Merge pull request #5111 from penpot/bameda-docker-use-nginx-unprivileged-base-image

🐳 Use nginx-unprivileged as base image

CHANGES.md

@@ -6,6 +6,8 @@
 
 ### :boom: Breaking changes & Deprecations
 
+- Use [nginx-unprivileged](https://hub.docker.com/r/nginxinc/nginx-unprivileged) as base image for Penpot's frontend docker image. Now all the docker images runs with the same unprivileged user (penpot). Because of that, the default NGINX listen port now is 8080, instead of 80, so you will have to modify your infrastructure to apply this change.
+
 ### :heart: Community contributions (Thank you!)
 
 ### :sparkles: New features

docker/devenv/Dockerfile

@@ -1,5 +1,5 @@
 FROM debian:bookworm
-LABEL maintainer="Andrey Antukh <niwi@niwi.nz>"
+LABEL maintainer="Penpot <docker@penpot.app>"
 
 ARG DEBIAN_FRONTEND=noninteractive
 

docker/images/Dockerfile.backend

@@ -1,6 +1,6 @@
 FROM ubuntu:22.04
+LABEL maintainer="Penpot <docker@penpot.app>"
 
-LABEL maintainer="Andrey Antukh <niwi@niwi.nz>"
 ENV LANG='en_US.UTF-8' \
     LC_ALL='en_US.UTF-8' \
     JAVA_HOME="/opt/jdk" \

docker/images/Dockerfile.exporter

@@ -1,5 +1,5 @@
 FROM ubuntu:22.04
-LABEL maintainer="Andrey Antukh <niwi@niwi.nz>"
+LABEL maintainer="Penpot <docker@penpot.app>"
 
 ENV LANG=en_US.UTF-8 \
     LC_ALL=en_US.UTF-8 \

docker/images/Dockerfile.frontend

@@ -1,5 +1,7 @@
-FROM nginx:1.23
+FROM nginxinc/nginx-unprivileged:1.27.1
-LABEL maintainer="Andrey Antukh <niwi@niwi.nz>"
+LABEL maintainer="Penpot <docker@penpot.app>"
+
+USER root
 
 RUN set -ex; \
     useradd -U -M -u 1001 -s /bin/false -d /opt/penpot penpot; \
@@ -12,5 +14,13 @@ ADD ./files/nginx.conf /etc/nginx/nginx.conf.template
 ADD ./files/nginx-mime.types /etc/nginx/mime.types
 ADD ./files/nginx-entrypoint.sh /entrypoint.sh
 
+RUN chown -R 1001:0 /var/cache/nginx; \
+    chmod -R g+w /var/cache/nginx; \
+    chown -R 1001:0 /etc/nginx; \
+    chmod -R g+w /etc/nginx; \
+    chown -R 1001:0 /var/www; \
+    chmod -R g+w /var/www;
+
+USER penpot:penpot
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 CMD ["nginx", "-g", "daemon off;"]

docker/images/docker-compose.yaml

@@ -35,7 +35,7 @@ services:
     image: "penpotapp/frontend:latest"
     restart: always
     ports:
-      - 9001:80
+      - 9001:8080
 
     volumes:
       - penpot_assets:/opt/data/assets

docker/images/files/nginx.conf

@@ -1,6 +1,5 @@
-user www-data;
 worker_processes auto;
-pid /run/nginx.pid;
+pid /tmp/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
 
 events {
@@ -9,6 +8,12 @@ events {
 }
 
 http {
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+
     sendfile on;
     tcp_nopush on;
     tcp_nodelay on;
@@ -56,7 +61,7 @@ http {
     include /etc/nginx/overrides.d/*.conf;
 
     server {
-        listen 80 default_server;
+        listen 8080 default_server;
         server_name _;
 
         client_max_body_size 100M;

manage.sh

@@ -178,17 +178,24 @@ function build-exporter-bundle {
     echo ">> bundle exporter end";
 }
 
-function build-docker-images {
+function build-frontend-docker-images {
     rsync -avr --delete ./bundles/frontend/ ./docker/images/bundle-frontend/;
-    rsync -avr --delete ./bundles/backend/ ./docker/images/bundle-backend/;
-    rsync -avr --delete ./bundles/exporter/ ./docker/images/bundle-exporter/;
-
     pushd ./docker/images;
-
     docker build -t penpotapp/frontend:$CURRENT_BRANCH -t penpotapp/frontend:latest -f Dockerfile.frontend .;
-    docker build -t penpotapp/backend:$CURRENT_BRANCH -t penpotapp/backend:latest -f Dockerfile.backend .;
+    popd;
-    docker build -t penpotapp/exporter:$CURRENT_BRANCH -t penpotapp/exporter:latest -f Dockerfile.exporter .;
+}
 
+function build-backend-docker-images {
+    rsync -avr --delete ./bundles/backend/ ./docker/images/bundle-backend/;
+    pushd ./docker/images;
+    docker build -t penpotapp/backend:$CURRENT_BRANCH -t penpotapp/backend:latest -f Dockerfile.backend .;
+    popd;
+}
+
+function build-exporter-docker-images {
+    rsync -avr --delete ./bundles/exporter/ ./docker/images/bundle-exporter/;
+    pushd ./docker/images;
+    docker build -t penpotapp/exporter:$CURRENT_BRANCH -t penpotapp/exporter:latest -f Dockerfile.exporter .;
     popd;
 }
 
@@ -198,12 +205,26 @@ function usage {
     echo "Options:"
     echo "- pull-devenv                      Pulls docker development oriented image"
     echo "- build-devenv                     Build docker development oriented image"
+    echo "- build-devenv-local               Build a local docker development oriented image"
     echo "- create-devenv                    Create the development oriented docker compose service."
     echo "- start-devenv                     Start the development oriented docker compose service."
     echo "- stop-devenv                      Stops the development oriented docker compose service."
     echo "- drop-devenv                      Remove the development oriented docker compose containers, volumes and clean images."
     echo "- run-devenv                       Attaches to the running devenv container and starts development environment"
+    echo "- run-devenv-shell                 Attaches to the running devenv container and starts a bash shell."
+    echo "- log-devenv                       Show logs of the running devenv docker compose service."
     echo ""
+    echo "- build-bundle                     Build all bundles (frontend, backend and exporter)."
+    echo "- build-frontend-bundle            Build frontend bundle"
+    echo "- build-backend-bundle             Build backend bundle."
+    echo "- build-exporter-bundle            Build exporter bundle."
+    echo ""
+    echo "- build-docker-images              Build all docker images (frontend, backend and exporter)."
+    echo "- build-frontend-docker-images     Build frontend docker images."
+    echo "- build-backend-docker-images      Build backend docker images."
+    echo "- build-exporter-docker-images     Build exporter docker images."
+    echo ""
+    echo "- version                          Show penpot's version."
 }
 
 case $1 in
@@ -224,10 +245,6 @@ case $1 in
         build-devenv-local ${@:2}
         ;;
 
-    push-devenv)
-        push-devenv ${@:2}
-        ;;
-
     create-devenv)
         create-devenv ${@:2}
         ;;
@@ -251,7 +268,7 @@ case $1 in
         log-devenv ${@:2}
         ;;
 
-    # production builds
+    ## production builds
     build-bundle)
         build-frontend-bundle;
         build-backend-bundle;
@@ -271,10 +288,23 @@ case $1 in
         ;;
 
     build-docker-images)
-        build-docker-images
+        build-frontend-docker-images
+        build-backend-docker-images
+        build-exporter-docker-images
+        ;;
+
+    build-frontend-docker-images)
+        build-frontend-docker-images
+        ;;
+
+    build-backend-docker-images)
+        build-backend-docker-images
+        ;;
+
+    build-exporter-docker-images)
+        build-exporter-docker-images
         ;;
 
-    # Docker Image Tasks
     *)
         usage
         ;;