From 7046a1885644714d40e52822fea2a42802f08939 Mon Sep 17 00:00:00 2001
From: jeanluc
Date: Wed, 22 Sep 2021 20:14:53 +0200
Subject: [PATCH 1/7] Docker: use custom non-root UID/GID (build-arg)
---
 Dockerfile | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index c8a42bd9d..36bed5a01 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,12 +14,24 @@ ENV GO111MODULE=on
 # build & install server
 RUN CGO_ENABLED=0 go build -tags netgo -ldflags "-X github.com/dutchcoders/transfer.sh/cmd.Version=$(git describe --tags) -a -s -w -extldflags '-static'" -o /go/bin/transfersh
+ARG PUID=1000 \
+ PGID=1000
+
+RUN mkdir -p /tmp/useradd && \
+ echo "transfersh:x:${PUID}:${PGID}::/nonexistent:/sbin/nologin" >> /tmp/useradd/passwd && \
+ echo "transfersh:!:::::::" >> /tmp/useradd/shadow && \
+ echo "transfersh:x:${PGID}:" >> /tmp/useradd/group && \
+ echo "transfersh:!::" >> /tmp/useradd/groupshadow
+
 FROM scratch AS final
 LABEL maintainer="Andrea Spacca "
-COPY --from=build /go/bin/transfersh /go/bin/transfersh
+COPY --from=build /tmp/useradd/* /etc/
+COPY --from=build --chown=transfersh /go/bin/transfersh /go/bin/transfersh
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+USER transfersh
+
 ENTRYPOINT ["/go/bin/transfersh", "--listener", ":8080"]
 EXPOSE 8080
From 6740dd970fb22abe3aa8f53fb83ae3bf5304d269 Mon Sep 17 00:00:00 2001
From: jeanluc
Date: Sat, 9 Oct 2021 17:09:07 +0200
Subject: [PATCH 2/7] Docker: allow selection between root and non-root UID/GID at build time
---
 Dockerfile | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 36bed5a01..ed949fdc3 100644
--- a/Dockerfile
+++ b/Dockerfile
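Review bot: `COPY --from=build --chown=transfersh /go/bin/transfersh /go/bin/transfersh` hands ownership of the only executable in the image to the account that runs it, so a compromised process could overwrite its own binary; the runtime user needs execute permission, not ownership, and the removed form `COPY --from=build /go/bin/transfersh /go/bin/transfersh` keeps the file root-owned while still executable. The same applies to the `--chown=${RUNAS}` line in PATCH 2/7. The group-shadow record is written to `/tmp/useradd/groupshadow` and therefore lands as `/etc/groupshadow`, whereas the conventional path is `/etc/gshadow`; as far as I can tell `USER transfersh` only needs `/etc/passwd` and `/etc/group` to resolve, so the two shadow files can be dropped rather than shipped. If they are kept, note that `echo ... >>` creates them with the build stage's umask (presumably 0644), so `/etc/shadow` would need a `chmod 600` in the same `RUN`.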
@@ -14,23 +14,27 @@ ENV GO111MODULE=on
 # build & install server
 RUN CGO_ENABLED=0 go build -tags netgo -ldflags "-X github.com/dutchcoders/transfer.sh/cmd.Version=$(git describe --tags) -a -s -w -extldflags '-static'" -o /go/bin/transfersh
-ARG PUID=1000 \
- PGID=1000
+ARG PUID=5000 \
+ PGID=5000 \
+ RUNAS
 RUN mkdir -p /tmp/useradd && \
- echo "transfersh:x:${PUID}:${PGID}::/nonexistent:/sbin/nologin" >> /tmp/useradd/passwd && \
- echo "transfersh:!:::::::" >> /tmp/useradd/shadow && \
- echo "transfersh:x:${PGID}:" >> /tmp/useradd/group && \
- echo "transfersh:!::" >> /tmp/useradd/groupshadow
+ if [ ! -z "$RUNAS" ]; then \
+ echo "${RUNAS}:x:${PUID}:${PGID}::/nonexistent:/sbin/nologin" >> /tmp/useradd/passwd && \
+ echo "${RUNAS}:!:::::::" >> /tmp/useradd/shadow && \
+ echo "${RUNAS}:x:${PGID}:" >> /tmp/useradd/group && \
+ echo "${RUNAS}:!::" >> /tmp/useradd/groupshadow; fi
 FROM scratch AS final
 LABEL maintainer="Andrea Spacca "
+ARG RUNAS
 COPY --from=build /tmp/useradd/* /etc/
-COPY --from=build --chown=transfersh /go/bin/transfersh /go/bin/transfersh
+COPY --from=build --chown=${RUNAS} /go/bin/transfersh /go/bin/transfersh
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-USER transfersh
+
+USER ${RUNAS}
 ENTRYPOINT ["/go/bin/transfersh", "--listener", ":8080"]
From e2022045872e264e28257500c6d88c3c12aa71b9 Mon Sep 17 00:00:00 2001
From: jeanluc
Date: Sat, 9 Oct 2021 17:09:07 +0200
Subject: [PATCH 3/7] Docker: allow selection between root and non-root UID/GID at build time
---
 Dockerfile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index ed949fdc3..768464c9d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,7 +33,6 @@ COPY --from=build /tmp/useradd/* /etc/
 COPY --from=build --chown=${RUNAS} /go/bin/transfersh /go/bin/transfersh
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-
 USER ${RUNAS}
 ENTRYPOINT ["/go/bin/transfersh", "--listener", ":8080"]
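Review bot: `RUNAS` serves both as the on/off switch and as the literal account name echoed into `/tmp/useradd/passwd` and `/tmp/useradd/group` and passed to `USER ${RUNAS}`, yet nothing rejects a value containing `:` (which shifts the UID/GID fields of the record) or whitespace, so the build succeeds with a malformed `/etc/passwd`. A guard at the top of the branch keeps the switch semantics while refusing bad names: `if [ -n "$RUNAS" ]; then case "$RUNAS" in *[!A-Za-z0-9._-]*) echo "invalid RUNAS: $RUNAS" >&2; exit 1;; esac && \`. Since `COPY --chown=${RUNAS}` and `USER ${RUNAS}` expand to nothing in the root build, the variant apparently relies on an empty user being treated as root; a comment on the final stage's `ARG RUNAS`, `# empty (default) keeps root; any non-empty value selects the account created in the build stage`, would make that contract explicit. `[ ! -z "$RUNAS" ]` is the long way of writing `[ -n "$RUNAS" ]`.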
From 4a46b239ddabd2a680e8d848be19a6059513460e Mon Sep 17 00:00:00 2001
From: jeanluc
Date: Sat, 9 Oct 2021 20:28:05 +0200
Subject: [PATCH 4/7] Docker: fixed build error complaining about empty source dir when building root version
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 768464c9d..196ea75e2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,7 +23,7 @@ RUN mkdir -p /tmp/useradd && \
 echo "${RUNAS}:x:${PUID}:${PGID}::/nonexistent:/sbin/nologin" >> /tmp/useradd/passwd && \
 echo "${RUNAS}:!:::::::" >> /tmp/useradd/shadow && \
 echo "${RUNAS}:x:${PGID}:" >> /tmp/useradd/group && \
- echo "${RUNAS}:!::" >> /tmp/useradd/groupshadow; fi
+ echo "${RUNAS}:!::" >> /tmp/useradd/groupshadow; else touch /tmp/useradd/unused; fi
 FROM scratch AS final
 LABEL maintainer="Andrea Spacca "
From 8607c20c23b60909f3f2b9e4d323573cea974694 Mon Sep 17 00:00:00 2001
From: jeanluc
Date: Thu, 24 Mar 2022 12:33:54 +0100
Subject: [PATCH 5/7] Add documentation about noroot Docker image
---
 README.md | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 107a9147a..7b618cc0f 100644
--- a/README.md
+++ b/README.md
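Review bot: The `else touch /tmp/useradd/unused` placeholder exists only so that `COPY --from=build /tmp/useradd/* /etc/` in the final stage has something to match, which means the root variant ships a stray `/etc/unused` file; the `RUN` this line belongs to starts above the hunk. Creating the real files in that branch instead, `else touch /tmp/useradd/passwd /tmp/useradd/group; fi`, gives the root image empty but well-formed account files rather than an artifact with no meaning. Alternatively a directory source, `COPY --from=build /tmp/useradd/ /etc/`, may tolerate an empty directory where the `*` glob does not — worth confirming against the builder in use before relying on it.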
@@ -140,12 +140,31 @@ $ go build -o transfersh main.go
 ## Docker
-For easy deployment, we've created a Docker container.
+For easy deployment, we've created an official Docker container. There are two variants, differing only by which user runs the process.
+
+The default one will run as `root`:
 ```bash
 docker run --publish 8080:8080 dutchcoders/transfer.sh:latest --provider local --basedir /tmp/
 ```
+The one tagged with the suffix `-noroot` will use `5000` as both UID and GID:
+```bash
+docker run --publish 8080:8080 dutchcoders/transfer.sh:latest-noroot --provider local --basedir /tmp/
+```
+
+### Building the Container
+You can also build the container yourself. This allows you to choose which UID/GID will be used, e.g. when using NFS mounts:
+```bash
+# Build arguments:
+# * RUNAS: If empty, the container will run as root.
+# Set this to anything to enable UID/GID selection.
+# * PUID: UID of the process. Needs RUNAS != "". Defaults to 5000.
+# * PGID: GID of the process. Needs RUNAS != "". Defaults to 5000.
+
+docker build -t tfsh-noroot --build-arg RUNAS=doesntmatter --build-arg PUID=1337 --build-arg PGID=1338 .
+```
+
 ## S3 Usage
 For the usage with a AWS S3 Bucket, you just need to specify the following options:
From 9f4a15a1e95d2576f66d8413e83e246e0080f6c0 Mon Sep 17 00:00:00 2001
From: jeanluc
Date: Thu, 24 Mar 2022 12:34:46 +0100
Subject: [PATCH 6/7] Add noroot image to Docker build workflow
---
 .github/workflows/build-docker-images.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
index c8713446e..1b5a17b6b 100644
--- a/.github/workflows/build-docker-images.yml
+++ b/.github/workflows/build-docker-images.yml
@@ -34,9 +34,11 @@ jobs:
 fi
 TAGS="--tag ${DOCKER_IMAGE}:${VERSION}"
+ TAGS_NOROOT="--tag ${DOCKER_IMAGE}:${VERSION}-noroot"
 if [ $VERSION = edge -o $VERSION = nightly ]; then
 TAGS="$TAGS --tag ${DOCKER_IMAGE}:latest"
+ TAGS_NOROOT="$TAGS_NOROOT --tag ${DOCKER_IMAGE}:latest-noroot"
 fi
 echo ::set-output name=docker_image::${DOCKER_IMAGE}
@@ -46,6 +48,12 @@ jobs:
 --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
 --build-arg VCS_REF=${GITHUB_SHA::8} \
 ${TAGS} .
+ echo ::set-output name=buildx_args_noroot::--platform ${DOCKER_PLATFORMS} \
+ --build-arg VERSION=${VERSION} \
+ --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
+ --build-arg VCS_REF=${GITHUB_SHA::8} \
+ --build-arg RUNAS=noroot \
+ ${TAGS_NOROOT} .
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v1
@@ -64,6 +72,7 @@ jobs:
 name: Docker Buildx (build)
 run: |
 docker buildx build --no-cache --pull --output "type=image,push=false" ${{ steps.prepare.outputs.buildx_args }}
+ docker buildx build --output "type=image,push=false" ${{ steps.prepare.outputs.buildx_args_noroot }}
 - name: Docker Login
 if: success() && github.event_name != 'pull_request'
@@ -77,11 +86,13 @@ jobs:
 if: success() && github.event_name != 'pull_request'
 run: |
 docker buildx build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}
+ docker buildx build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args_noroot }}
 - name: Docker Check Manifest
 if: always() && github.event_name != 'pull_request'
 run: |
 docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
+ docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}-noroot
 - name: Clear
 if: always() && github.event_name != 'pull_request'
From 151a013aefe2694ca9cc74ed0b94c8cbb268afb1 Mon Sep 17 00:00:00 2001
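Review bot: The `buildx_args_noroot` output in the `@@ -46,6 +48,12 @@` hunk repeats every flag of `buildx_args` and differs only in `--build-arg RUNAS=noroot` and the tag list, so the two argument sets will drift the next time one of them is edited (the `VERSION`, `BUILD_DATE` and `VCS_REF` lines are already duplicated). Collect the shared part once in the same `prepare` script and append the per-variant pieces, e.g. `COMMON_ARGS="--platform ${DOCKER_PLATFORMS} --build-arg VERSION=${VERSION} --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') --build-arg VCS_REF=${GITHUB_SHA::8}"` followed by `echo ::set-output name=buildx_args_noroot::${COMMON_ARGS} --build-arg RUNAS=noroot ${TAGS_NOROOT} .`. The build-step hunk passes `--no-cache --pull` only to the root build; that presumably works because the noroot build runs right after it in the same job and reuses the freshly pulled base, and a one-line comment on the new `docker buildx build` line saying so would spare the next reader the question. The same build/push duplication recurs in the push and manifest-check hunks of this file.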
From: jeanluc
Date: Sun, 3 Apr 2022 10:46:27 +0200
Subject: [PATCH 7/7] Make example docker build command more explicit
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 7b618cc0f..44ccb5c5a 100644
--- a/README.md
+++ b/README.md
@@ -162,7 +162,7 @@ You can also build the container yourself. This allows you to choose which UID/G
 # * PUID: UID of the process. Needs RUNAS != "". Defaults to 5000.
 # * PGID: GID of the process. Needs RUNAS != "". Defaults to 5000.
-docker build -t tfsh-noroot --build-arg RUNAS=doesntmatter --build-arg PUID=1337 --build-arg PGID=1338 .
+docker build -t transfer.sh-noroot --build-arg RUNAS=doesntmatter --build-arg PUID=1337 --build-arg PGID=1338 .
 ```
 ## S3 Usage