set a non-root user for containers (#2496)

* change root user in dockerfile

* build container on push/pr

* grab docker build params from env

* consolidate container build

* rm unused container build workflow/script

* cleanup ci

* set user for earthly container build

* rm ci docker build for develop branch

* checkout full repo for docker builds

* read earthly push from env

* cleanup ci

* rm unsupported option for actions/checkout@v3

* check dockerfile in ci

* add dockerfile build to earthfile

* authenticate to GH only on schedule builds

* accurate name for dev container builder script

* add note to the dockerfile about earthfile

* document dev build process more clearly
Meisam
2023-01-04 23:15:12 +01:00
committed by GitHub
parent e748d8f765
commit 2c6fd67276
10 changed files with 134 additions and 121 deletions


@@ -1,10 +1,17 @@
# Perform a build
# IMPORTANT: This Dockerfile has been provided for the sake of convenience.
# Currently, functionality of the containers built based on this file
# is not a part of our continuous testing. Although, patches to keep it
# up to date are always welcome.
#
# See Earthfile for the recipes used in official builds.
FROM golang:alpine AS build
RUN mkdir /build
ADD . /build
WORKDIR /build
RUN apk update && apk add --no-cache git gcc build-base linux-headers
WORKDIR /build
COPY . /build
ARG VERSION=dev
ENV VERSION=${VERSION}
ARG GIT_COMMIT
@@ -15,13 +22,16 @@ ENV NAME=${NAME}
RUN CGO_ENABLED=1 GOOS=linux go build -a -installsuffix cgo -ldflags "-extldflags \"-static\" -s -w -X github.com/owncast/owncast/config.GitCommit=$GIT_COMMIT -X github.com/owncast/owncast/config.VersionNumber=$VERSION -X github.com/owncast/owncast/config.BuildPlatform=$NAME" -o owncast .
# Create the image by copying the result of the build into a new alpine image
FROM alpine
FROM alpine:3.15.5
RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates && update-ca-certificates
RUN addgroup -g 101 -S owncast && adduser -u 101 -S owncast -G owncast
# Copy owncast assets
WORKDIR /app
COPY --from=build /build/owncast /app/owncast
COPY --from=build /build/webroot /app/webroot
RUN mkdir /app/data
RUN chown -R owncast:owncast /app
USER owncast
ENTRYPOINT ["/app/owncast"]
EXPOSE 8080 1935
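Review bot: `RUN chown -R owncast:owncast /app` in the final stage gives the service account ownership of its own binary and of `/app/webroot`, so even after `USER owncast` a compromised process could still replace the executable and the served assets. If owncast only needs to write under `/app/data` (not confirmable from this page), the `mkdir` and `chown` lines could become `RUN mkdir /app/data && chown owncast:owncast /app/data`, leaving the copied files root-owned; this also avoids the extra layer that a recursive chown over copied files creates. Build-time ownership does not carry over to a bind mount or a pre-existing volume placed on `/app/data`, so operators upgrading from a root-run container will likely need to chown existing data to uid/gid 101, which is worth stating in the docs. Separately, the build stage in the first hunk still uses the floating `golang:alpine` tag while the runtime stage is now pinned to `alpine:3.15.5`; pinning the builder to a specific tag or digest would keep the toolchain reproducible.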