From b8bef0328bae8b56914f378e57e423a6340668f5 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Tue, 28 Oct 2025 14:58:10 -0700
Subject: [PATCH] docker containers: add non-root user (#7399)

* add non-root user
* using -g more clearly expresses the intent of setting the primary group for the new user
* no cache
* read only
* specific perm
---
 docker/Dockerfile.go_build | 14 +++++++++++---
 docker/Dockerfile.local | 15 +++++++++++----
 docker/Dockerfile.rocksdb_large | 14 +++++++++++---
 docker/Dockerfile.rocksdb_large_local | 14 +++++++++++---
 4 files changed, 44 insertions(+), 13 deletions(-)

diff --git a/docker/Dockerfile.go_build b/docker/Dockerfile.go_build
index a52e74143..9f88f54b4 100644
--- a/docker/Dockerfile.go_build
+++ b/docker/Dockerfile.go_build
@@ -15,7 +15,11 @@ COPY --from=builder /go/bin/weed /usr/bin/
 RUN mkdir -p /etc/seaweedfs
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer.toml /etc/seaweedfs/filer.toml
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
-RUN apk add fuse # for weed mount
+
+# Install dependencies and create non-root user
+RUN apk add --no-cache fuse && \
+ addgroup -g 1000 seaweed && \
+ adduser -D -u 1000 -g seaweed seaweed
 
 # volume server gprc port
 EXPOSE 18080
@@ -34,11 +38,15 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333
 
-RUN mkdir -p /data/filerldb2
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filerldb2 && \
+ chown -R seaweed:seaweed /data && \
+ chmod 755 /entrypoint.sh
 
 VOLUME /data
 WORKDIR /data
 
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
 
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docker/Dockerfile.local b/docker/Dockerfile.local
index 269a993b4..3af4a851d 100644
--- a/docker/Dockerfile.local
+++ b/docker/Dockerfile.local
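Review bot: In `adduser -D -u 1000 -g seaweed seaweed`, the `-g` option of BusyBox adduser (which the `apk add` on the same RUN line implies) sets the GECOS comment field, not the primary group; the group option is `-G`, so the user is not placed in the `seaweed` group that `addgroup -g 1000 seaweed` just created and adduser instead tries to create a group of its own, which may collide with the existing name or GID 1000 — I cannot verify the build outcome from the patch alone, so check `id seaweed` in the built image. The intended line is `adduser -D -u 1000 -G seaweed seaweed`. The same line appears in Dockerfile.local, Dockerfile.rocksdb_large and Dockerfile.rocksdb_large_local, and the commit message's claim that `-g` "sets the primary group" should be corrected with it. The removed `# for weed mount` (and `# for health checks` for curl in Dockerfile.local) comments explained why those packages are present; keep that reasoning in the new header, e.g. `# Install dependencies (fuse: for weed mount) and create non-root user`.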
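Review bot: `chown -R seaweed:seaweed /data` only fixes ownership inside the image layer; where operators bind-mount a host directory at `/data`, or reuse an existing volume with root-owned content, the mounted path keeps its own ownership and the now-unprivileged process may be unable to create `/data/filerldb2` at start-up. That is a behaviour change for existing deployments which the commit does not document; a comment beside `VOLUME /data` such as `# /data must be writable by uid/gid 1000 when mounted from the host` plus a release-note line would make it explicit. Since `fuse` is installed for `weed mount`, it is also worth noting in the docs that mounting inside the container as `USER seaweed` may additionally require device access and capabilities granted at run time, which this Dockerfile cannot provide. The same applies to the corresponding hunks in Dockerfile.local, Dockerfile.rocksdb_large and Dockerfile.rocksdb_large_local.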
@@ -6,8 +6,11 @@ COPY ./weed_sub* /usr/bin/ RUN mkdir -p /etc/seaweedfs COPY ./filer.toml /etc/seaweedfs/filer.toml COPY ./entrypoint.sh /entrypoint.sh -RUN apk add fuse # for weed mount -RUN apk add curl # for health checks + +# Install dependencies and create non-root user +RUN apk add --no-cache fuse curl && \ + addgroup -g 1000 seaweed && \ + adduser -D -u 1000 -g seaweed seaweed # volume server grpc port EXPOSE 18080 @@ -26,11 +29,15 @@ EXPOSE 8333 # webdav server http port EXPOSE 7333 -RUN mkdir -p /data/filerldb2 +# Create data directory and set proper ownership for seaweed user +RUN mkdir -p /data/filerldb2 && \ + chown -R seaweed:seaweed /data && \ + chmod 755 /entrypoint.sh VOLUME /data WORKDIR /data -RUN chmod +x /entrypoint.sh +# Switch to non-root user +USER seaweed ENTRYPOINT ["/entrypoint.sh"] diff --git a/docker/Dockerfile.rocksdb_large b/docker/Dockerfile.rocksdb_large index 2c3516fb0..e0cccd99f 100644 --- a/docker/Dockerfile.rocksdb_large +++ b/docker/Dockerfile.rocksdb_large @@ -32,7 +32,11 @@ COPY --from=builder /go/bin/weed /usr/bin/ RUN mkdir -p /etc/seaweedfs COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.toml /etc/seaweedfs/filer.toml COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh -RUN apk add fuse snappy gflags + +# Install dependencies and create non-root user +RUN apk add --no-cache fuse snappy gflags && \ + addgroup -g 1000 seaweed && \ + adduser -D -u 1000 -g seaweed seaweed # volume server gprc port EXPOSE 18080 @@ -51,12 +55,16 @@ EXPOSE 8333 # webdav server http port EXPOSE 7333 -RUN mkdir -p /data/filer_rocksdb +# Create data directory and set proper ownership for seaweed user +RUN mkdir -p /data/filer_rocksdb && \ + chown -R seaweed:seaweed /data && \ + chmod 755 /entrypoint.sh VOLUME /data WORKDIR /data -RUN chmod +x /entrypoint.sh +# Switch to non-root user +USER seaweed ENTRYPOINT ["/entrypoint.sh"] 
diff --git a/docker/Dockerfile.rocksdb_large_local b/docker/Dockerfile.rocksdb_large_local index b3b08dd0c..87aa15ef8 100644 --- a/docker/Dockerfile.rocksdb_large_local +++ b/docker/Dockerfile.rocksdb_large_local @@ -15,7 +15,11 @@ COPY --from=builder /go/bin/weed /usr/bin/ RUN mkdir -p /etc/seaweedfs COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.toml /etc/seaweedfs/filer.toml COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh -RUN apk add fuse snappy gflags tmux + +# Install dependencies and create non-root user +RUN apk add --no-cache fuse snappy gflags tmux && \ + addgroup -g 1000 seaweed && \ + adduser -D -u 1000 -g seaweed seaweed # volume server gprc port EXPOSE 18080 @@ -34,12 +38,16 @@ EXPOSE 8333 # webdav server http port EXPOSE 7333 -RUN mkdir -p /data/filer_rocksdb +# Create data directory and set proper ownership for seaweed user +RUN mkdir -p /data/filer_rocksdb && \ + chown -R seaweed:seaweed /data && \ + chmod 755 /entrypoint.sh VOLUME /data WORKDIR /data -RUN chmod +x /entrypoint.sh +# Switch to non-root user +USER seaweed ENTRYPOINT ["/entrypoint.sh"]