diff --git a/Dockerfile b/Dockerfile
index 2448ba936..509961261 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,9 +19,19 @@ ARG ETHERPAD_PLUGINS=
 # this can be done with build args (and is mandatory to build ARM version)
 ENV NODE_ENV=development
 
+# Follow the principle of least privilege: run as unprivileged user.
+#
+# Running as non-root enables running this image in platforms like OpenShift
+# that do not allow images running as root.
+RUN useradd --uid 5001 --create-home etherpad
+
+RUN mkdir /opt/etherpad-lite && chown etherpad:etherpad /opt/etherpad-lite
+
+USER etherpad:etherpad
+
 WORKDIR /opt/etherpad-lite
 
-COPY ./ ./
+COPY --chown=etherpad:etherpad ./ ./
 
 # install node dependencies for Etherpad
 RUN bin/installDeps.sh && \
@@ -34,18 +44,7 @@ RUN bin/installDeps.sh && \
 RUN for PLUGIN_NAME in ${ETHERPAD_PLUGINS}; do npm install "${PLUGIN_NAME}"; done
 
 # Copy the configuration file.
-COPY ./settings.json.docker /opt/etherpad-lite/settings.json
-
-# Follow the principle of least privilege: run as unprivileged user.
-#
-# Running as non-root enables running this image in platforms like OpenShift
-# that do not allow images running as root.
-RUN \
- echo 'etherpad:x:65534:65534:etherpad:/:' > /etc/passwd && \
- echo 'etherpad:x:65534:' > /etc/group && \
- chown -R etherpad:etherpad ./
-
-USER etherpad:etherpad
+COPY --chown=etherpad:etherpad ./settings.json.docker /opt/etherpad-lite/settings.json
 
 EXPOSE 9001
 CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"]
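Review bot: `USER etherpad:etherpad` refers to the account by name, and `useradd --uid 5001 --create-home etherpad` pins only the UID, leaving the group ID to whatever useradd allocates. Kubernetes' `runAsNonRoot` check cannot verify a non-numeric image user and rejects the container unless the pod sets a numeric `runAsUser`, which works against the portability goal stated in the added comment. Pinning both IDs and using them numerically avoids that: `RUN groupadd --gid 5001 etherpad && useradd --uid 5001 --gid 5001 --create-home etherpad`, then `USER 5001:5001`. Platforms that start the container under an arbitrary UID (the comment names OpenShift) presumably also need the tree to be writable by the group that UID receives, which this hunk does not arrange; worth confirming on a real cluster.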
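Review bot: `COPY --chown=etherpad:etherpad ./settings.json.docker /opt/etherpad-lite/settings.json` makes the configuration file writable by the account the server runs as, so anything that gains code execution in the Node process can rewrite the settings the server loads on its next start. COPY creates files as root unless `--chown` is given, even after a `USER` instruction, so dropping the flag on this one line (`COPY ./settings.json.docker /opt/etherpad-lite/settings.json`) would leave the file root-owned and, assuming its mode in the build context is world-readable, still readable by etherpad. Keep the flag only if the server is expected to write its settings file at runtime, and in that case extend the comment to `# Copy the configuration file (owned by etherpad because the server rewrites it).`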