From 85811a65b53fdf7676a3bebbed88d0232cb5e8a1 Mon Sep 17 00:00:00 2001
From: Devin Buhl
Date: Tue, 14 May 2024 13:47:16 -0400
Subject: [PATCH] feat!: default to nobody:nogroup in containers (#1019)

---
 apps/bazarr/Dockerfile      |  4 ++++
 apps/bazarr/entrypoint.sh   |  2 --
 apps/jbops/Dockerfile       |  2 ++
 apps/lidarr/Dockerfile      |  4 ++++
 apps/lidarr/entrypoint.sh   |  2 --
 apps/plex/Dockerfile        |  4 ++++
 apps/prowlarr/Dockerfile    |  4 ++++
 apps/prowlarr/entrypoint.sh |  2 --
 apps/qbittorrent/Dockerfile |  4 ++++
 apps/radarr/Dockerfile      |  4 ++++
 apps/radarr/entrypoint.sh   |  2 --
 apps/readarr/Dockerfile     |  4 ++++
 apps/readarr/entrypoint.sh  |  2 --
 apps/sabnzbd/Dockerfile     |  4 ++++
 apps/sabnzbd/entrypoint.sh  |  2 --
 apps/sonarr/Dockerfile      |  4 ++++
 apps/sonarr/entrypoint.sh   |  2 --
 apps/theme-park/Dockerfile  | 13 ++++++-------
 18 files changed, 44 insertions(+), 21 deletions(-)

diff --git a/apps/bazarr/Dockerfile b/apps/bazarr/Dockerfile
index 8b1b1ba73..add63e5e0 100644
--- a/apps/bazarr/Dockerfile
+++ b/apps/bazarr/Dockerfile
@@ -62,6 +62,10 @@ RUN \
 
 COPY ./apps/bazarr/entrypoint.sh /entrypoint.sh
 COPY --from=ghcr.io/linuxserver/unrar:7.0.7 /usr/bin/unrar-alpine /usr/bin/unrar
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
diff --git a/apps/bazarr/entrypoint.sh b/apps/bazarr/entrypoint.sh
index 776790e74..32abfc9e2 100755
--- a/apps/bazarr/entrypoint.sh
+++ b/apps/bazarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 #shellcheck disable=SC2086
 exec \
     /usr/bin/python3 \
diff --git a/apps/jbops/Dockerfile b/apps/jbops/Dockerfile
index d608a4e2f..0890d345d 100644
--- a/apps/jbops/Dockerfile
+++ b/apps/jbops/Dockerfile
@@ -56,6 +56,8 @@ RUN apk add --no-cache \
 
 
 COPY ./apps/jbops/entrypoint.sh /entrypoint.sh
+USER nobody:nogroup
+
 
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
diff --git a/apps/lidarr/Dockerfile b/apps/lidarr/Dockerfile
index 3ae00d16d..37e98e1a8 100644
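Review bot: `WORKDIR /config` is placed after `USER nobody:nogroup` and nothing in the hunk gives the directory to that user, so with the classic builder (and, I believe, BuildKit before it started honouring USER for WORKDIR) /config is created root-owned 0755 and the unprivileged process cannot write its configuration unless the operator mounts a volume already owned by uid 65534; I cannot see an earlier `RUN` that chowns it. A `RUN mkdir -p /config && chown nobody:nogroup /config` before the `USER` line, or a documented ownership requirement for the mount, would close that gap. Note also that `nobody:nogroup` is resolved by name at container start and, if I recall the Alpine baselayout correctly, `nogroup` is gid 65533 there rather than 65534, so the numeric ids these images run as differ between the Alpine and Debian bases — `USER 65534:65534` would make the expected volume ownership identical across all of them. `VOLUME ["/config"]` additionally means every `docker run` without a bind mount creates an anonymous volume and any later layer of a derived image that writes under /config is discarded, which is a behaviour change beyond the uid switch and worth a line in the changelog. The same applies to the lidarr, plex, prowlarr, qbittorrent, radarr, readarr, sabnzbd and sonarr Dockerfile hunks.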
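Review bot: With `mkdir -p /config` removed, nothing in the script verifies that /config exists and is writable by the uid the container now runs as, and the visible head of each script has no `set -e`, so a later write into /config fails without stopping the script — sabnzbd's hunk shows this directly with its `mkdir -p /config/sabnzbd`. A one-line guard after the shebang fails fast with an actionable message instead: `[[ -w /config ]] || { printf 'error: /config is not writable by uid %s\n' "$(id -u)" >&2; exit 1; }`. The body of each script continues past the hunk. The same applies to the lidarr, prowlarr, radarr, readarr, sabnzbd and sonarr entrypoint hunks.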
--- a/apps/lidarr/Dockerfile
+++ b/apps/lidarr/Dockerfile
@@ -68,6 +68,10 @@ COPY ./apps/lidarr/config.xml.tmpl /app/config.xml.tmpl
 
 COPY ./apps/lidarr/entrypoint.sh /entrypoint.sh
 COPY --from=envsubst /go/bin/envsubst /usr/local/bin/envsubst
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
diff --git a/apps/lidarr/entrypoint.sh b/apps/lidarr/entrypoint.sh
index 1cf194f2c..aab14a3e5 100755
--- a/apps/lidarr/entrypoint.sh
+++ b/apps/lidarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 # Discover existing configuration settings for backwards compatibility
 if [[ -f /config/config.xml ]]; then
     current_log_level="$(xmlstarlet sel -t -v "//LogLevel" -nl /config/config.xml)"
diff --git a/apps/plex/Dockerfile b/apps/plex/Dockerfile
index a4e498a9b..4186418b4 100644
--- a/apps/plex/Dockerfile
+++ b/apps/plex/Dockerfile
@@ -62,5 +62,9 @@ RUN \
 
 COPY ./apps/plex/entrypoint.sh /entrypoint.sh
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 
 ENTRYPOINT [ "/usr/bin/catatonit", "--" ]
 CMD ["/entrypoint.sh"]
diff --git a/apps/prowlarr/Dockerfile b/apps/prowlarr/Dockerfile
index e5ffb78c7..8698bc4c2 100644
--- a/apps/prowlarr/Dockerfile
+++ b/apps/prowlarr/Dockerfile
@@ -66,6 +66,10 @@ COPY ./apps/prowlarr/config.xml.tmpl /app/config.xml.tmpl
 
 COPY ./apps/prowlarr/entrypoint.sh /entrypoint.sh
 COPY --from=envsubst /go/bin/envsubst /usr/local/bin/envsubst
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
diff --git a/apps/prowlarr/entrypoint.sh b/apps/prowlarr/entrypoint.sh
index 92dcd1c27..a6ecf4ba9 100755
--- a/apps/prowlarr/entrypoint.sh
+++ b/apps/prowlarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 # Discover existing configuration settings for backwards compatibility
 if [[ -f /config/config.xml ]]; then
     current_log_level="$(xmlstarlet sel -t -v "//LogLevel" -nl /config/config.xml)"
diff --git a/apps/qbittorrent/Dockerfile b/apps/qbittorrent/Dockerfile
index bfb91bbe5..796f8c4d2 100644
--- a/apps/qbittorrent/Dockerfile
+++ b/apps/qbittorrent/Dockerfile
@@ -52,6 +52,10 @@ RUN \
 
 COPY ./apps/qbittorrent/scripts/config.py /scripts/config.py
 COPY ./apps/qbittorrent/entrypoint.sh /entrypoint.sh
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
diff --git a/apps/radarr/Dockerfile b/apps/radarr/Dockerfile
index 3eafcc526..e340487dc 100644
--- a/apps/radarr/Dockerfile
+++ b/apps/radarr/Dockerfile
@@ -66,6 +66,10 @@ COPY ./apps/radarr/config.xml.tmpl /app/config.xml.tmpl
 
 COPY ./apps/radarr/entrypoint.sh /entrypoint.sh
 COPY --from=envsubst /go/bin/envsubst /usr/local/bin/envsubst
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
diff --git a/apps/radarr/entrypoint.sh b/apps/radarr/entrypoint.sh
index d61c70687..049b91bb0 100755
--- a/apps/radarr/entrypoint.sh
+++ b/apps/radarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 # Discover existing configuration settings for backwards compatibility
 if [[ -f /config/config.xml ]]; then
     current_analytics_enabled="$(xmlstarlet sel -t -v "//AnalyticsEnabled" -nl /config/config.xml)"
diff --git a/apps/readarr/Dockerfile b/apps/readarr/Dockerfile
index 35845e270..3f4f3ab57 100644
--- a/apps/readarr/Dockerfile
+++ b/apps/readarr/Dockerfile
@@ -65,6 +65,10 @@ COPY ./apps/readarr/config.xml.tmpl /app/config.xml.tmpl
 
 COPY ./apps/readarr/entrypoint.sh /entrypoint.sh
 COPY --from=envsubst /go/bin/envsubst /usr/local/bin/envsubst
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
diff --git a/apps/readarr/entrypoint.sh b/apps/readarr/entrypoint.sh
index b97db64be..39bdb16f9 100755
--- a/apps/readarr/entrypoint.sh
+++ b/apps/readarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 # Discover existing configuration settings for backwards compatibility
 if [[ -f /config/config.xml ]]; then
     current_log_level="$(xmlstarlet sel -t -v "//LogLevel" -nl /config/config.xml)"
diff --git a/apps/sabnzbd/Dockerfile b/apps/sabnzbd/Dockerfile
index 4905bf9c7..5ad3ec226 100644
--- a/apps/sabnzbd/Dockerfile
+++ b/apps/sabnzbd/Dockerfile
@@ -64,6 +64,10 @@ RUN ln -s /usr/local/bin/par2 /usr/local/bin/par2create \
     && ln -s /usr/local/bin/par2 /usr/local/bin/par2verify
 
 COPY --from=ghcr.io/linuxserver/unrar:7.0.7 /usr/bin/unrar-alpine /usr/bin/unrar
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
diff --git a/apps/sabnzbd/entrypoint.sh b/apps/sabnzbd/entrypoint.sh
index 77e7cd277..64201da02 100755
--- a/apps/sabnzbd/entrypoint.sh
+++ b/apps/sabnzbd/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 if [[ ! -f "/config/sabnzbd.ini" ]]; then
     printf "Copying over default configuration ...\n"
     mkdir -p /config/sabnzbd
diff --git a/apps/sonarr/Dockerfile b/apps/sonarr/Dockerfile
index 833562a28..9b080d62c 100644
--- a/apps/sonarr/Dockerfile
+++ b/apps/sonarr/Dockerfile
@@ -66,6 +66,10 @@ COPY ./apps/sonarr/config.xml.tmpl /app/config.xml.tmpl
 
 COPY ./apps/sonarr/entrypoint.sh /entrypoint.sh
 COPY --from=envsubst /go/bin/envsubst /usr/local/bin/envsubst
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
 
 ENTRYPOINT ["/usr/bin/catatonit", "--"]
 CMD ["/entrypoint.sh"]
diff --git a/apps/sonarr/entrypoint.sh b/apps/sonarr/entrypoint.sh
index c5101134e..fa9a88c88 100755
--- a/apps/sonarr/entrypoint.sh
+++ b/apps/sonarr/entrypoint.sh
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-mkdir -p /config
-
 # Discover existing configuration settings for backwards compatibility
 if [[ -f /config/config.xml ]]; then
     current_log_level="$(xmlstarlet sel -t -v "//LogLevel" -nl /config/config.xml)"
diff --git a/apps/theme-park/Dockerfile b/apps/theme-park/Dockerfile
index 8974747db..d3c60e0dd 100644
--- a/apps/theme-park/Dockerfile
+++ b/apps/theme-park/Dockerfile
@@ -5,7 +5,6 @@ ARG VERSION
 ARG CHANNEL
 
 USER root
-ENV NGINX_WEB_ROOT "/usr/share/nginx/html"
 
 #hadolint ignore=DL3008
 RUN \
@@ -20,18 +19,18 @@ RUN \
     && \
     grep -rl 'https://theme-park.dev' /tmp | xargs sed -i 's/https\:\/\/theme-park.dev//g' \
     && \
-    cp -r /tmp/css/ "${NGINX_WEB_ROOT}" \
-    && cp -r /tmp/resources/ "${NGINX_WEB_ROOT}" \
-    && cp /tmp/index.html "${NGINX_WEB_ROOT}" \
+    cp -r /tmp/css/ /usr/share/nginx/html \
+    && cp -r /tmp/resources/ /usr/share/nginx/html \
+    && cp /tmp/index.html /usr/share/nginx/html \
     && apt-get remove -y python3 \
     && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
     && apt-get autoremove -y \
     && apt-get clean \
-    && chown -R nginx:nginx "${NGINX_WEB_ROOT}" \
-    && chmod -R 755 "${NGINX_WEB_ROOT}" \
+    && chown -R nginx:nginx /usr/share/nginx/html \
+    && chmod -R 755 /usr/share/nginx/html \
     && rm -rf /tmp/*
 
 USER nginx
-WORKDIR ${NGINX_WEB_ROOT}
+WORKDIR /usr/share/nginx/html
 
 LABEL org.opencontainers.image.source="https://github.com/themepark-dev/theme.park"
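Review bot: In the theme-park hunks, replacing `ENV NGINX_WEB_ROOT` with six literal copies of `/usr/share/nginx/html` trades a runtime environment variable for repetition; `ARG NGINX_WEB_ROOT=/usr/share/nginx/html` keeps one definition and still leaves nothing in the final image's environment, which I assume was the motive for dropping the `ENV`. While the `chown`/`chmod` lines are being rewritten anyway, `chmod -R 755` marks every static file executable — `chmod -R u=rwX,go=rX /usr/share/nginx/html` yields 755 directories and 644 files — and `chown -R nginx:nginx` makes the served tree writable by the very user that serves it, whereas nginx only needs read access, so leaving the root-owned, world-readable tree as-is is the tighter default. The `RUN` instruction that the second hunk edits begins before the hunk.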