feat(docker): enhance entrypoint script with gosu for privilege handling and improve healthcheck command
+4
-1
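--- a/<dockerfile-path-not-on-page>
+++ b/<dockerfile-path-not-on-page>
@@ -36,7 +36,10 @@ FROM node:22-slim AS runner
 
 WORKDIR /app
 
-# node:22-slim already has user 'node' with UID 1000 - we'll use that
+# Install gosu for reliable privilege dropping
+RUN apt-get update && apt-get install -y --no-install-recommends gosu \
+&& rm -rf /var/lib/apt/lists/* \
+&& gosu nobody true
 
 # Copy built application
 COPY --from=builder /app/node_modules ./node_modules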
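Review bot: The replaced comment was the only visible place recording that this image ships a `node` user with UID 1000, and the entrypoint's su fallback in this same commit still depends on that user (`exec su -s /bin/sh node ...`), so the fact should stay documented next to the gosu install, e.g. `# node:22-slim ships user 'node' (UID 1000); PUID/PGID default to it and the entrypoint falls back to 'node' when PUID has no passwd entry`. Because this stage always installs gosu, the su-exec and su branches of the entrypoint are unreachable in the built image; if that is intended, a one-line comment here saying the fallbacks exist only for other base images saves the next reader a cross-check. The `gosu nobody true` self-test is a good addition and worth keeping as the last step of the RUN.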
@@ -5,9 +5,40 @@ set -e
|
|||||||
PUID=${PUID:-1000}
|
PUID=${PUID:-1000}
|
||||||
PGID=${PGID:-1000}
|
PGID=${PGID:-1000}
|
||||||
|
|
||||||
|
echo "[entrypoint] Starting with PUID=$PUID, PGID=$PGID"
|
||||||
|
|
||||||
# Ensure data directory exists and has correct ownership
|
# Ensure data directory exists and has correct ownership
|
||||||
mkdir -p /app/data
|
mkdir -p /app/data
|
||||||
|
echo "[entrypoint] Created /app/data"
|
||||||
|
|
||||||
chown -R "$PUID:$PGID" /app/data
|
chown -R "$PUID:$PGID" /app/data
|
||||||
|
echo "[entrypoint] Set ownership of /app/data to $PUID:$PGID"
|
||||||
|
|
||||||
|
# Check if we can write to data directory
|
||||||
|
if touch /app/data/.write-test 2>/dev/null; then
|
||||||
|
rm -f /app/data/.write-test
|
||||||
|
echo "[entrypoint] Write test passed"
|
||||||
|
else
|
||||||
|
echo "[entrypoint] ERROR: Cannot write to /app/data"
|
||||||
|
ls -la /app/
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
# Execute the main command as the specified user
|
# Execute the main command as the specified user
|
||||||
exec runuser -u "#$PUID" -- "$@"
|
# Try different methods for dropping privileges
|
||||||
|
if command -v gosu >/dev/null 2>&1; then
|
||||||
|
echo "[entrypoint] Using gosu"
|
||||||
|
exec gosu "$PUID:$PGID" "$@"
|
||||||
|
elif command -v su-exec >/dev/null 2>&1; then
|
||||||
|
echo "[entrypoint] Using su-exec"
|
||||||
|
exec su-exec "$PUID:$PGID" "$@"
|
||||||
|
else
|
||||||
|
echo "[entrypoint] Using su"
|
||||||
|
# Create a temporary user with the specified UID if it doesn't exist
|
||||||
|
if ! id -u "$PUID" >/dev/null 2>&1; then
|
||||||
|
echo "[entrypoint] UID $PUID doesn't exist, running as node user"
|
||||||
|
exec su -s /bin/sh node -c "exec $*"
|
||||||
|
else
|
||||||
|
exec su -s /bin/sh "#$PUID" -c "exec $*"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|||||||
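Review bot: The su branch rebuilds the command from `"exec $*"`, so arguments containing spaces or shell metacharacters are re-split and re-interpreted by the target shell, while the gosu and su-exec branches pass `"$@"` intact; the same effect without re-parsing is `exec su -s /bin/sh -c 'exec "$0" "$@"' -- node "$@"` (and the `"#$PUID"` form likewise), which util-linux su hands to the shell as positional parameters — confirm the image's su accepts trailing arguments before relying on it. The write test runs before privileges are dropped, so `Write test passed` only shows that the entrypoint's current user (presumably root) can write to /app/data, not the `$PUID:$PGID` user the service will run as; either run the probe as that user after the chown, e.g. `gosu "$PUID:$PGID" touch /app/data/.write-test`, or drop the test and its message. PUID and PGID are interpolated unvalidated into `chown`, `gosu` and `su "#$PUID"`, so a guard such as `case "$PUID$PGID" in *[!0-9]*) echo "[entrypoint] PUID/PGID must be numeric" >&2; exit 1;; esac` before the chown turns a malformed value into a clear early failure. The script's shebang and `set -e` line precede this hunk.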
+2
-2
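--- a/<compose-file-path-not-on-page>
+++ b/<compose-file-path-not-on-page>
@@ -20,13 +20,13 @@ services:
 # Security options
 security_opt:
 - no-new-privileges:true
-read_only: true
+# Note: read_only removed - entrypoint needs to fix permissions at startup
 tmpfs:
 - /tmp:noexec,nosuid,size=64m
 cap_drop:
 - ALL
 healthcheck:
-test: ["CMD", "/nodejs/bin/node", "-e", "fetch('http://localhost:3000/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"]
+test: ["CMD", "node", "-e", "fetch('http://localhost:3000/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"]
 interval: 30s
 timeout: 10s
 retries: 3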
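Review bot: Removing `read_only: true` gives up the immutable root filesystem for a permission fix that only touches /app/data; if /app/data is a volume or bind mount (not visible in this hunk) it remains writable under `read_only: true`, so the flag can stay alongside the existing `tmpfs` entry for /tmp and the `# Note:` line should instead explain why the data directory is mounted writable. The retained `cap_drop: - ALL` is also at odds with the new entrypoint, whose `chown -R` and `exec gosu` need CAP_CHOWN and CAP_SETUID/CAP_SETGID; unless a `cap_add` outside this hunk restores them, the container will fail at startup with an operation-not-permitted error, which a single test run would confirm. If capabilities are added back, document the reason next to them, e.g. `# CHOWN/SETUID/SETGID are required by the entrypoint's chown and gosu steps`, so they are not removed again as an unexplained hardening regression.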