From 0c3041e284c5f1f2b30b70aa1d0d9a3722a9edae Mon Sep 17 00:00:00 2001
From: Andrey Antukh
Date: Thu, 22 Dec 2022 15:15:35 +0100
Subject: [PATCH] :sparkles: Make exporter docker image run on non-root user
---
 docker/images/Dockerfile.exporter | 127 ++++++++++++++++--------------
 1 file changed, 68 insertions(+), 59 deletions(-)
diff --git a/docker/images/Dockerfile.exporter b/docker/images/Dockerfile.exporter
index 144b5a9c1..0cc5b2b0a 100644
--- a/docker/images/Dockerfile.exporter
+++ b/docker/images/Dockerfile.exporter
@@ -1,70 +1,76 @@ FROM ubuntu:22.04 LABEL maintainer="Andrey Antukh " -ARG DEBIAN_FRONTEND=noninteractive - ENV LANG=en_US.UTF-8 \ LC_ALL=en_US.UTF-8 \ - NODE_VERSION=v16.17.0 + NODE_VERSION=v18.12.1 \ + DEBIAN_FRONTEND=noninteractive \ + PATH=/opt/node/bin:$PATH RUN set -ex; \ + useradd -U -M -u 1001 -s /bin/false -d /opt/penpot penpot; \ mkdir -p /etc/resolvconf/resolv.conf.d; \ - echo "nameserver 8.8.8.8" > /etc/resolvconf/resolv.conf.d/tail; \ + echo "nameserver 127.0.0.11" > /etc/resolvconf/resolv.conf.d/tail; \ apt-get -qq update; \ - apt-get -qqy --no-install-recommends install curl tzdata locales ca-certificates fontconfig xz-utils; \ + apt-get -qqy --no-install-recommends install \ + curl \ + tzdata \ + locales \ + ca-certificates \ + fontconfig \ + xz-utils \ + ; \ + rm -rf /var/lib/apt/lists/*; \ echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen; \ - locale-gen; \ - rm -rf /var/lib/apt/lists/*; + locale-gen; RUN set -ex; \ apt-get -qq update; \ apt-get -qqy install \ - imagemagick \ - ghostscript \ - netpbm \ - poppler-utils \ - potrace \ - gconf-service \ - libasound2 \ - libatk1.0-0 \ - libatk-bridge2.0-0 \ - libatomic1 \ - libcairo2 \ - libcups2 \ - libdbus-1-3 \ - libexpat1 \ - libfontconfig1 \ - libgcc1 \ - libgconf-2-4 \ - libgdk-pixbuf2.0-0 \ - libglib2.0-0 \ - libgtk-3-0 \ - libnspr4 \ - libpango-1.0-0 \ - libpangocairo-1.0-0 \ - libx11-6 \ - libx11-xcb1 \ - libxcb1 \ - libxcb-dri3-0 \ - libxcomposite1 \ - libxcursor1 \ - libxdamage1 \ - libxext6 \ - libxfixes3 \ - libxi6 \ - libxrandr2 \ - libxrender1 \ - libxshmfence1 \ - libxss1 \ - libxtst6 \ - fonts-liberation \ - libnss3 \ - libgbm1 \ + imagemagick \ + ghostscript \ + netpbm \ + poppler-utils \ + potrace \ + gconf-service \ + libasound2 \ + libatk1.0-0 \ + libatk-bridge2.0-0 \ + libatomic1 \ + libcairo2 \ + libcups2 \ + libdbus-1-3 \ + libexpat1 \ + libfontconfig1 \ + libgcc1 \ + libgconf-2-4 \ + libgdk-pixbuf2.0-0 \ + libglib2.0-0 \ + libgtk-3-0 \ + libnspr4 \ + libpango-1.0-0 \ + 
libpangocairo-1.0-0 \ + libx11-6 \ + libx11-xcb1 \ + libxcb1 \ + libxcb-dri3-0 \ + libxcomposite1 \ + libxcursor1 \ + libxdamage1 \ + libxext6 \ + libxfixes3 \ + libxi6 \ + libxrandr2 \ + libxrender1 \ + libxshmfence1 \ + libxss1 \ + libxtst6 \ + fonts-liberation \ + libnss3 \ + libgbm1 \ ; \ rm -rf /var/lib/apt/lists/*; -ENV PATH="/usr/local/nodejs/bin:$PATH" - RUN set -eux; \ ARCH="$(dpkg --print-architecture)"; \ case "${ARCH}" in \ @@ -83,19 +89,22 @@ RUN set -eux; \ ;; \ esac; \ curl -LfsSo /tmp/nodejs.tar.xz ${BINARY_URL}; \ - mkdir -p /usr/local/nodejs; \ - cd /usr/local/nodejs; \ + mkdir -p /opt/node; \ + cd /opt/node; \ tar -xf /tmp/nodejs.tar.xz --strip-components=1; \ - chown -R root /usr/local/nodejs; \ - /usr/local/nodejs/bin/npm install -g yarn; \ - rm -rf /tmp/nodejs.tar.xz; + chown -R root /opt/node; \ + npm install -g yarn; \ + rm -rf /tmp/nodejs.tar.xz; \ + mkdir -p /opt/penpot; \ + chown -R penpot:penpot /opt/penpot; -WORKDIR /opt/app +ADD --chown=penpot:penpot ./bundle-exporter/ /opt/penpot/exporter -ADD ./bundle-exporter/ /opt/app/ +WORKDIR /opt/penpot/exporter +USER penpot:penpot RUN set -ex; \ yarn; \ - npx playwright install chromium; + yarn run playwright install chromium; -CMD ["/usr/local/nodejs/bin/node", "app.js"] +CMD ["node", "app.js"]
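Review bot: Moving `DEBIAN_FRONTEND=noninteractive` from `ARG` into the `ENV` block bakes a build-only setting into the runtime environment of every container started from this image; keep `ARG DEBIAN_FRONTEND=noninteractive` and leave only `LANG`, `LC_ALL`, `NODE_VERSION` and `PATH` in `ENV`. The second `apt-get -qqy install` (the long library list, only re-indented here) still omits `--no-install-recommends`, unlike the first one, so recommended packages are pulled into an image that renders user-supplied content in Chromium. Adding the flag would trim that surface, provided the exporter is re-tested for any library that was arriving only as a recommendation.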
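Review bot: The account that runs `node app.js` also owns the application tree: `ADD --chown=penpot:penpot` plus running `yarn` after `USER penpot:penpot` leaves `/opt/penpot/exporter` and its `node_modules` writable by the runtime user, so a compromised exporter process could still rewrite its own code. If the exporter does not need to write there at runtime, copy and install as root (`COPY ./bundle-exporter/ /opt/penpot/exporter`), move `USER penpot:penpot` to just before `CMD`, and point the browser download at a path the user can read, e.g. `ENV PLAYWRIGHT_BROWSERS_PATH=/opt/penpot/browsers` (example path). Separately, no digest check is visible between `curl -LfsSo /tmp/nodejs.tar.xz ${BINARY_URL}` and `tar -xf`, so the Node tarball for the bumped version is unpacked and run as root unverified. A `sha256sum -c` step against a per-architecture value pinned in the Dockerfile would close that. The Node-install `RUN` and its `case` block start above this hunk, so `BINARY_URL` itself is not reviewed here.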