Add support for running Docker container as non-root user using docke…

…r-entrypoint.sh (#1892)

* Enabling the usage of non root user in Docker
* Added docker-entrypoint.sh to .goreleaser.yml
* Renamed UID to PUID and GID to PGID

.goreleaser.yml

@@ -63,6 +63,7 @@ dockers:
     extra_files:
       - config.toml.sample
       - config-demo.toml
+      - docker-entrypoint.sh
   - use: buildx
     goos: linux
     goarch: arm64
@@ -87,6 +88,7 @@ dockers:
     extra_files:
       - config.toml.sample
       - config-demo.toml
+      - docker-entrypoint.sh
   - use: buildx
     goos: linux
     goarch: arm
@@ -112,6 +114,7 @@ dockers:
     extra_files:
       - config.toml.sample
       - config-demo.toml
+      - docker-entrypoint.sh
   - use: buildx
     goos: linux
     goarch: arm
@@ -137,6 +140,7 @@ dockers:
     extra_files:
       - config.toml.sample
       - config-demo.toml
+      - docker-entrypoint.sh
 
 docker_manifests:
   - name_template: "{{ .Env.DOCKER_ORG }}/{{ .ProjectName }}:latest"

Dockerfile

@@ -1,8 +1,27 @@
 FROM --platform=$BUILDPLATFORM alpine:latest
-RUN apk --no-cache add ca-certificates tzdata
+
+# Install dependencies
+RUN apk --no-cache add ca-certificates tzdata shadow su-exec
+
+# Set the working directory
 WORKDIR /listmonk
+
+# Copy only the necessary files
 COPY listmonk .
 COPY config.toml.sample config.toml
 COPY config-demo.toml .
-CMD ["./listmonk"]
+
+# Copy the entrypoint script
+COPY docker-entrypoint.sh /usr/local/bin/
+
+# Make the entrypoint script executable
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+# Expose the application port
 EXPOSE 9000
+
+# Set the entrypoint
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# Define the command to run the application
+CMD ["./listmonk"]

docker-entrypoint.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+export PUID=${PUID:-0}
+export PGID=${PGID:-0}
+export GROUP_NAME="app"
+export USER_NAME="app"
+
+# This function evaluates if the supplied PGID is already in use
+# if it is not in use, it creates the group with the PGID
+# if it is in use, it sets the GROUP_NAME to the existing group
+create_group() {
+  if ! getent group ${PGID} > /dev/null 2>&1; then
+    addgroup -g ${PGID} ${GROUP_NAME}
+  else
+    existing_group=$(getent group ${PGID} | cut -d: -f1)
+    export GROUP_NAME=${existing_group}
+  fi
+}
+
+# This function evaluates if the supplied PUID is already in use
+# if it is not in use, it creates the user with the PUID and PGID
+create_user() {
+  if ! getent passwd ${PUID} > /dev/null 2>&1; then
+    adduser -u ${PUID} -G ${GROUP_NAME} -s /bin/sh -D ${USER_NAME}
+  else
+    existing_user=$(getent passwd ${PUID} | cut -d: -f1)
+    export USER_NAME=${existing_user}
+  fi
+}
+
+# Run the needed functions to create the user and group
+create_group
+create_user
+
+# Set the ownership of the app directory to the app user
+chown -R ${PUID}:${PGID} /listmonk
+
+echo "Launching listmonk with user=[${USER_NAME}] group=[${GROUP_NAME}] PUID=[${PUID}] PGID=[${PGID}]"
+
+# If running as root and PUID is not 0, then execute command as PUID
+# this allows us to run the container as a non-root user
+if [ "$(id -u)" = "0" ] && [ "${PUID}" != "0" ]; then
+  su-exec ${PUID}:${PGID} "$@"
+else
+  exec "$@"
+fi