From faecc028fefe0e04c3d04a756d3bf8d890fd3f8d Mon Sep 17 00:00:00 2001 From: "Simon L." Date: Wed, 6 Nov 2024 14:29:18 +0100 Subject: [PATCH] add user-IDs to all containers Signed-off-by: Simon L. --- Containers/apache/Dockerfile | 2 +- Containers/clamav/Dockerfile | 2 +- Containers/imaginary/Dockerfile | 4 ++-- Containers/postgresql/Dockerfile | 2 +- Containers/redis/Dockerfile | 2 +- Containers/talk-recording/Dockerfile | 4 ++-- Containers/talk/Dockerfile | 2 +- Containers/whiteboard/Dockerfile | 2 +- manual-install/update-yaml.sh | 1 + php/containers-schema.json | 3 +++ php/containers.json | 10 ++++++++++ 11 files changed, 24 insertions(+), 10 deletions(-) diff --git a/Containers/apache/Dockerfile b/Containers/apache/Dockerfile index b118fd95034..5f45922d6c0 100644 --- a/Containers/apache/Dockerfile +++ b/Containers/apache/Dockerfile @@ -81,7 +81,7 @@ RUN set -ex; \ \ echo "root:$(openssl rand -base64 12)" | chpasswd -USER www-data +USER 33 ENTRYPOINT ["/start.sh"] CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"] diff --git a/Containers/clamav/Dockerfile b/Containers/clamav/Dockerfile index a3ae61bb042..81310d2fd2f 100644 --- a/Containers/clamav/Dockerfile +++ b/Containers/clamav/Dockerfile @@ -19,7 +19,7 @@ RUN set -ex; \ VOLUME /var/lib/clamav -USER clamav +USER 100 LABEL com.centurylinklabs.watchtower.enable="false" diff --git a/Containers/imaginary/Dockerfile b/Containers/imaginary/Dockerfile index f07bb42884d..1b15336a149 100644 --- a/Containers/imaginary/Dockerfile +++ b/Containers/imaginary/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:latest FROM golang:1.23.2-alpine3.20 AS go -ENV IMAGINARY_HASH=8f36a26c448be8c151a3878404b75fcd1cd3cf0c +ENV IMAGINARY_HASH=8f36a26c448be8c151a3878404b75fcd1cd3cf0c RUN set -ex; \ apk add --no-cache \ @@ -33,7 +33,7 @@ COPY --chmod=775 start.sh /start.sh ENV PORT=9000 -USER nobody +USER 65534 # https://github.com/h2non/imaginary#memory-issues ENV MALLOC_ARENA_MAX=2 
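Review bot: `USER 33` pins a number that nothing in this hunk ties to the `www-data` account it replaces, and the same holds for clamav (`USER 100`), imaginary (`USER 65534`), postgresql and redis (`USER 999`) and talk (`USER 1000`); only the talk-recording hunk also pins the account itself (`useradd … -u 1000`). If a base image is later bumped and ships the account under a different UID, the build still succeeds but the process runs as a UID that owns none of the image's files, and — as far as I know of how Docker resolves a bare numeric user — a UID with no entry in the image's /etc/passwd is given GID 0 as its primary group. A cheap guard is an assertion inside the existing `RUN set -ex` step, e.g. `[ "$(id -u www-data)" = 33 ]` (with the respective account and number in each Dockerfile), so a mismatch fails the image build instead of surfacing at runtime. The `RUN` step this hunk continues begins outside the hunk.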
diff --git a/Containers/postgresql/Dockerfile b/Containers/postgresql/Dockerfile index 64d66403c49..def1ce246be 100644 --- a/Containers/postgresql/Dockerfile +++ b/Containers/postgresql/Dockerfile @@ -39,7 +39,7 @@ RUN set -ex; \ VOLUME /mnt/data -USER postgres +USER 999 ENTRYPOINT ["/start.sh"] HEALTHCHECK CMD /healthcheck.sh diff --git a/Containers/redis/Dockerfile b/Containers/redis/Dockerfile index f5fc22e50ef..98fb8529988 100644 --- a/Containers/redis/Dockerfile +++ b/Containers/redis/Dockerfile @@ -14,7 +14,7 @@ RUN set -ex; \ # Get rid of unused binaries rm -f /usr/local/bin/gosu; -USER redis +USER 999 ENTRYPOINT ["/start.sh"] HEALTHCHECK CMD redis-cli -a $REDIS_HOST_PASSWORD PING || exit 1 diff --git a/Containers/talk-recording/Dockerfile b/Containers/talk-recording/Dockerfile index 41ad1c14eb8..945b1d73afd 100644 --- a/Containers/talk-recording/Dockerfile +++ b/Containers/talk-recording/Dockerfile @@ -28,7 +28,7 @@ RUN set -ex; \ build-base \ linux-headers \ geckodriver; \ - useradd -d /tmp --system recording; \ + useradd -d /tmp --system recording -u 1000; \ # Give root a random password echo "root:$(openssl rand -base64 12)" | chpasswd; \ git clone --recursive https://github.com/nextcloud/nextcloud-talk-recording --depth=1 --single-branch --branch "$RECORDING_VERSION" /src; \ @@ -49,7 +49,7 @@ RUN set -ex; \ linux-headers; WORKDIR /tmp -USER recording +USER 1000 ENTRYPOINT ["/start.sh"] CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.conf"] diff --git a/Containers/talk/Dockerfile b/Containers/talk/Dockerfile index 13896e1bd97..37b0c9eba14 100644 --- a/Containers/talk/Dockerfile +++ b/Containers/talk/Dockerfile @@ -99,7 +99,7 @@ RUN set -ex; \ ln -s /opt/eturnal/bin/stun /usr/local/bin/stun; \ ln -s /opt/eturnal/bin/eturnalctl /usr/local/bin/eturnalctl -USER eturnal +USER 1000 ENTRYPOINT ["/start.sh"] CMD ["supervisord", "-c", "/supervisord.conf"] 
diff --git a/Containers/whiteboard/Dockerfile b/Containers/whiteboard/Dockerfile index 00e5b26fc60..83b6e8b18c7 100644 --- a/Containers/whiteboard/Dockerfile +++ b/Containers/whiteboard/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:latest FROM ghcr.io/nextcloud-releases/whiteboard:v1.0.4 -USER root +USER 65534 RUN set -ex; \ apk upgrade --no-cache -a; \ apk add --no-cache bash diff --git a/manual-install/update-yaml.sh b/manual-install/update-yaml.sh index e712304c6d9..68600f8a611 100644 --- a/manual-install/update-yaml.sh +++ b/manual-install/update-yaml.sh @@ -19,6 +19,7 @@ OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].backup_volumes)')" OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].nextcloud_exec_commands)')" OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].image_tag)')" OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].networks)')" +OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].documentation)')" OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-watchtower"))')" OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-domaincheck"))')" OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-borgbackup"))')" diff --git a/php/containers-schema.json b/php/containers-schema.json index db63fddfafa..b1e0cfbf5c3 100644 --- a/php/containers-schema.json +++ b/php/containers-schema.json @@ -68,6 +68,9 @@ "stop_grace_period": { "type": "integer" }, + "user": { + "type": "integer" + }, "ports": { "type": "array", "items": { diff --git a/php/containers.json b/php/containers.json index 2ed946c1cd4..6da70bccb0b 100644 --- a/php/containers.json +++ b/php/containers.json @@ -13,6 +13,7 @@ ], "display_name": "Apache", "image": "nextcloud/aio-apache", + "user": 33, "init": true, "ports": [ { @@ -78,6 +79,7 @@ "image_tag": "%AIO_CHANNEL%", "display_name": "Database", "image": "nextcloud/aio-postgresql", + "user": 999, "init": true, "expose": [ "5432" 
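Review bot: `USER 65534` replaces the `USER root` that directly precedes `RUN set -ex; apk upgrade --no-cache -a; apk add --no-cache bash`, so those package steps now run unprivileged, `apk` cannot write its database and the `set -e` aborts the build. The switch to the unprivileged UID has to come after the last root-requiring step: keep `USER root` here and place `USER 65534` further down, after that `RUN`. The remainder of the Dockerfile, including whatever `USER` line currently ends it, lies outside the hunk; if a later `USER nobody` exists, that is the line to change.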
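Review bot: The `user` key that this patch adds to php/containers.json is not in the `del(…)` list, so it passes through into the generated compose YAML as a bare integer (`user: 33`), while the compose specification declares `user` as a string and a strict loader may reject or misread it. Normalising it in this script keeps the export valid regardless of how the JSON types it, e.g. `OUTPUT="$(echo "$OUTPUT" | jq '(.services[] | select(has("user")) | .user) |= tostring')"` placed next to the other `jq` rewrites.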
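Review bot: `"type": "integer"` admits negative values and does not match the `uid[:gid]` string the Docker Engine API's `User` field takes, so whichever PHP code maps this onto container creation must convert it — that code is outside this patch; confirm it does. Tightening to `"type": "integer", "minimum": 0` at least rules out nonsense values; a string with `"pattern": "^[0-9]+(:[0-9]+)?$"` would additionally allow a group to be expressed later and would settle the integer-versus-string question for the compose export in one place.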
@@ -251,6 +253,7 @@
 "image_tag": "%AIO_CHANNEL%",
 "display_name": "Notify Push",
 "image": "nextcloud/aio-notify-push",
+ "user": 33,
 "init": true,
 "expose": [
 "7867"
@@ -292,6 +295,7 @@
 "image_tag": "%AIO_CHANNEL%",
 "display_name": "Redis",
 "image": "nextcloud/aio-redis",
+ "user": 999,
 "init": true,
 "expose": [
 "6379"
@@ -328,6 +332,7 @@
 "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358",
 "display_name": "Collabora",
 "image": "nextcloud/aio-collabora",
+ "user": 100,
 "init": true,
 "expose": [
 "9980"
@@ -366,6 +371,7 @@
 "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358",
 "display_name": "Talk",
 "image": "nextcloud/aio-talk",
+ "user": 1000,
 "init": true,
 "ports": [
 {
@@ -422,6 +428,7 @@
 "image_tag": "%AIO_CHANNEL%",
 "display_name": "Talk Recording",
 "image": "nextcloud/aio-talk-recording",
+ "user": 1000,
 "init": true,
 "expose": [
 "1234"
@@ -575,6 +582,7 @@
 "image_tag": "%AIO_CHANNEL%",
 "display_name": "ClamAV",
 "image": "nextcloud/aio-clamav",
+ "user": 100,
 "init": false,
 "expose": [
 "3310"
@@ -655,6 +663,7 @@
 "image_tag": "%AIO_CHANNEL%",
 "display_name": "Imaginary",
 "image": "nextcloud/aio-imaginary",
+ "user": 65534,
 "init": true,
 "expose": [
 "9000"
@@ -760,6 +769,7 @@
 "image_tag": "%AIO_CHANNEL%",
 "display_name": "Whiteboard",
 "image": "nextcloud/aio-whiteboard",
+ "user": 65534,
 "init": true,
 "expose": [
 "3002"
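Review bot: `"user": 33` for Notify Push and `"user": 100` for Collabora (the third hunk of this file) are the only UIDs in the patch without a matching Dockerfile change — the diffstat lists no notify-push or collabora Dockerfile — so nothing visible here establishes that those images contain an account with that UID. If the number does not match the account the image actually provisions, the service starts as a UID owning none of its files, which typically shows up as permission errors on first write rather than at build time. Since every `user` value here duplicates a `USER` line in some Dockerfile, a CI check comparing each built image's configured user (`docker image inspect --format '{{.Config.User}}'`) with the value in containers.json would catch drift in either direction.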