From f4071fe690e95af53d6b1cc37edae67279b2065c Mon Sep 17 00:00:00 2001
From: chrislu
Date: Tue, 28 Oct 2025 13:48:02 -0700
Subject: [PATCH] add non-root user
---
 docker/Dockerfile.go_build | 12 ++++++++++--
 docker/Dockerfile.local | 12 ++++++++++--
 docker/Dockerfile.rocksdb_large | 12 ++++++++++--
 docker/Dockerfile.rocksdb_large_local | 12 ++++++++++--
 4 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/docker/Dockerfile.go_build b/docker/Dockerfile.go_build
index a52e74143..68056bd5f 100644
--- a/docker/Dockerfile.go_build
+++ b/docker/Dockerfile.go_build
@@ -17,6 +17,10 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer.toml /et
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
 RUN apk add fuse # for weed mount
+# Create non-root user and group
+RUN addgroup -g 1000 seaweed && \
+ adduser -D -u 1000 -G seaweed seaweed
+
 # volume server gprc port
 EXPOSE 18080
 # volume server http port
@@ -34,11 +38,15 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333
-RUN mkdir -p /data/filerldb2
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filerldb2 && \
+ chown -R seaweed:seaweed /data /etc/seaweedfs && \
+ chmod +x /entrypoint.sh
 VOLUME /data
 WORKDIR /data
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docker/Dockerfile.local b/docker/Dockerfile.local
index 269a993b4..6a24f0fa1 100644
--- a/docker/Dockerfile.local
+++ b/docker/Dockerfile.local
@@ -9,6 +9,10 @@ COPY ./entrypoint.sh /entrypoint.sh
 RUN apk add fuse # for weed mount
 RUN apk add curl # for health checks
+# Create non-root user and group
+RUN addgroup -g 1000 seaweed && \
+ adduser -D -u 1000 -G seaweed seaweed
+
 # volume server grpc port
 EXPOSE 18080
 # volume server http port
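Review bot: `USER seaweed` switches by name, which Kubernetes `runAsNonRoot` cannot verify at pod admission (the kubelet needs a numeric UID in the image config and rejects the container with "non-numeric user"), so since the IDs are already fixed by the `addgroup -g 1000` / `adduser -u 1000` lines, prefer `USER 1000:1000`. In the same hunk, `chown -R seaweed:seaweed /data /etc/seaweedfs` makes the runtime user the owner of its own configuration (the filer.toml copied under `/et…` in the hunk header context), so a compromised process can rewrite it; unless entrypoint.sh, which is not shown here, writes under /etc/seaweedfs, keep that directory root-owned and grant read access instead, e.g. `chmod -R a+rX /etc/seaweedfs`. Leaving `/entrypoint.sh` root-owned with only `chmod +x` is the right shape and should be kept that way.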
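Review bot: `adduser -D -u 1000 -G seaweed seaweed` uses the BusyBox defaults, so the account gets a `/home/seaweed` directory and an interactive `/bin/sh` login shell that a service account does not need; prefer `adduser -D -H -u 1000 -G seaweed -s /sbin/nologin seaweed` (confirm `/sbin/nologin` exists in this base image, otherwise use `/bin/false`), and if the weed process relies on a writable HOME, set one deliberately with `-h`. The identical line is repeated in the other three Dockerfiles in this patch, so whichever form is chosen should be applied to all four to keep the images consistent.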
@@ -26,11 +30,15 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333
-RUN mkdir -p /data/filerldb2
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filerldb2 && \
+ chown -R seaweed:seaweed /data /etc/seaweedfs && \
+ chmod +x /entrypoint.sh
 VOLUME /data
 WORKDIR /data
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docker/Dockerfile.rocksdb_large b/docker/Dockerfile.rocksdb_large
index 2c3516fb0..9fc969494 100644
--- a/docker/Dockerfile.rocksdb_large
+++ b/docker/Dockerfile.rocksdb_large
@@ -34,6 +34,10 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
 RUN apk add fuse snappy gflags
+# Create non-root user and group
+RUN addgroup -g 1000 seaweed && \
+ adduser -D -u 1000 -G seaweed seaweed
+
 # volume server gprc port
 EXPOSE 18080
 # volume server http port
@@ -51,12 +55,16 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333
-RUN mkdir -p /data/filer_rocksdb
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filer_rocksdb && \
+ chown -R seaweed:seaweed /data /etc/seaweedfs && \
+ chmod +x /entrypoint.sh
 VOLUME /data
 WORKDIR /data
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docker/Dockerfile.rocksdb_large_local b/docker/Dockerfile.rocksdb_large_local
index b3b08dd0c..5e3d5888f 100644
--- a/docker/Dockerfile.rocksdb_large_local
+++ b/docker/Dockerfile.rocksdb_large_local
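Review bot: `chown -R seaweed:seaweed /data` only fixes ownership inside the image layer, and now that `USER seaweed` applies to the whole runtime, a host directory bind-mounted over `/data` that is owned by root or any UID other than 1000 leaves the volume server and the `/data/filer_rocksdb` store unable to create files, so the container fails at startup where the previous root-running image silently worked. Docker named volumes copy the image's ownership on first use and are fine; bind mounts and volumes populated by an older image are the cases that break. Either document the requirement above the `VOLUME /data` line, e.g. `# /data must be writable by uid/gid 1000 when bind-mounted or reused from an older image`, or have entrypoint.sh (not shown here) check writability and exit with a clear message. Hard-coding 1000 also coincides with the first regular user on most Linux hosts, which can be convenient for bind mounts but should be a deliberate choice; a high UID such as 10001 avoids accidental overlap if that is not intended.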
@@ -17,6 +17,10 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
 RUN apk add fuse snappy gflags tmux
+# Create non-root user and group
+RUN addgroup -g 1000 seaweed && \
+ adduser -D -u 1000 -G seaweed seaweed
+
 # volume server gprc port
 EXPOSE 18080
 # volume server http port
@@ -34,12 +38,16 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333
-RUN mkdir -p /data/filer_rocksdb
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filer_rocksdb && \
+ chown -R seaweed:seaweed /data /etc/seaweedfs && \
+ chmod +x /entrypoint.sh
 VOLUME /data
 WORKDIR /data
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
 ENTRYPOINT ["/entrypoint.sh"]
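Review bot: the `RUN apk add fuse snappy gflags tmux` context line shows FUSE is installed for `weed mount`, but once the new `addgroup`/`adduser` account becomes the runtime user, a mount from inside the container runs unprivileged and needs `/dev/fuse` and `CAP_SYS_ADMIN` granted at `docker run` time plus a setuid `fusermount` helper; whether Alpine's `fuse` package ships fusermount setuid should be verified rather than assumed, since otherwise `weed mount` will fail in this image after this change. If mount is a supported mode for this image, add a comment next to the user-creation step, e.g. `# weed mount as non-root needs --device /dev/fuse --cap-add SYS_ADMIN and a setuid fusermount`, so operators know why the container no longer mounts by default; if it is not, the package can be dropped from this image. The `tmux` package in the same line is a debugging convenience that only belongs in this `_local` variant, which is presumably the intent, but worth stating in the comment as well.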