From 29e74d1bdc7f1eed27dab82466087f6eb109e78b Mon Sep 17 00:00:00 2001
From: Debdut Chakraborty
Date: Wed, 11 Dec 2024 15:29:23 +0530
Subject: [PATCH] use non-root nobody user for monolith docker image

---
 apps/meteor/.docker/Dockerfile.alpine | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/apps/meteor/.docker/Dockerfile.alpine b/apps/meteor/.docker/Dockerfile.alpine
index 0f1e170f9570..bd295686b1fa 100644
--- a/apps/meteor/.docker/Dockerfile.alpine
+++ b/apps/meteor/.docker/Dockerfile.alpine
@@ -4,9 +4,18 @@ LABEL maintainer="buildmaster@rocket.chat"
 
 ENV LANG=C.UTF-8
 
-RUN apk add --no-cache deno ttf-dejavu
-
-ADD . /app
+# `nobody` user/group is historically reserved for NFS.
+# We don't use any NFS related tools in this image.
+# For the same reason of NFS using the uid, we can also use it as long as there are no conflicts in terms of running processes with the same euid (which is 1 in our case).
+# While 65534 raw uid/gid could be used, renaming nobody to rocketchat here for maximum compatibility with older debian image.
+# More info on nobody - https://wiki.ubuntu.com/nobody
+RUN apk add --no-cache deno ttf-dejavu \
+ && apk add --no-cache --virtual .usermod shadow \
+ && usermod -l rocketchat nobody \
+ && groupmod -n rocketchat nobody \
+ && apk del .usermod
+
+ADD --chown=rocketchat:rocketchat . /app
 
 # needs a mongo instance - defaults to container linking with alias 'mongo'
 ENV DEPLOY_METHOD=docker \
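Review bot: `ADD --chown=rocketchat:rocketchat . /app` hands ownership of the entire application tree, including the server bundle that `node main.js` later executes, to the runtime account, so a compromised process could rewrite its own code and persist inside the container; the non-root switch is considerably stronger if the bundle stays root-owned (world-readable) and only the paths written at runtime — apparently `/app/uploads`, given the later `VOLUME` — are chowned. Unless the bundle genuinely has to be writable at runtime (not visible here), I'd keep `ADD . /app` without `--chown` and add `RUN mkdir -p /app/uploads && chown rocketchat:rocketchat /app/uploads` before the `VOLUME` line; and since the line is being touched anyway, `COPY` rather than `ADD` for a local directory (hadolint DL3020). The comment's "(which is 1 in our case)" reads as if the euid were 1, whereas `nobody` on Alpine is 65534 — I'd reword it to "we run a single process under this uid" or whatever was intended. The `RUN set -x` block between this hunk and the next is outside the hunk, so whether it also writes into `/app` as root after this chown (leaving mixed ownership) cannot be checked here.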
@@ -39,8 +48,8 @@ RUN set -x \
  && apk del .fetch-deps
 
 # TODO: remove hack once upstream builds are fixed
-COPY matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
-COPY matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@vector-im/matrix-bot-sdk/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
+COPY --chown=rocketchat:rocketchat matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
+COPY --chown=rocketchat:rocketchat matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@vector-im/matrix-bot-sdk/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
 
 VOLUME /app/uploads
 
@@ -48,4 +57,6 @@ WORKDIR /app/bundle
 
 EXPOSE 3000
 
+USER rocketchat
+
 CMD ["node", "main.js"]
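Review bot: `USER rocketchat` selects the account by name, which Kubernetes cannot verify against `runAsNonRoot: true` — the kubelet refuses to start a container whose image user is non-numeric unless `runAsUser` is also set in the pod spec. Because the build renames `nobody` rather than creating a fresh account, the uid/gid is fixed at 65534 and can be written out safely: `USER 65534:65534` preceded by a comment such as `# 65534 = nobody, renamed to rocketchat above` resolves to the same account and keeps the image usable under that policy. `EXPOSE 3000` is above 1024, so the unprivileged bind is fine as is.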