diff --git a/ocis/docker/Dockerfile.linux.amd64 b/ocis/docker/Dockerfile.linux.amd64
index ce227da2d8..4d2b1b39aa 100644
--- a/ocis/docker/Dockerfile.linux.amd64
+++ b/ocis/docker/Dockerfile.linux.amd64
@@ -1,4 +1,4 @@
-FROM amd64/alpine:3.13
+FROM amd64/alpine:3.14
 ARG VERSION=""
 ARG REVISION=""
@@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.version="${VERSION}" \
 org.opencontainers.image.revision="${REVISION}"
+RUN addgroup -g 700 -S ocis-group && \
+ adduser -S --ingroup ocis-group --uid 700 ocis-user
+
+RUN mkdir -p /var/tmp/ocis && \
+ chown -R ocis-user:ocis-group /var/tmp/ocis && \
+ chmod -R 777 /var/tmp/ocis
+
+# default artifact location for autogenerated certifaces
+# needs to be a static location because of the docker uid switch mechanism
+ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
+ GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
+ IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
+ IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
+ PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
+ PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key
+
+VOLUME [ "/var/tmp/ocis" ]
+WORKDIR /var/tmp/ocis
+
+USER ocis-user
+
 EXPOSE 9200/tcp
 ENTRYPOINT ["/usr/bin/ocis"]
 CMD ["server"]
 COPY dist/binaries/ocis-linux-amd64 /usr/bin/ocis
-
-VOLUME [ "/var/tmp/ocis" ]
diff --git a/ocis/docker/Dockerfile.linux.arm b/ocis/docker/Dockerfile.linux.arm
index f0ddbb32ae..ab3e30353d 100644
--- a/ocis/docker/Dockerfile.linux.arm
+++ b/ocis/docker/Dockerfile.linux.arm
@@ -1,4 +1,4 @@
-FROM arm32v6/alpine:3.13
+FROM arm32v6/alpine:3.14
 ARG VERSION=""
 ARG REVISION=""
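Review bot: `chmod -R 777 /var/tmp/ocis` in the second hunk of Dockerfile.linux.amd64 leaves the directory that the new ENV defaults use for TLS private keys (`GLAUTH_LDAPS_KEY`, `IDP_TRANSPORT_TLS_KEY`, `PROXY_TRANSPORT_TLS_KEY`) writable by every UID in the container, with no sticky bit, so any process there can remove or replace entries directly under it. The `chown` on the line before already gives ocis-user full access, so the world bits only matter when the container is started under another UID. If that is the case being supported, group access is enough: `chown -R ocis-user:0 /var/tmp/ocis && chmod -R u=rwX,g=rwX,o= /var/tmp/ocis`, assuming such UIDs run with GID 0, which should be confirmed for the runtimes in use. The same lines are added in the Dockerfile.linux.arm and Dockerfile.linux.arm64 hunks.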
@@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.version="${VERSION}" \
 org.opencontainers.image.revision="${REVISION}"
+RUN addgroup -g 700 -S ocis-group && \
+ adduser -S --ingroup ocis-group --uid 700 ocis-user
+
+RUN mkdir -p /var/tmp/ocis && \
+ chown -R ocis-user:ocis-group /var/tmp/ocis && \
+ chmod -R 777 /var/tmp/ocis
+
+# default artifact location for autogenerated certifaces
+# needs to be a static location because of the docker uid switch mechanism
+ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
+ GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
+ IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
+ IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
+ PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
+ PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key
+
+VOLUME [ "/var/tmp/ocis" ]
+WORKDIR /var/tmp/ocis
+
+USER ocis-user
+
 EXPOSE 9200/tcp
 ENTRYPOINT ["/usr/bin/ocis"]
 CMD ["server"]
 COPY dist/binaries/ocis-linux-arm /usr/bin/ocis
-
-VOLUME [ "/var/tmp/ocis" ]
diff --git a/ocis/docker/Dockerfile.linux.arm64 b/ocis/docker/Dockerfile.linux.arm64
index 3e1f4f555f..12c6361839 100644
--- a/ocis/docker/Dockerfile.linux.arm64
+++ b/ocis/docker/Dockerfile.linux.arm64
@@ -1,4 +1,4 @@
-FROM arm64v8/alpine:3.13
+FROM arm64v8/alpine:3.14
 ARG VERSION=""
 ARG REVISION=""
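Review bot: `USER ocis-user` in the second hunk of Dockerfile.linux.arm names the account instead of its UID, and an orchestrator that enforces non-root from image metadata (Kubernetes `runAsNonRoot` is one) cannot verify a named user and rejects the container unless a numeric `runAsUser` is supplied. The hunk already pins both UID and GID to 700, so `USER 700:700` keeps the same identity and makes it checkable. The `COPY` that follows carries no `--chown`, so /usr/bin/ocis stays root-owned even though it comes after `USER`; a short comment such as `# binary stays root-owned on purpose` would keep that from being changed later. The amd64 and arm64 hunks add the same `USER` line.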
@@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.version="${VERSION}" \
 org.opencontainers.image.revision="${REVISION}"
+RUN addgroup -g 700 -S ocis-group && \
+ adduser -S --ingroup ocis-group --uid 700 ocis-user
+
+RUN mkdir -p /var/tmp/ocis && \
+ chown -R ocis-user:ocis-group /var/tmp/ocis && \
+ chmod -R 777 /var/tmp/ocis
+
+# default artifact location for autogenerated certifaces
+# needs to be a static location because of the docker uid switch mechanism
+ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
+ GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
+ IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
+ IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
+ PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
+ PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key
+
+VOLUME [ "/var/tmp/ocis" ]
+WORKDIR /var/tmp/ocis
+
+USER ocis-user
+
 EXPOSE 9200/tcp
 ENTRYPOINT ["/usr/bin/ocis"]
 CMD ["server"]
 COPY dist/binaries/ocis-linux-arm64 /usr/bin/ocis
-
-VOLUME [ "/var/tmp/ocis" ]
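Review bot: The comment above the `ENV` block in the Dockerfile.linux.arm64 hunk misspells "certificates" as `certifaces` and refers to a "docker uid switch mechanism" without saying what that is, so the reason for hard-coding the key paths is lost on the next reader. Suggested wording: `# default location for autogenerated certificates and private keys` followed by `# fixed path, so it stays valid when the container is started under another UID (docker run --user)`, if that is what the switch refers to. One more comment line could note that these paths sit inside the declared `VOLUME`, so generated keys outlive the container when a named volume is mounted there. The amd64 and arm hunks carry the same comment.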