Simplify the container starting process to allow it to run with a

unprivileged user
2024-10-04 17:32:24 +02:00 · 2022-04-10 11:55:11 +02:00 · 2022-04-10 11:55:11 +02:00 · 049f85221e
commit 049f85221e
parent cd75da69f9
8 changed files with 53 additions and 54 deletions
--- a/20
+++ b/20
@ -12,24 +12,28 @@ RUN yarn build
 # production stage
 FROM alpine:3.15

-ENV USER lighttpd
-ENV GROUP lighttpd
-ENV GID 911
-ENV UID 911
+ENV GID 1000
+ENV UID 1000
 ENV PORT 8080
 ENV SUBFOLDER "/_"
+ENV INIT_ASSETS 1

-RUN addgroup -S ${GROUP} -g ${GID} && adduser -D -S -u ${UID} ${USER} ${GROUP} && \
+RUN addgroup -S lighttpd -g ${GID} && adduser -D -S -u ${UID} lighttpd lighttpd && \
    apk add -U --no-cache lighttpd

-COPY entrypoint.sh /entrypoint.sh
-COPY lighttpd.conf /lighttpd.conf
+WORKDIR /www

-COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist /www/
+COPY lighttpd.conf /lighttpd.conf
+COPY entrypoint.sh /entrypoint.sh
+COPY --from=build-stage --chown=${UID}:${GID} /app/dist /www/
 COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist/assets /www/default-assets
+
+USER ${UID}:${GID}
+
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://127.0.0.1:${PORT}/ || exit 1

 EXPOSE ${PORT}
 VOLUME /www/assets
+
 ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]
--- a/Dockerfile.arm32v7
+++ b/Dockerfile.arm32v7
@ -32,14 +32,16 @@ RUN addgroup -S ${GROUP} -g ${GID} && adduser -D -S -u ${UID} ${USER} ${GROUP} &
    apk add -U --no-cache lighttpd && \
    rm /usr/bin/qemu-arm-static

-COPY entrypoint.sh /entrypoint.sh
-COPY lighttpd.conf /lighttpd.conf
+WORKDIR /www

+COPY lighttpd.conf /lighttpd.conf
 COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist /www/
-COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist/assets /www/default-assets
+
+USER ${USER}
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://127.0.0.1:${PORT}/ || exit 1

 EXPOSE ${PORT}
 VOLUME /www/assets
-ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]
+
+CMD ["lighttpd", "-D", "-f", "/lighttpd.conf"]
--- a/Dockerfile.arm64v8
+++ b/Dockerfile.arm64v8
@ -32,14 +32,16 @@ RUN addgroup -S ${GROUP} -g ${GID} && adduser -D -S -u ${UID} ${USER} ${GROUP} &
    apk add -U --no-cache lighttpd && \
    rm /usr/bin/qemu-aarch64-static

-COPY entrypoint.sh /entrypoint.sh
-COPY lighttpd.conf /lighttpd.conf
+WORKDIR /www

+COPY lighttpd.conf /lighttpd.conf
 COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist /www/
-COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist/assets /www/default-assets
+
+USER ${USER}
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://127.0.0.1:${PORT}/ || exit 1

 EXPOSE ${PORT}
 VOLUME /www/assets
-ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]
+
+CMD ["lighttpd", "-D", "-f", "/lighttpd.conf"]
--- a/README.md
+++ b/README.md
@ -71,8 +71,6 @@ See [documentation](docs/configuration.md) for information about the configurati

 ### Using docker

-To launch container:
-
 ```sh
 docker run -d \
  -p 8080:8080 \
@ -81,16 +79,19 @@ docker run -d \
  b4bz/homer:latest
 ```

-Default assets will be automatically installed in the `/www/assets` directory. Use `UID` and/or `GID` env var to change the assets owner (`docker run -e "UID=1000" -e "GID=1000" [...]`).
+Environment variables: 

-## Host in subfolder
+* **`INIT_ASSETS`** (default: `1`)
+Install exemple configuration file & assets (favicons, ...) to help you get started.
+
+* **`SUBFOLDER`** (default: `null`)
+If you would like to host Homer in a subfolder, (ex: *http://my-domain/**homer***), set this to the subfolder path (ex `/homer`).

-If you would like to host Homer in a subfolder, for e.g. behind a reverse proxy, supply the name of subfolder by using the `SUBFOLDER` env var.

 ### Using docker-compose

 The `docker-compose.yml` file must be edited to match your needs.
-Set the port and volume (equivalent to `-p` and `-v` arguments):
+You probably want to set the port mapping and volume binding (equivalent to `-p` and `-v` arguments):

 ```yaml
 volumes:
@ -99,21 +100,13 @@ ports:
  - 8080:8080
 ```

-To launch container:
+Then launch the container:

 ```sh
-cd /path/to/docker-compose.yml
+cd /path/to/docker-compose.yml/
 docker-compose up -d
 ```

-Default assets will be automatically installed in the `/www/assets` directory. Use `UID` and/or `GID` env var to change the assets owner, also in `docker-compose.yml`:
-
-```yaml
-environment:
-  - UID=1000
-  - GID=1000
-```
-
 ### Using the release tarball (prebuilt, ready to use)

 Download and extract the latest release (`homer.zip`) from the [release page](https://github.com/bastienwirtz/homer/releases), rename the `assets/config.yml.dist` file to `assets/config.yml`, and put it behind a web server.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -10,7 +10,6 @@ services:
      - /your/local/assets/:/www/assets
    ports:
      - 8080:8080
-    #environment:
-    #  - UID=1000
-    #  - GID=1000
-    restart: unless-stopped
+    user: 1000:1000 # default
+    environment:
+      - INIT_ASSETS=1 # default
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,23 +1,18 @@
 #!/bin/sh

-# Ensure default assets are present.
-while true; do echo n; done | cp -Ri /www/default-assets/* /www/assets/ &> /dev/null
+PERMISSION_ERROR="Check assets directory permissions & docker user or skip default assets install by setting the INIT_ASSETS env var to 0"

-# Ensure compatibility with previous version (config.yml was in the root directory)
-if [ -f "/www/config.yml" ]; then
-    yes n | cp -i /www/config.yml /www/assets/ &> /dev/null
+# Default assets & exemple configuration installation if possible.
+if [[ "${INIT_ASSETS}" == "1" ]] && [[ ! -f "/www/config.yml" ]]; then
+    echo "No configuration found, installing default config & assets"
+    if [[ ! -w "/www/assets/" ]]; then echo "Assets directory not writable. $PERMISSION_ERROR" && exit 1; fi
+    
+    while true; do echo n; done | cp -Ri /www/default-assets/* /www/assets/ &> /dev/null
+    if [[ $? -ne 0 ]]; then echo "Fail to copy default assets. $PERMISSION_ERROR" && exit 1; fi
+
+    yes n | cp -i /www/default-assets/config.yml.dist /www/assets/config.yml &> /dev/null
+    if [[ $? -ne 0 ]]; then echo "Fail to copy default config file. $PERMISSION_ERROR" && exit 1; fi
 fi

-# Install default config if no one is available.
-yes n | cp -i /www/default-assets/config.yml.dist /www/assets/config.yml &> /dev/null
-
-# Create symbolic link for hosting in subfolder.
-if [[ -n "${SUBFOLDER}" ]]; then
-  ln -s /www "/www/$SUBFOLDER"
-  chown -h $USER:$GROUP "/www/$SUBFOLDER"
-fi
-
-chown -R $UID:$GID /www/assets
-
 echo "Starting webserver"
 lighttpd -D -f /lighttpd.conf
--- a/lighttpd.conf
+++ b/lighttpd.conf
@ -2,8 +2,8 @@ include "/etc/lighttpd/mime-types.conf"

 server.port           = env.PORT
 server.modules        = ( "mod_alias" )
-server.username       = env.USER
-server.groupname      = env.GROUP
+server.username       = "lighttpd"
+server.groupname      = "lighttpd"
 server.document-root  = "/www"
 alias.url             = ( env.SUBFOLDER => "/www" )
 server.indexfiles     = ("index.html")
--- a/src/assets/app.scss
+++ b/src/assets/app.scss
@ -104,6 +104,10 @@ body {

    .dashboard-title {
      padding: 6px 0 0 80px;
+
+      &.no-logo {
+        padding-left: 0;
+      }
    }

    .first-line {