Run Docker container as unprivileged user

Previously, the container process ran with root privileges. This commit changes the default to an unprivileged user and makes it possible to specify PUID/PGID environment variables to choose UID/GID. Migration of existing data owned by root is handled transparently.
3 years ago · 12d26c6667
parent d297850539
commit 12d26c6667
2 changed files with 30 additions and 14 deletions
--- a/33
+++ b/33
@ -39,21 +39,24 @@ RUN pip install --target=/dependencies playwright~=1.41.2 \
 FROM python:${PYTHON_VERSION}-slim-bookworm
 LABEL org.opencontainers.image.source="https://github.com/dgtlmoon/changedetection.io"

-RUN apt-get update && apt-get install -y --no-install-recommends \
-    libxslt1.1 \
-    # For presenting price amounts correctly in the restock/price detection overview
-    locales \
-    # For pdftohtml
-    poppler-utils \
-    zlib1g \
-    && apt-get clean && rm -rf /var/lib/apt/lists/*
-
+RUN set -ex; \
+    apt-get update && apt-get install -y --no-install-recommends \
+        gosu \
+        libxslt1.1 \
+        # For presenting price amounts correctly in the restock/price detection overview
+        locales \
+        # For pdftohtml
+        poppler-utils \
+        zlib1g && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*; \
+    useradd -u 911 -U -d /datastore -s /bin/false abc && \
+    usermod -G users abc; \
+    mkdir -p /datastore

 # https://stackoverflow.com/questions/58701233/docker-logs-erroneously-appears-empty-until-container-stops
 ENV PYTHONUNBUFFERED=1

-RUN [ ! -d "/datastore" ] && mkdir /datastore
-
 # Re #80, sets SECLEVEL=1 in openssl.conf to allow monitoring sites with weak/old cipher suites
 RUN sed -i 's/^CipherString = .*/CipherString = DEFAULT@SECLEVEL=1/' /etc/ssl/openssl.cnf

@ -63,6 +66,10 @@ ENV PYTHONPATH=/usr/local

 EXPOSE 5000

+# The entrypoint script handling PUID/PGID and permissions
+COPY docker-entrypoint.sh /app/docker-entrypoint.sh
+RUN chmod u+x /app/docker-entrypoint.sh
+
 # The actual flask app module
 COPY changedetectionio /app/changedetectionio
 # Starting wrapper
@ -74,6 +81,4 @@ ARG LOGGER_LEVEL=''
 ENV LOGGER_LEVEL "$LOGGER_LEVEL"

 WORKDIR /app
-CMD ["python", "./changedetection.py", "-d", "/datastore"]
-
-
+CMD ["/app/docker-entrypoint.sh"]
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -0,0 +1,11 @@
+#!/bin/bash
+
+PUID=${PUID:-911}
+PGID=${PGID:-911}
+
+groupmod -o -g "$PGID" abc
+usermod -o -u "$PUID" abc
+
+chown -R abc:abc /datastore
+
+exec gosu abc:abc python ./changedetection.py -d /datastore