
Docker: Allow selection of (unprivileged) UID/GID at build time (#418)

* Docker: use custom non-root UID/GID (build-arg)
jeanluc 3 years ago
parent
commit
bb0891cd7d
3 files changed with 47 additions and 2 deletions
  1. .github/workflows/build-docker-images.yml (+11 -0)
  2. Dockerfile (+16 -1)
  3. README.md (+20 -1)

+ 11 - 0
.github/workflows/build-docker-images.yml

@@ -34,9 +34,11 @@ jobs:
           fi
 
           TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"
+          TAGS_NOROOT="--tag ${DOCKER_IMAGE}:${VERSION}-noroot"
 
           if [ $VERSION = edge -o $VERSION = nightly ]; then
             TAGS="$TAGS --tag ${DOCKER_IMAGE}:latest"
+            TAGS_NOROOT="$TAGS_NOROOT --tag ${DOCKER_IMAGE}:latest-noroot"
           fi
 
           echo ::set-output name=docker_image::${DOCKER_IMAGE}
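Review bot: the `-noroot` suffix is hard-coded twice here and once more in the manifest-check step, while the matching `RUNAS=noroot` build-arg lives in the next hunk; define the suffix once (e.g. `NOROOT_SUFFIX=-noroot`) and derive both the `TAGS_NOROOT` values and the build-arg from it, so the tag name and the user name cannot drift apart when one of them is renamed.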
@@ -46,6 +48,12 @@ jobs:
             --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
             --build-arg VCS_REF=${GITHUB_SHA::8} \
             ${TAGS} .
+          echo ::set-output name=buildx_args_noroot::--platform ${DOCKER_PLATFORMS} \
+            --build-arg VERSION=${VERSION} \
+            --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
+            --build-arg VCS_REF=${GITHUB_SHA::8} \
+            --build-arg RUNAS=noroot \
+            ${TAGS_NOROOT} .
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v1
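Review bot: the full argument list is duplicated for `buildx_args_noroot`, and `--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')` is evaluated separately for each output, so the two images built from the same commit can carry different build-date labels. Compute `BUILD_DATE` once into a shell variable and keep the shared arguments in one string (e.g. `COMMON_ARGS="--platform ${DOCKER_PLATFORMS} --build-arg VERSION=${VERSION} --build-arg BUILD_DATE=${BUILD_DATE} --build-arg VCS_REF=${GITHUB_SHA::8}"`), then emit `${COMMON_ARGS} ${TAGS} .` and `${COMMON_ARGS} --build-arg RUNAS=noroot ${TAGS_NOROOT} .` as the two outputs.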
@@ -64,6 +72,7 @@ jobs:
         name: Docker Buildx (build)
         run: |
           docker buildx build --no-cache --pull --output "type=image,push=false" ${{ steps.prepare.outputs.buildx_args }}
+          docker buildx build --output "type=image,push=false" ${{ steps.prepare.outputs.buildx_args_noroot }}
       -
         name: Docker Login
         if: success() && github.event_name != 'pull_request'
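Review bot: the second `docker buildx build` drops `--no-cache --pull`, which looks intentional (the `build` stage is identical for both images up to the `go build` layer, because `ARG RUNAS` is only declared after it, so the noroot build can reuse what the first build just produced), but nothing in the workflow says so. Add a one-line comment above it; otherwise a future change may "fix" it by adding `--no-cache` and double the build time, or someone running only the noroot build will not realise it can pick up a stale base image.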
@@ -77,11 +86,13 @@ jobs:
         if: success() && github.event_name != 'pull_request'
         run: |
           docker buildx build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}
+          docker buildx build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args_noroot }}
       -
         name: Docker Check Manifest
         if: always() && github.event_name != 'pull_request'
         run: |
           docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
+          docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}-noroot
       -
         name: Clear
         if: always() && github.event_name != 'pull_request'
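Review bot: the new `mquery` line for the `-noroot` tag inherits the step's `if: always()` guard, so it runs even when the push step was skipped or failed and then fails for the wrong reason (tag not found). Gate the check on the outcome of the push step, or loop over both variants in the push and the check (`for suffix in "" -noroot; do ...; done`) so the two steps stay in sync when a third variant is added.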

+ 16 - 1
Dockerfile

@@ -14,12 +14,27 @@ ENV GO111MODULE=on
 # build & install server
 RUN CGO_ENABLED=0 go build -tags netgo -ldflags "-X github.com/dutchcoders/transfer.sh/cmd.Version=$(git describe --tags) -a -s -w -extldflags '-static'" -o /go/bin/transfersh
 
+ARG PUID=5000 \
+    PGID=5000 \
+    RUNAS
+
+RUN mkdir -p /tmp/useradd && \
+    if [ ! -z "$RUNAS" ]; then \
+    echo "${RUNAS}:x:${PUID}:${PGID}::/nonexistent:/sbin/nologin" >> /tmp/useradd/passwd && \
+    echo "${RUNAS}:!:::::::" >> /tmp/useradd/shadow && \
+    echo "${RUNAS}:x:${PGID}:" >> /tmp/useradd/group && \
+    echo "${RUNAS}:!::" >> /tmp/useradd/groupshadow; else touch /tmp/useradd/unused; fi
+
 FROM scratch AS final
 LABEL maintainer="Andrea Spacca <andrea.spacca@gmail.com>"
+ARG RUNAS
 
-COPY --from=build  /go/bin/transfersh /go/bin/transfersh
+COPY --from=build /tmp/useradd/* /etc/
+COPY --from=build --chown=${RUNAS}  /go/bin/transfersh /go/bin/transfersh
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
+USER ${RUNAS}
+
 ENTRYPOINT ["/go/bin/transfersh", "--listener", ":8080"]
 
 EXPOSE 8080
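Review bot: `COPY --from=build --chown=${RUNAS} /go/bin/transfersh /go/bin/transfersh` makes the binary owned by the very user that executes it, so a compromised process can overwrite its own executable; a root-owned 0755 file is still executable by `${RUNAS}`, so drop the `--chown` here and reserve it for directories the service actually has to write to. Second, `USER ${RUNAS}` sets a user name, which Kubernetes cannot verify against `runAsNonRoot: true` (the kubelet rejects a non-numeric image user unless `runAsUser` is set explicitly); either switch to the numeric form `USER ${PUID}:${PGID}` (which needs `ARG PUID PGID` redeclared in the `final` stage and a `0:0` default for the root build) or document in the README that Kubernetes deployments must set `runAsUser`. Third, the group shadow file is written as `groupshadow` and therefore lands at `/etc/groupshadow`, which nothing reads (the real file is `/etc/gshadow`); since no login ever happens in a scratch image, both shadow files can simply be dropped instead of renamed, which also avoids shipping shadow files created with the build stage's default umask. Minor: with `RUNAS` empty the `touch /tmp/useradd/unused` placeholder is copied to `/etc/unused` in the root image, and that path relies on the builder accepting `--chown=` and `USER` with an empty value, which the buildx job exercises but the Dockerfile does not explain; a short comment would spare the next reader the puzzle.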

+ 20 - 1
README.md

@@ -140,12 +140,31 @@ $ go build -o transfersh main.go
 
 ## Docker
 
-For easy deployment, we've created a Docker container.
+For easy deployment, we've created an official Docker container. There are two variants, differing only by which user runs the process.
+
+The default one will run as `root`:
 
 ```bash
 docker run --publish 8080:8080 dutchcoders/transfer.sh:latest --provider local --basedir /tmp/
 ```
 
+The one tagged with the suffix `-noroot` will use `5000` as both UID and GID:
+```bash
+docker run --publish 8080:8080 dutchcoders/transfer.sh:latest-noroot --provider local --basedir /tmp/
+```
+
+### Building the Container
+You can also build the container yourself. This allows you to choose which UID/GID will be used, e.g. when using NFS mounts:
+```bash
+# Build arguments:
+# * RUNAS: If empty, the container will run as root.
+#          Set this to anything to enable UID/GID selection.
+# * PUID:  UID of the process. Needs RUNAS != "". Defaults to 5000.
+# * PGID:  GID of the process. Needs RUNAS != "". Defaults to 5000.
+
+docker build -t transfer.sh-noroot --build-arg RUNAS=doesntmatter --build-arg PUID=1337 --build-arg PGID=1338 .
+```
+
 ## S3 Usage
 
 For the usage with a AWS S3 Bucket, you just need to specify the following options:
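Review bot: the `-noroot` example keeps `--basedir /tmp/`, but the final stage is `FROM scratch` and the Dockerfile creates no directory owned by `5000:5000`, so the unprivileged process only has somewhere to write if the operator mounts one; either confirm the command works as written or show the mount explicitly (e.g. `--volume /srv/transfer:/tmp` with that host directory chowned to `5000:5000`). Also, `RUNAS` is described as "Set this to anything", yet the value becomes the account name in `/etc/passwd` and the image's `USER`, so `doesntmatter` ends up as the visible user name; say that it is the user name and use an example like `transfersh`. Finally, the text says the two variants differ only by which user runs the process; it is worth adding that the UID/GID are fixed at build time and can still be overridden at run time with `docker run --user`, which matters for anyone who cannot rebuild the image.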