From 6771bfdf50d60f0c966fcda3bdd6606c2f557bf9 Mon Sep 17 00:00:00 2001
From: Elias Schneider
Date: Wed, 18 Dec 2024 16:08:45 +0100
Subject: [PATCH] chore: make Docker image rootless (#683)

* add first version of rootless docker image

* skip user creation if user is already a non root user
---
 Dockerfile | 14 +++++----
 docs/docs/setup/configuration.md | 4 ++-
 scripts/docker/create-user.sh | 30 +++++++++++++++++++
 .../entrypoint.sh} | 0
 4 files changed, 42 insertions(+), 6 deletions(-)
 create mode 100644 scripts/docker/create-user.sh
 rename scripts/{docker-entrypoint.sh => docker/entrypoint.sh} (100%)

diff --git a/Dockerfile b/Dockerfile
index c11e2d00..0b15479c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,9 +30,12 @@ RUN npm run build && npm prune --production
 FROM node:20-alpine AS runner
 ENV NODE_ENV=docker
 
+# Delete default node user
+RUN deluser --remove-home node
+
 RUN apk update --no-cache \
     && apk upgrade --no-cache \
-    && apk add --no-cache curl caddy
+    && apk add --no-cache curl caddy su-exec
 
 WORKDIR /opt/app/frontend
 COPY --from=frontend-builder /opt/app/public ./public
@@ -46,13 +49,14 @@ COPY --from=backend-builder /opt/app/dist ./dist COPY --from=backend-builder /opt/app/prisma ./prisma COPY --from=backend-builder /opt/app/package.json ./ -COPY ./reverse-proxy /etc/caddy -COPY ./scripts/docker-entrypoint.sh /opt/app/docker-entrypoint.sh - WORKDIR /opt/app +COPY ./reverse-proxy /etc/caddy +COPY ./scripts ./scripts + EXPOSE 3000 HEALTHCHECK --interval=10s --timeout=3s CMD curl -f http://localhost:3000/api/health || exit 1 -CMD ["sh", "/opt/app/docker-entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["sh", "./scripts/docker/create-user.sh"] +CMD ["sh", "./scripts/docker/entrypoint.sh"] \ No newline at end of file
diff --git a/docs/docs/setup/configuration.md b/docs/docs/setup/configuration.md
index a8a3833d..1392515e 100644
--- a/docs/docs/setup/configuration.md
+++ b/docs/docs/setup/configuration.md
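Review bot: `COPY ./scripts ./scripts` in the second hunk copies the entire scripts directory into the runtime image although only `scripts/docker/create-user.sh` and `scripts/docker/entrypoint.sh` are ever executed; `COPY ./scripts/docker ./scripts/docker` keeps the final image to what it needs. The image still starts as root by design and relies on the entrypoint to drop to `PUID:PGID`, but nothing in the Dockerfile says so; a comment above the new ENTRYPOINT such as `# Starts as root so create-user.sh can chown the data volume, then drops to PUID:PGID via su-exec` would stop a later reviewer from adding a USER directive that breaks the chown. In the first hunk `su-exec` is added without a version pin next to the already unpinned `curl caddy`; pinning it as `su-exec=<version>` is what hadolint DL3018 asks for, even if the existing packages stay as they are.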
@@ -49,8 +49,10 @@ For installation specific configuration, you can use environment variables. The
 | `PORT` | `3000` | The port on which the frontend listens. |
 | `API_URL` | `http://localhost:8080` | The URL of the backend for the frontend. |
 
-#### Reverse Proxy (inside the Docker container)
+#### Docker specific
+Environment variables that are only available when running Pingvin Share with Docker.
 
 | Variable | Default Value | Description |
 | ------------- | ------------- | ----------------------------------------------------------------------------------------------------------- |
 | `TRUST_PROXY` | `false` | Whether Pingvin Share is behind a reverse proxy. If set to `true`, the `X-Forwarded-For` header is trusted. |
+| `PUID` and `PGID` | `1000` | The user and group ID of the user who should run Pingvin Share inside the Docker container and owns the files that are mounted with the volume. You can get the `PUID` and `GUID` of your user on your host machine by using the command `id`. For more information see [this article](https://docs.linuxserver.io/general/understanding-puid-and-pgid/#using-the-variables). |
diff --git a/scripts/docker/create-user.sh b/scripts/docker/create-user.sh
new file mode 100644
index 00000000..386dac52
--- /dev/null
+++ b/scripts/docker/create-user.sh
@@ -0,0 +1,30 @@
+# If we aren't running as root, just exec the CMD
+[ "$(id -u)" -ne 0 ] && exec "$@"
+
+echo "Creating user and group..."
+
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
+
+# Check if the group with PGID exists; if not, create it
+if ! getent group pingvin-share-group > /dev/null 2>&1; then
+    addgroup -g "$PGID" pingvin-share-group
+fi
+
+# Check if a user with PUID exists; if not, create it
+if ! id -u pingvin-share > /dev/null 2>&1; then
+    if ! getent passwd "$PUID" > /dev/null 2>&1; then
+        adduser -u "$PUID" -G pingvin-share-group pingvin-share > /dev/null 2>&1
+    else
+        # If a user with the PUID already exists, use that user
+        existing_user=$(getent passwd "$PUID" | cut -d: -f1)
+        echo "Using existing user: $existing_user"
+    fi
+fi
+
+# Change ownership of the data directory
+mkdir -p /opt/app/backend/data
+find /opt/app/backend/data \( ! -group "${PGID}" -o ! -user "${PUID}" \) -exec chown "${PUID}:${PGID}" {} +
+
+# Switch to the non-root user
+exec su-exec "$PUID:$PGID" "$@"
\ No newline at end of file
diff --git a/scripts/docker-entrypoint.sh b/scripts/docker/entrypoint.sh
similarity index 100%
rename from scripts/docker-entrypoint.sh
rename to scripts/docker/entrypoint.sh
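Review bot: The `chown "${PUID}:${PGID}"` run by the find line dereferences symlinks, so a symlink inside the mounted data volume whose owner does not match the requested ids would make this root-run step change the ownership of whatever the link points to, including paths outside the volume; `chown -h` keeps the change on the directory entry itself. The group branch also checks only the name `pingvin-share-group` while the user branch checks the numeric id, so a pre-existing group that already owns `$PGID` makes `addgroup -g` fail and, with no `set -e`, the script carries on and later passes a group name to `adduser -G` that does not exist; mirroring the user branch and resolving the group name first avoids both. The `adduser` call is silenced with `> /dev/null 2>&1` but lacks `-D`, so busybox will try to set a password and any failure is hidden, whereas `adduser -D` plus `#!/bin/sh` and `set -e` at the top make failures visible at container start. The rewritten group block and find line are below.

```shell
# … unchanged: root check, PUID/PGID defaults …
# Reuse a group that already owns PGID, otherwise create one (mirrors the user branch)
if getent group "$PGID" > /dev/null 2>&1; then
    group_name=$(getent group "$PGID" | cut -d: -f1)
    echo "Using existing group: $group_name"
else
    group_name=pingvin-share-group
    addgroup -g "$PGID" "$group_name"
fi
# … unchanged: user creation, with `-D` added and `-G "$group_name"` in place of `-G pingvin-share-group` …
mkdir -p /opt/app/backend/data
# -h: change the entry itself, never the target of a symlink found inside the volume
find /opt/app/backend/data \( ! -group "${PGID}" -o ! -user "${PUID}" \) -exec chown -h "${PUID}:${PGID}" {} +
# … unchanged: su-exec hand-off …
```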