fix(docker): use user 1000 and standard db path

b4225cb0 · Jonas Zohren · 98b67da6 · b4225cb0 · b4225cb0
Unverified Commit b4225cb0 authored 3 years ago by Jonas Zohren
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,8 @@ FROM docker.io/rust:1.58-bullseye AS builder
 WORKDIR /usr/src/conduit
 # Install required packages to build Conduit and it's dependencies
-RUN apt update && apt -y install libclang-dev
+RUN apt-get update && \
+    apt-get -y --no-install-recommends install libclang-dev=1:11.0-51+nmu5
 # == Build dependencies without our own code separately for caching ==
 #
@@ -44,7 +45,7 @@ ENV CONDUIT_PORT=6167 \
 # Conduit needs:
 #   ca-certificates: for https
 #   iproute2 & wget: for the healthcheck script
-RUN apt update && apt -y install \
+RUN apt-get update && apt-get -y --no-install-recommends install \
    ca-certificates \
    iproute2 \
    wget \
@@ -61,12 +62,12 @@ HEALTHCHECK --start-period=5s --interval=5s CMD ./healthcheck.sh
 COPY --from=builder /usr/src/conduit/target/release/conduit /srv/conduit/conduit
 # Improve security: Don't run stuff as root, that does not need to run as root
-# Add 'conduit' user and group (100:82). The UID:GID choice is to be compatible
+# Most distros also use 1000:1000 for the first real user, so this should resolve volume mounting problems.
-# with previous, Alpine-based containers, where the user and group were both
+ARG USER_ID=1000
-# named 'www-data'.
+ARG GROUP_ID=1000
 RUN set -x ; \
-    groupadd -r -g 82 conduit ; \
+    groupadd -r -g ${GROUP_ID} conduit ; \
-    useradd -r -M -d /srv/conduit -o -u 100 -g conduit conduit && exit 0 ; exit 1
+    useradd -l -r -M -d /srv/conduit -o -u ${USER_ID} -g conduit conduit && exit 0 ; exit 1
 # Change ownership of Conduit files to conduit user and group and make the healthcheck executable:
 RUN chown -cR conduit:conduit /srv/conduit && \

--- a/docker/ci-binaries-packaging.Dockerfile
+++ b/docker/ci-binaries-packaging.Dockerfile
@@ -14,9 +14,14 @@ FROM docker.io/alpine:3.15.0 AS runner
 # You still need to map the port when using the docker command or docker-compose.
 EXPOSE 6167
-# Note from @jfowl: I would like to remove the config file in the future and just have the Docker version be configured with envs. 
+# Users are expected to mount a volume to this directory:
-ENV CONDUIT_CONFIG="/srv/conduit/conduit.toml" \
+ARG DEFAULT_DB_PATH=/var/lib/matrix-conduit
-    CONDUIT_PORT=6167
+ENV CONDUIT_PORT=6167 \
+    CONDUIT_ADDRESS="0.0.0.0" \
+    CONDUIT_DATABASE_PATH=${DEFAULT_DB_PATH} \
+    CONDUIT_CONFIG=''
+#    └─> Set no config file to do all configuration with env vars
 # Conduit needs:
 #   ca-certificates: for https
@@ -25,7 +30,6 @@ RUN apk add --no-cache \
    ca-certificates \
    iproute2
 ARG CREATED
 ARG VERSION
 ARG GIT_REF
@@ -45,36 +49,36 @@ LABEL org.opencontainers.image.created=${CREATED} \
    org.opencontainers.image.ref.name=""
 # Created directory for the database and media files
-RUN mkdir -p /srv/conduit/.local/share/conduit
+RUN mkdir -p ${DEFAULT_DB_PATH}
 # Test if Conduit is still alive, uses the same endpoint as Element
 COPY ./docker/healthcheck.sh /srv/conduit/healthcheck.sh
 HEALTHCHECK --start-period=5s --interval=5s CMD ./healthcheck.sh
-# Depending on the target platform (e.g. "linux/arm/v7", "linux/arm64/v8", or "linux/amd64")
-# copy the matching binary into this docker image
-ARG TARGETPLATFORM
-COPY ./$TARGETPLATFORM /srv/conduit/conduit
 # Improve security: Don't run stuff as root, that does not need to run as root:
-# Add www-data user and group with UID 82, as used by alpine
+# Most distros also use 1000:1000 for the first real user, so this should resolve volume mounting problems.
-# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.pre-install
+ARG USER_ID=1000
+ARG GROUP_ID=1000
 RUN set -x ; \
-    addgroup -Sg 82 www-data 2>/dev/null ; \
+    deluser --remove-home www-data ; \
-    adduser -S -D -H -h /srv/conduit -G www-data -g www-data www-data 2>/dev/null ; \
+    addgroup -S -g ${GROUP_ID} conduit 2>/dev/null ; \
-    addgroup www-data www-data 2>/dev/null && exit 0 ; exit 1
+    adduser -S -u ${USER_ID} -D -H -h /srv/conduit -G conduit -g conduit conduit 2>/dev/null ; \
+    addgroup conduit conduit 2>/dev/null && exit 0 ; exit 1
-# Change ownership of Conduit files to www-data user and group
+# Change ownership of Conduit files to conduit user and group
-RUN chown -cR www-data:www-data /srv/conduit
+RUN chown -cR conduit:conduit /srv/conduit && \
-RUN chmod +x /srv/conduit/healthcheck.sh
+    chmod +x /srv/conduit/healthcheck.sh
-# Change user to www-data
+# Change user to conduit
-USER www-data
+USER conduit
 # Set container home directory
 WORKDIR /srv/conduit
 # Run Conduit and print backtraces on panics
 ENV RUST_BACKTRACE=1
 ENTRYPOINT [ "/srv/conduit/conduit" ]
+# Depending on the target platform (e.g. "linux/arm/v7", "linux/arm64/v8", or "linux/amd64")
+# copy the matching binary into this docker image
+ARG TARGETPLATFORM
+COPY --chown=conduit:conduit ./$TARGETPLATFORM /srv/conduit/conduit