add non-root user

1 month ago · f4071fe690
4 changed files with 40 additions and 8 deletions
--- a/docker/Dockerfile.go_build
+++ b/docker/Dockerfile.go_build
@ -17,6 +17,10 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer.toml /et
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
 RUN apk add fuse # for weed mount

+# Create non-root user and group
+RUN addgroup -g 1000 seaweed && \
+    adduser -D -u 1000 -G seaweed seaweed
+
 # volume server gprc port
 EXPOSE 18080
 # volume server http port
@ -34,11 +38,15 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333

-RUN mkdir -p /data/filerldb2
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filerldb2 && \
+    chown -R seaweed:seaweed /data /etc/seaweedfs && \
+    chmod +x /entrypoint.sh

 VOLUME /data
 WORKDIR /data

-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed

 ENTRYPOINT ["/entrypoint.sh"]
--- a/docker/Dockerfile.local
+++ b/docker/Dockerfile.local
@ -9,6 +9,10 @@ COPY ./entrypoint.sh /entrypoint.sh
 RUN apk add fuse # for weed mount
 RUN apk add curl # for health checks

+# Create non-root user and group
+RUN addgroup -g 1000 seaweed && \
+    adduser -D -u 1000 -G seaweed seaweed
+
 # volume server grpc port
 EXPOSE 18080
 # volume server http port
@ -26,11 +30,15 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333

-RUN mkdir -p /data/filerldb2
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filerldb2 && \
+    chown -R seaweed:seaweed /data /etc/seaweedfs && \
+    chmod +x /entrypoint.sh

 VOLUME /data
 WORKDIR /data

-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed

 ENTRYPOINT ["/entrypoint.sh"]
--- a/docker/Dockerfile.rocksdb_large
+++ b/docker/Dockerfile.rocksdb_large
@ -34,6 +34,10 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
 RUN apk add fuse snappy gflags

+# Create non-root user and group
+RUN addgroup -g 1000 seaweed && \
+    adduser -D -u 1000 -G seaweed seaweed
+
 # volume server gprc port
 EXPOSE 18080
 # volume server http port
@ -51,12 +55,16 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333

-RUN mkdir -p /data/filer_rocksdb
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filer_rocksdb && \
+    chown -R seaweed:seaweed /data /etc/seaweedfs && \
+    chmod +x /entrypoint.sh

 VOLUME /data

 WORKDIR /data

-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed

 ENTRYPOINT ["/entrypoint.sh"]
--- a/docker/Dockerfile.rocksdb_large_local
+++ b/docker/Dockerfile.rocksdb_large_local
@ -17,6 +17,10 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
 RUN apk add fuse snappy gflags tmux

+# Create non-root user and group
+RUN addgroup -g 1000 seaweed && \
+    adduser -D -u 1000 -G seaweed seaweed
+
 # volume server gprc port
 EXPOSE 18080
 # volume server http port
@ -34,12 +38,16 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333

-RUN mkdir -p /data/filer_rocksdb
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filer_rocksdb && \
+    chown -R seaweed:seaweed /data /etc/seaweedfs && \
+    chmod +x /entrypoint.sh

 VOLUME /data

 WORKDIR /data

-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed

 ENTRYPOINT ["/entrypoint.sh"]