docker containers: add non-root user (#7399)

* add non-root user

* using -g more clearly expresses the intent of setting the primary group for the new user

* no cache

* read only

* specific perm

docker/Dockerfile.go_build

@@ -15,7 +15,11 @@ COPY --from=builder /go/bin/weed /usr/bin/
 RUN mkdir -p /etc/seaweedfs
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer.toml /etc/seaweedfs/filer.toml
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
-RUN apk add fuse # for weed mount
+
+# Install dependencies and create non-root user
+RUN apk add --no-cache fuse && \
+    addgroup -g 1000 seaweed && \
+    adduser -D -u 1000 -g seaweed seaweed
 
 # volume server gprc port
 EXPOSE 18080
@@ -34,11 +38,15 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333
 
-RUN mkdir -p /data/filerldb2
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filerldb2 && \
+    chown -R seaweed:seaweed /data && \
+    chmod 755 /entrypoint.sh
 
 VOLUME /data
 WORKDIR /data
 
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
 
 ENTRYPOINT ["/entrypoint.sh"]

docker/Dockerfile.local

@@ -6,8 +6,11 @@ COPY  ./weed_sub* /usr/bin/
 RUN mkdir -p /etc/seaweedfs
 COPY ./filer.toml /etc/seaweedfs/filer.toml
 COPY ./entrypoint.sh /entrypoint.sh
-RUN apk add fuse # for weed mount
+
-RUN apk add curl # for health checks
+# Install dependencies and create non-root user
+RUN apk add --no-cache fuse curl && \
+    addgroup -g 1000 seaweed && \
+    adduser -D -u 1000 -g seaweed seaweed
 
 # volume server grpc port
 EXPOSE 18080
@@ -26,11 +29,15 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333
 
-RUN mkdir -p /data/filerldb2
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filerldb2 && \
+    chown -R seaweed:seaweed /data && \
+    chmod 755 /entrypoint.sh
 
 VOLUME /data
 WORKDIR /data
 
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
 
 ENTRYPOINT ["/entrypoint.sh"]

docker/Dockerfile.rocksdb_large

@@ -32,7 +32,11 @@ COPY --from=builder /go/bin/weed /usr/bin/
 RUN mkdir -p /etc/seaweedfs
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.toml /etc/seaweedfs/filer.toml
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
-RUN apk add fuse snappy gflags
+
+# Install dependencies and create non-root user
+RUN apk add --no-cache fuse snappy gflags && \
+    addgroup -g 1000 seaweed && \
+    adduser -D -u 1000 -g seaweed seaweed
 
 # volume server gprc port
 EXPOSE 18080
@@ -51,12 +55,16 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333
 
-RUN mkdir -p /data/filer_rocksdb
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filer_rocksdb && \
+    chown -R seaweed:seaweed /data && \
+    chmod 755 /entrypoint.sh
 
 VOLUME /data
 
 WORKDIR /data
 
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
 
 ENTRYPOINT ["/entrypoint.sh"]

docker/Dockerfile.rocksdb_large_local

@@ -15,7 +15,11 @@ COPY --from=builder /go/bin/weed /usr/bin/
 RUN mkdir -p /etc/seaweedfs
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.toml /etc/seaweedfs/filer.toml
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
-RUN apk add fuse snappy gflags tmux
+
+# Install dependencies and create non-root user
+RUN apk add --no-cache fuse snappy gflags tmux && \
+    addgroup -g 1000 seaweed && \
+    adduser -D -u 1000 -g seaweed seaweed
 
 # volume server gprc port
 EXPOSE 18080
@@ -34,12 +38,16 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333
 
-RUN mkdir -p /data/filer_rocksdb
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filer_rocksdb && \
+    chown -R seaweed:seaweed /data && \
+    chmod 755 /entrypoint.sh
 
 VOLUME /data
 
 WORKDIR /data
 
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
 
 ENTRYPOINT ["/entrypoint.sh"]