From fdbd71ef0d20305eef5b61c887172e0b6465cfc9 Mon Sep 17 00:00:00 2001
From: Ralf Vogler
Date: Sun, 25 May 2025 21:57:36 +0200
Subject: [PATCH] docker: user fgc instead of root, fixes #468, how to deal with existing volumes?
---
 Dockerfile | 12 ++++++++++--
 docker-entrypoint.sh | 3 ++-
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1da4c55..58e1c4f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,7 +52,15 @@ RUN ln -s /usr/share/novnc/vnc_auto.html /usr/share/novnc/index.html
 RUN pip install --no-cache-dir apprise
 WORKDIR /fgc
-COPY package*.json ./
+# add user fgc to not run the application as root in the end
+ARG USER=fgc
+RUN useradd -ms /bin/bash fgc
+# adjust permissions, otherwise can only read /fgc/data, but not write
+# normally this would be mounted, but since this only happens later we need to create /fgc/data first
+# also need to chown ., otherwise we can't create node_modules inside as fgc
+RUN mkdir data && chown -R fgc:fgc .
+USER fgc
+COPY --chown=fgc:fgc package*.json ./
 # Playwright installs patched firefox to ~/.cache/ms-playwright/firefox-*
 # Requires some system deps to run (see inlined install-deps above).
@@ -61,7 +69,7 @@ RUN npm install
 # From 1.38 Playwright will no longer install browser automatically for playwright, but apparently still for playwright-firefox: https://github.com/microsoft/playwright/releases/tag/v1.38.0
 # RUN npx playwright install firefox
-COPY . .
+COPY --chown=fgc:fgc . .
 # Shell scripts need Linux line endings. On Windows, git might be configured to check out dos/CRLF line endings, so we convert them for those people in case they want to build the image. They could also use --config core.autocrlf=input
 RUN dos2unix ./*.sh && chmod +x ./*.sh
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 7b321a1..ca85c5a 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
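Review bot: `ARG USER=fgc` is declared but never used — `useradd`, `chown` and `USER` all spell out `fgc` — and the UID/GID are left to `useradd`'s default allocation, which is what makes the "existing volumes" question in the subject hard: data created by the previous root-running image is owned by UID 0 and is now unwritable, and operators cannot align a bind mount's ownership without knowing which UID the image picked. I would make the identity explicit and overridable at build time, e.g. `ARG UID=1000` / `ARG GID=1000` followed by `RUN groupadd -g "${GID}" fgc && useradd -m -u "${UID}" -g "${GID}" -s /usr/sbin/nologin fgc`, and drop the unused `ARG USER`. A `/bin/bash` login shell is presumably not needed for a service account that only runs node, so `nologin` is the safer default. The comment above `RUN mkdir data && chown -R fgc:fgc .` could also state outright that a volume or bind mount at `/fgc/data` replaces the build-time directory and does not inherit this ownership, so existing data must be `chown`ed to the chosen UID (or the image rebuilt with `--build-arg UID=$(id -u)`).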
@@ -36,9 +36,10 @@ rm -f /tmp/.X1-lock
 # Options passed directly to the Xvfb server:
 # -ac disables host-based access control mechanisms
 # −screen NUM WxHxD creates the screen and sets its width, height, and depth
+# -nolisten unix tells the server not to use Unix domain sockets, thus avoiding the need to create /tmp/.X11-unix
 export DISPLAY=:1 # need to export this, otherwise playwright complains with 'Looks like you launched a headed browser without having a XServer running.'
-Xvfb $DISPLAY -ac -screen 0 "${WIDTH}x${HEIGHT}x${DEPTH}" &
+Xvfb $DISPLAY -ac -screen 0 "${WIDTH}x${HEIGHT}x${DEPTH}" -nolisten unix &
 echo "Xvfb display server created screen with resolution ${WIDTH}x${HEIGHT}"
 if [ -z "$VNC_PASSWORD" ]; then
 pw="-nopw"
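Review bot: The added `-nolisten unix` only drops the filesystem socket while `-ac` stays on the same line, so the display remains open to any client that can reach the server's remaining transports — presumably the abstract local socket (which is why clients still connect without /tmp/.X11-unix), and that namespace is shared with any container joined to this one's network namespace (`--network container:…`, a Kubernetes pod), where a neighbour could inject input or read the screen. Whether TCP is also closed depends on the Xvfb build default rather than on this script, so I would state it explicitly: `Xvfb $DISPLAY -ac -screen 0 "${WIDTH}x${HEIGHT}x${DEPTH}" -nolisten tcp -nolisten unix &`, and extend the option comment block with `# -nolisten tcp keeps the display off the network; -ac still admits any local client, so do not share this container's network namespace with untrusted workloads`. The `if` block opened at the end of the hunk closes outside it.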