From 049f85221e945b90bf87d21afe4d306839d65740 Mon Sep 17 00:00:00 2001 From: Bastien Wirtz Date: Sun, 10 Apr 2022 11:55:11 +0200 Subject: [PATCH] Simplify the container starting process to allow it to run with a unprivileged user --- Dockerfile | 20 ++++++++++++-------- Dockerfile.arm32v7 | 10 ++++++---- Dockerfile.arm64v8 | 10 ++++++---- README.md | 25 +++++++++---------------- docker-compose.yml | 7 +++---- entrypoint.sh | 25 ++++++++++--------------- lighttpd.conf | 4 ++-- src/assets/app.scss | 4 ++++ 8 files changed, 52 insertions(+), 53 deletions(-) diff --git a/Dockerfile b/Dockerfile index ffe50c4..0e9d51a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,24 +12,28 @@ RUN yarn build # production stage FROM alpine:3.15 -ENV USER lighttpd -ENV GROUP lighttpd -ENV GID 911 -ENV UID 911 +ENV GID 1000 +ENV UID 1000 ENV PORT 8080 ENV SUBFOLDER "/_" +ENV INIT_ASSETS 1 -RUN addgroup -S ${GROUP} -g ${GID} && adduser -D -S -u ${UID} ${USER} ${GROUP} && \ +RUN addgroup -S lighttpd -g ${GID} && adduser -D -S -u ${UID} lighttpd lighttpd && \ apk add -U --no-cache lighttpd -COPY entrypoint.sh /entrypoint.sh -COPY lighttpd.conf /lighttpd.conf +WORKDIR /www -COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist /www/ +COPY lighttpd.conf /lighttpd.conf +COPY entrypoint.sh /entrypoint.sh +COPY --from=build-stage --chown=${UID}:${GID} /app/dist /www/ COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist/assets /www/default-assets + +USER ${UID}:${GID} + HEALTHCHECK --interval=30s --timeout=5s --retries=3 \ CMD wget --no-verbose --tries=1 --spider http://127.0.0.1:${PORT}/ || exit 1 EXPOSE ${PORT} VOLUME /www/assets + ENTRYPOINT ["/bin/sh", "/entrypoint.sh"] diff --git a/Dockerfile.arm32v7 b/Dockerfile.arm32v7 index 01a2196..7e1d92b 100644 --- a/Dockerfile.arm32v7 +++ b/Dockerfile.arm32v7 
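Review bot: The context line `COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist/assets /www/default-assets` still expands `USER` and `GROUP`, but this same hunk deletes `ENV USER lighttpd` and `ENV GROUP lighttpd` a few lines above, so at build time both are empty and the default-assets tree is no longer owned by the service user the way the `/app/dist` copy directly above it now is. It should mirror the line before it: `COPY --from=build-stage --chown=${UID}:${GID} /app/dist/assets /www/default-assets`. The entrypoint only reads from `/www/default-assets`, so this is most likely a consistency and read-permission issue rather than a crash, but BuildKit's build checks will also flag the undefined variables. Separately, `ENV GID 1000`, `ENV UID 1000` and `ENV INIT_ASSETS 1` use the legacy space-separated form; `ENV GID=1000` is what the LegacyKeyValueFormat check expects.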
@@ -32,14 +32,16 @@ RUN addgroup -S ${GROUP} -g ${GID} && adduser -D -S -u ${UID} ${USER} ${GROUP} & apk add -U --no-cache lighttpd && \ rm /usr/bin/qemu-arm-static -COPY entrypoint.sh /entrypoint.sh -COPY lighttpd.conf /lighttpd.conf +WORKDIR /www +COPY lighttpd.conf /lighttpd.conf COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist /www/ -COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist/assets /www/default-assets + +USER ${USER} HEALTHCHECK --interval=30s --timeout=5s --retries=3 \ CMD wget --no-verbose --tries=1 --spider http://127.0.0.1:${PORT}/ || exit 1 EXPOSE ${PORT} VOLUME /www/assets -ENTRYPOINT ["/bin/sh", "/entrypoint.sh"] + +CMD ["lighttpd", "-D", "-f", "/lighttpd.conf"] diff --git a/Dockerfile.arm64v8 b/Dockerfile.arm64v8 index f9e6675..573a2e4 100644 --- a/Dockerfile.arm64v8 +++ b/Dockerfile.arm64v8 @@ -32,14 +32,16 @@ RUN addgroup -S ${GROUP} -g ${GID} && adduser -D -S -u ${UID} ${USER} ${GROUP} & apk add -U --no-cache lighttpd && \ rm /usr/bin/qemu-aarch64-static -COPY entrypoint.sh /entrypoint.sh -COPY lighttpd.conf /lighttpd.conf +WORKDIR /www +COPY lighttpd.conf /lighttpd.conf COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist /www/ -COPY --from=build-stage --chown=${USER}:${GROUP} /app/dist/assets /www/default-assets + +USER ${USER} HEALTHCHECK --interval=30s --timeout=5s --retries=3 \ CMD wget --no-verbose --tries=1 --spider http://127.0.0.1:${PORT}/ || exit 1 EXPOSE ${PORT} VOLUME /www/assets -ENTRYPOINT ["/bin/sh", "/entrypoint.sh"] + +CMD ["lighttpd", "-D", "-f", "/lighttpd.conf"] diff --git a/README.md b/README.md index 57185a7..6ac71e6 100644 --- a/README.md +++ b/README.md @@ -71,8 +71,6 @@ See [documentation](docs/configuration.md) for information about the configurati ### Using docker -To launch container: - ```sh docker run -d \ -p 8080:8080 \ 
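Review bot: This hunk (and the identical one in Dockerfile.arm64v8) drops `COPY entrypoint.sh /entrypoint.sh`, the `/www/default-assets` copy and the `ENTRYPOINT`, and starts lighttpd straight from `CMD ["lighttpd", "-D", "-f", "/lighttpd.conf"]`, so the `INIT_ASSETS` handling and default-config install that entrypoint.sh implements in this same patch never run on the arm images, while the README documents `INIT_ASSETS` without qualification. The arm files also keep `USER ${USER}` (a name) where the main Dockerfile switches to `USER ${UID}:${GID}`; a numeric UID is what runtimes enforcing `runAsNonRoot` can verify. The `ENV USER`/`ENV GROUP` lines are outside the hunk, so I can only see from the `RUN addgroup` context in the hunk header that `${USER}`, `${GROUP}`, `${UID}` and `${GID}` are still referenced here. Unless the divergence is deliberate, I would align these stages with the main Dockerfile:
```dockerfile
WORKDIR /www

COPY lighttpd.conf /lighttpd.conf
COPY entrypoint.sh /entrypoint.sh
COPY --from=build-stage --chown=${UID}:${GID} /app/dist /www/
COPY --from=build-stage --chown=${UID}:${GID} /app/dist/assets /www/default-assets

USER ${UID}:${GID}

# … unchanged: HEALTHCHECK, EXPOSE, VOLUME …

ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]
```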
@@ -81,16 +79,19 @@ docker run -d \ b4bz/homer:latest ``` -Default assets will be automatically installed in the `/www/assets` directory. Use `UID` and/or `GID` env var to change the assets owner (`docker run -e "UID=1000" -e "GID=1000" [...]`). +Environment variables: + +* **`INIT_ASSETS`** (default: `1`) +Install exemple configuration file & assets (favicons, ...) to help you get started. -## Host in subfolder +* **`SUBFOLDER`** (default: `null`) +If you would like to host Homer in a subfolder, (ex: *http://my-domain/**homer***), set this to the subfolder path (ex `/homer`). -If you would like to host Homer in a subfolder, for e.g. behind a reverse proxy, supply the name of subfolder by using the `SUBFOLDER` env var. ### Using docker-compose The `docker-compose.yml` file must be edited to match your needs. -Set the port and volume (equivalent to `-p` and `-v` arguments): +You probably want to set the port mapping and volume binding (equivalent to `-p` and `-v` arguments): ```yaml volumes: @@ -99,21 +100,13 @@ ports: - 8080:8080 ``` -To launch container: +Then launch the container: ```sh -cd /path/to/docker-compose.yml +cd /path/to/docker-compose.yml/ docker-compose up -d ``` -Default assets will be automatically installed in the `/www/assets` directory. Use `UID` and/or `GID` env var to change the assets owner, also in `docker-compose.yml`: - -```yaml -environment: - - UID=1000 - - GID=1000 -``` - ### Using the release tarball (prebuilt, ready to use) Download and extract the latest release (`homer.zip`) from the [release page](https://github.com/bastienwirtz/homer/releases), rename the `assets/config.yml.dist` file to `assets/config.yml`, and put it behind a web server. diff --git a/docker-compose.yml b/docker-compose.yml index 884703c..231e72a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -10,7 +10,6 @@ services: - /your/local/assets/:/www/assets ports: - 8080:8080 - #environment: - # - UID=1000 - # - GID=1000 - restart: unless-stopped + user: 1000:1000 # default + environment: + - INIT_ASSETS=1 # default diff --git a/entrypoint.sh b/entrypoint.sh index e10e17e..eba1cb2 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,23 +1,18 @@ #!/bin/sh -# Ensure default assets are present. -while true; do echo n; done | cp -Ri /www/default-assets/* /www/assets/ &> /dev/null +PERMISSION_ERROR="Check assets directory permissions & docker user or skip default assets install by setting the INIT_ASSETS env var to 0" -# Ensure compatibility with previous version (config.yml was in the root directory) -if [ -f "/www/config.yml" ]; then - yes n | cp -i /www/config.yml /www/assets/ &> /dev/null -fi - -# Install default config if no one is available. -yes n | cp -i /www/default-assets/config.yml.dist /www/assets/config.yml &> /dev/null +# Default assets & exemple configuration installation if possible. +if [[ "${INIT_ASSETS}" == "1" ]] && [[ ! -f "/www/config.yml" ]]; then + echo "No configuration found, installing default config & assets" + if [[ ! -w "/www/assets/" ]]; then echo "Assets directory not writable. $PERMISSION_ERROR" && exit 1; fi + + while true; do echo n; done | cp -Ri /www/default-assets/* /www/assets/ &> /dev/null + if [[ $? -ne 0 ]]; then echo "Fail to copy default assets. $PERMISSION_ERROR" && exit 1; fi -# Create symbolic link for hosting in subfolder. -if [[ -n "${SUBFOLDER}" ]]; then - ln -s /www "/www/$SUBFOLDER" - chown -h $USER:$GROUP "/www/$SUBFOLDER" + yes n | cp -i /www/default-assets/config.yml.dist /www/assets/config.yml &> /dev/null + if [[ $? -ne 0 ]]; then echo "Fail to copy default config file. $PERMISSION_ERROR" && exit 1; fi fi -chown -R $UID:$GID /www/assets - echo "Starting webserver" lighttpd -D -f /lighttpd.conf diff --git a/lighttpd.conf b/lighttpd.conf index 04b0bed..32e14da 100644 --- a/lighttpd.conf +++ b/lighttpd.conf 
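Review bot: `-    restart: unless-stopped` is removed together with the commented-out `UID`/`GID` block, which looks unintended: neither the commit message nor the README changes mention dropping the restart policy, and the new `user:` and `environment:` keys do not replace it. If it was not meant to go, keep `restart: unless-stopped` alongside `user: 1000:1000`. Consider also quoting the user value, `user: "1000:1000"`, because unquoted `a:b` scalars are read as sexagesimal integers by YAML 1.1 parsers for some digit combinations (`10:10` becomes 610), and the quoted form stays a string for any uid:gid a user substitutes.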
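Review bot: The new guard `if [[ "${INIT_ASSETS}" == "1" ]] && [[ ! -f "/www/config.yml" ]]; then` tests the legacy root-level `/www/config.yml`, not `/www/assets/config.yml` where the script installs the config a few lines later, so on every restart after the first it still prints "No configuration found, installing default config & assets" and re-runs the copies, and with a non-writable assets mount it now exits 1 at the `-w "/www/assets/"` check even though a config is already in place. Checking the real location, `[[ ! -f "/www/assets/config.yml" ]]`, makes both the log and the writability check accurate; the old compatibility copy from `/www/config.yml` into `/www/assets/` is dropped here without a note, so users on the previous layout may need that mentioned in the README. The script runs under `#!/bin/sh` via `ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]` but relies on `[[ ]]` and `&>`, which are bash extensions; they appear to work on Alpine's busybox ash, but `if ! cp ... > /dev/null 2>&1; then` is portable and also removes the separate `$?` checks. Lastly, the final `lighttpd -D -f /lighttpd.conf` (context here) should be `exec lighttpd -D -f /lighttpd.conf` so lighttpd becomes PID 1 and receives the stop signal directly instead of through the shell.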
@@ -2,8 +2,8 @@ include "/etc/lighttpd/mime-types.conf" server.port = env.PORT server.modules = ( "mod_alias" ) -server.username = env.USER -server.groupname = env.GROUP +server.username = "lighttpd" +server.groupname = "lighttpd" server.document-root = "/www" alias.url = ( env.SUBFOLDER => "/www" ) server.indexfiles = ("index.html") diff --git a/src/assets/app.scss b/src/assets/app.scss index aa8b077..ae2cb6b 100644 --- a/src/assets/app.scss +++ b/src/assets/app.scss @@ -104,6 +104,10 @@ body { .dashboard-title { padding: 6px 0 0 80px; + + &.no-logo { + padding-left: 0; + } } .first-line { -- 2.41.0
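Review bot: `server.username = "lighttpd"` and `server.groupname = "lighttpd"` are now fixed literals while the process user is chosen elsewhere in this patch (`USER ${UID}:${GID}` in the Dockerfile, `user: 1000:1000` in docker-compose.yml), and as far as I recall lighttpd only applies these when it starts as root, so under the new setup they are a fallback that is silently ignored. A comment above them, `# Only honoured when lighttpd starts as root; the image already runs as the unprivileged user set in the Dockerfile`, would stop the next reader from expecting this account to be the uid the container actually runs as. If they are meant to remain the floor for root starts, note that this account's uid changes from 911 to 1000 in the same patch.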