From 537b8cbdf5d6bcb6737d15870eeef6153b0b766a Mon Sep 17 00:00:00 2001 From: Claude Date: Mon, 27 Apr 2026 13:05:29 +0000 Subject: [PATCH] chore(docker): drop root in containers Add willow uid 10001 + USER directive in runtime stage of relay, replay, storage Dockerfiles. chown writable dirs (/etc/willow, /shared, /var/lib/willow) before USER switch. Web: switch nginx:alpine to nginxinc/nginx-unprivileged:alpine (uid 101, listens 8080). Compose maps host 8080 to container 8080. Refs #314 https://claude.ai/code/session_016cmtqT7yEQUgjcLgz4pARP --- docker-compose.yml | 2 +- docker/relay.Dockerfile | 6 +++++- docker/replay.Dockerfile | 6 +++++- docker/storage.Dockerfile | 6 +++++- docker/web.Dockerfile | 8 +++++--- 5 files changed, 21 insertions(+), 7 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 07494858..e5157040 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -72,7 +72,7 @@ services: context: . dockerfile: docker/web.Dockerfile ports: - - "${WILLOW_WEB_PORT:-8080}:80" + - "${WILLOW_WEB_PORT:-8080}:8080" depends_on: - relay restart: unless-stopped diff --git a/docker/relay.Dockerfile b/docker/relay.Dockerfile index 00c76b21..c23932a3 100644 --- a/docker/relay.Dockerfile +++ b/docker/relay.Dockerfile @@ -4,9 +4,13 @@ COPY . . RUN cargo build --release -p willow-relay FROM rust:slim +RUN useradd -r -u 10001 -m -d /home/willow willow \ + && mkdir -p /etc/willow /shared \ + && chown -R willow:willow /etc/willow /shared COPY --from=builder /build/target/release/willow-relay /usr/local/bin/willow-relay -COPY docker/relay-entrypoint.sh /entrypoint.sh +COPY --chown=willow:willow docker/relay-entrypoint.sh /entrypoint.sh RUN chmod +x /entrypoint.sh +USER willow EXPOSE 9090 9091 ENTRYPOINT ["/entrypoint.sh"] diff --git a/docker/replay.Dockerfile b/docker/replay.Dockerfile index f07aa73f..bb2c628d 100644 --- a/docker/replay.Dockerfile +++ b/docker/replay.Dockerfile 
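Review bot: `COPY --chown=willow:willow docker/relay-entrypoint.sh /entrypoint.sh` hands the runtime user ownership, and therefore write access, to its own entrypoint; the script only needs to be readable and executable, so keep it root-owned and set the bits at copy time, `COPY --chmod=0755 docker/relay-entrypoint.sh /entrypoint.sh`, which also makes the following `RUN chmod +x` layer unnecessary. The same applies to the entrypoint COPY in the replay and storage hunks. The useradd pins the UID but leaves the GID to auto-allocation; `groupadd -r -g 10001 willow && useradd -r -u 10001 -g willow -m -d /home/willow willow` makes both stable, and a numeric `USER 10001` lets runtimes that enforce non-root (Kubernetes runAsNonRoot) verify it without resolving the name. The build-time chown of /etc/willow and /shared only covers the image layer: a host bind mount at either path arrives with host ownership, and the entrypoint (outside this hunk) can no longer fix that up as root, so this is worth a comment on the useradd line.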
@@ -4,8 +4,12 @@ COPY . . RUN cargo build --release -p willow-replay FROM rust:slim +RUN useradd -r -u 10001 -m -d /home/willow willow \ + && mkdir -p /etc/willow \ + && chown -R willow:willow /etc/willow COPY --from=builder /build/target/release/willow-replay /usr/local/bin/willow-replay -COPY docker/replay-entrypoint.sh /entrypoint.sh +COPY --chown=willow:willow docker/replay-entrypoint.sh /entrypoint.sh RUN chmod +x /entrypoint.sh +USER willow ENTRYPOINT ["/entrypoint.sh"] diff --git a/docker/storage.Dockerfile b/docker/storage.Dockerfile index 96a051a4..cc6f8c03 100644 --- a/docker/storage.Dockerfile +++ b/docker/storage.Dockerfile @@ -4,8 +4,12 @@ COPY . . RUN cargo build --release -p willow-storage FROM rust:slim +RUN useradd -r -u 10001 -m -d /home/willow willow \ + && mkdir -p /etc/willow /var/lib/willow \ + && chown -R willow:willow /etc/willow /var/lib/willow COPY --from=builder /build/target/release/willow-storage /usr/local/bin/willow-storage -COPY docker/storage-entrypoint.sh /entrypoint.sh +COPY --chown=willow:willow docker/storage-entrypoint.sh /entrypoint.sh RUN chmod +x /entrypoint.sh +USER willow ENTRYPOINT ["/entrypoint.sh"] diff --git a/docker/web.Dockerfile b/docker/web.Dockerfile index 069931a7..8fe1677c 100644 --- a/docker/web.Dockerfile +++ b/docker/web.Dockerfile @@ -5,7 +5,9 @@ WORKDIR /build COPY . . RUN cd crates/web && trunk build --release -FROM nginx:alpine -COPY --from=builder /build/crates/web/dist/ /usr/share/nginx/html/ +FROM nginxinc/nginx-unprivileged:alpine +COPY --from=builder --chown=nginx:nginx /build/crates/web/dist/ /usr/share/nginx/html/ RUN chmod 644 /usr/share/nginx/html/* -EXPOSE 80 + +USER nginx +EXPOSE 8080
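Review bot: /var/lib/willow is chowned only in the image layer, but the path name suggests persistent state, and a host bind mount or a pre-existing volume keeps whatever ownership the host has, so the first write as uid 10001 fails with EACCES now that the container no longer starts as root. Worth a comment next to the useradd line, `# runtime uid 10001 must own /var/lib/willow when it is mounted from the host (chown it or use fsGroup)`, and a check that the storage service in docker-compose.yml (not touched by this diff) either uses a named volume, which Docker seeds from the image's directory ownership when empty, or mounts a directory already owned by 10001.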
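Review bot: `COPY --from=builder --chown=nginx:nginx /build/crates/web/dist/ /usr/share/nginx/html/` gives the nginx worker write access to the content it serves; nginx only needs read, so drop the `--chown` and keep the document root root-owned and world-readable. The unchanged context line `RUN chmod 644 /usr/share/nginx/html/*` is not recursive and would strip the traverse bit from any subdirectory in dist/, which interacts with the new copy — worth verifying against the trunk output. `FROM nginxinc/nginx-unprivileged:alpine` is a floating tag on a community-maintained image; pin a version tag or a digest so the uid/port contract the compose change now relies on cannot shift under a rebuild. `USER nginx` appears redundant with the base image, which already switches to uid 101, and as a name it cannot be verified by runAsNonRoot; if it stays, write `USER 101`.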