feat!: default to nobody:nogroup in containers (#1019)

onedr0p · May 14, 2024 · 85811a6 · 85811a6
1 parent a0dd346
commit 85811a6
Show file tree

Hide file tree

Showing 18 changed files with 44 additions and 21 deletions.
diff --git a/apps/bazarr/Dockerfile b/apps/bazarr/Dockerfile
@@ -62,6 +62,10 @@ RUN \
 COPY ./apps/bazarr/entrypoint.sh /entrypoint.sh
 COPY --from=ghcr.io/linuxserver/unrar:7.0.7 /usr/bin/unrar-alpine /usr/bin/unrar
 
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
 

diff --git a/apps/bazarr/entrypoint.sh b/apps/bazarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 #shellcheck disable=SC2086
 exec \
     /usr/bin/python3 \

diff --git a/apps/jbops/Dockerfile b/apps/jbops/Dockerfile
@@ -56,6 +56,8 @@ RUN apk add --no-cache \
 
 COPY ./apps/jbops/entrypoint.sh /entrypoint.sh
 
+USER nobody:nogroup
+
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
 

diff --git a/apps/lidarr/Dockerfile b/apps/lidarr/Dockerfile
@@ -68,6 +68,10 @@ COPY ./apps/lidarr/config.xml.tmpl /app/config.xml.tmpl
 COPY ./apps/lidarr/entrypoint.sh /entrypoint.sh
 COPY --from=envsubst /go/bin/envsubst /usr/local/bin/envsubst
 
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
 

diff --git a/apps/lidarr/entrypoint.sh b/apps/lidarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 # Discover existing configuration settings for backwards compatibility
 if [[ -f /config/config.xml ]]; then
     current_log_level="$(xmlstarlet sel -t -v "//LogLevel" -nl /config/config.xml)"

diff --git a/apps/plex/Dockerfile b/apps/plex/Dockerfile
@@ -62,5 +62,9 @@ RUN \
 
 COPY ./apps/plex/entrypoint.sh /entrypoint.sh
 
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 ENTRYPOINT [ "/usr/bin/catatonit", "--" ]
 CMD ["/entrypoint.sh"]
diff --git a/apps/prowlarr/Dockerfile b/apps/prowlarr/Dockerfile
@@ -66,6 +66,10 @@ COPY ./apps/prowlarr/config.xml.tmpl /app/config.xml.tmpl
 COPY ./apps/prowlarr/entrypoint.sh /entrypoint.sh
 COPY --from=envsubst /go/bin/envsubst /usr/local/bin/envsubst
 
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
 

diff --git a/apps/prowlarr/entrypoint.sh b/apps/prowlarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 # Discover existing configuration settings for backwards compatibility
 if [[ -f /config/config.xml ]]; then
     current_log_level="$(xmlstarlet sel -t -v "//LogLevel" -nl /config/config.xml)"

diff --git a/apps/qbittorrent/Dockerfile b/apps/qbittorrent/Dockerfile
@@ -52,6 +52,10 @@ RUN \
 COPY ./apps/qbittorrent/scripts/config.py /scripts/config.py
 COPY ./apps/qbittorrent/entrypoint.sh /entrypoint.sh
 
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
 

diff --git a/apps/radarr/Dockerfile b/apps/radarr/Dockerfile
@@ -66,6 +66,10 @@ COPY ./apps/radarr/config.xml.tmpl /app/config.xml.tmpl
 COPY ./apps/radarr/entrypoint.sh /entrypoint.sh
 COPY --from=envsubst /go/bin/envsubst /usr/local/bin/envsubst
 
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
 

diff --git a/apps/radarr/entrypoint.sh b/apps/radarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 # Discover existing configuration settings for backwards compatibility
 if [[ -f /config/config.xml ]]; then
     current_analytics_enabled="$(xmlstarlet sel -t -v "//AnalyticsEnabled" -nl /config/config.xml)"

diff --git a/apps/readarr/Dockerfile b/apps/readarr/Dockerfile
@@ -65,6 +65,10 @@ COPY ./apps/readarr/config.xml.tmpl /app/config.xml.tmpl
 COPY ./apps/readarr/entrypoint.sh /entrypoint.sh
 COPY --from=envsubst /go/bin/envsubst /usr/local/bin/envsubst
 
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
 

diff --git a/apps/readarr/entrypoint.sh b/apps/readarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 # Discover existing configuration settings for backwards compatibility
 if [[ -f /config/config.xml ]]; then
     current_log_level="$(xmlstarlet sel -t -v "//LogLevel" -nl /config/config.xml)"

diff --git a/apps/sabnzbd/Dockerfile b/apps/sabnzbd/Dockerfile
@@ -64,6 +64,10 @@ RUN ln -s /usr/local/bin/par2 /usr/local/bin/par2create \
     && ln -s /usr/local/bin/par2 /usr/local/bin/par2verify
 COPY --from=ghcr.io/linuxserver/unrar:7.0.7 /usr/bin/unrar-alpine /usr/bin/unrar
 
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
 

diff --git a/apps/sabnzbd/entrypoint.sh b/apps/sabnzbd/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 if [[ ! -f "/config/sabnzbd.ini" ]]; then
     printf "Copying over default configuration ...\n"
     mkdir -p /config/sabnzbd

diff --git a/apps/sonarr/Dockerfile b/apps/sonarr/Dockerfile
@@ -66,6 +66,10 @@ COPY ./apps/sonarr/config.xml.tmpl /app/config.xml.tmpl
 COPY ./apps/sonarr/entrypoint.sh /entrypoint.sh
 COPY --from=envsubst /go/bin/envsubst /usr/local/bin/envsubst
 
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
 

diff --git a/apps/sonarr/entrypoint.sh b/apps/sonarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 # Discover existing configuration settings for backwards compatibility
 if [[ -f /config/config.xml ]]; then
     current_log_level="$(xmlstarlet sel -t -v "//LogLevel" -nl /config/config.xml)"

diff --git a/apps/theme-park/Dockerfile b/apps/theme-park/Dockerfile
@@ -5,7 +5,6 @@ ARG VERSION
 ARG CHANNEL
 
 USER root
-ENV NGINX_WEB_ROOT "/usr/share/nginx/html"
 
 #hadolint ignore=DL3008
 RUN \
@@ -20,18 +19,18 @@ RUN \
     && \
     grep -rl 'https://theme-park.dev' /tmp | xargs sed -i 's/https\:\/\/theme-park.dev//g' \
     && \
-    cp -r /tmp/css/ "${NGINX_WEB_ROOT}" \
-    && cp -r /tmp/resources/ "${NGINX_WEB_ROOT}" \
-    && cp /tmp/index.html "${NGINX_WEB_ROOT}" \
+    cp -r /tmp/css/ /usr/share/nginx/html \
+    && cp -r /tmp/resources/ /usr/share/nginx/html \
+    && cp /tmp/index.html /usr/share/nginx/html \
     && apt-get remove -y python3 \
     && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
     && apt-get autoremove -y \
     && apt-get clean \
-    && chown -R nginx:nginx "${NGINX_WEB_ROOT}" \
-    && chmod -R 755 "${NGINX_WEB_ROOT}" \
+    && chown -R nginx:nginx /usr/share/nginx/html \
+    && chmod -R 755 /usr/share/nginx/html \
     && rm -rf /tmp/*
 
 USER nginx
-WORKDIR ${NGINX_WEB_ROOT}
+WORKDIR /usr/share/nginx/html
 
 LABEL org.opencontainers.image.source="https://github.com/themepark-dev/theme.park"