --all --production
 
 FROM node:18-bullseye-slim as prod
 RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+ARG USERNAME=actual
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN groupadd --gid $USER_GID $USERNAME \
+    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
 WORKDIR /app
 COPY --from=base /app/node_modules /app/node_modules
 ADD package.json app.js ./

diff --git a/upcoming-release-notes/300.md b/upcoming-release-notes/300.md
@@ -0,0 +1,6 @@
+---
+category: Maintenance
+authors: [hkiang01]
+---
+
+Optional non-root user for Docker