Run as nonroot user

HadrienPatte · Apr 22, 2024 · 46384c7 · 46384c7
1 parent 403e182
commit 46384c7
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 6 deletions.
diff --git a/images/prowlarr/Dockerfile b/images/prowlarr/Dockerfile
@@ -14,10 +14,18 @@ RUN \
         --root /rootfs \
         base-files_base \
         base-files_release-info \
-        base-passwd_data \
         ca-certificates_data \
         dotnet-runtime-8.0_libs \
-        libsqlite3-0_libs
+        libsqlite3-0_libs \
+    && useradd \
+        --root /rootfs \
+        --system \
+        --no-create-home \
+        --uid 1000 \
+        nonroot \
+    && rm /rootfs/etc/.pwd.lock \
+    && mkdir /rootfs/config \
+    && chown 1000 /rootfs/config
 
 # Download prowlarr
 RUN \
@@ -33,4 +41,5 @@ FROM scratch
 COPY --from=builder /rootfs /
 COPY --from=builder /Prowlarr /Prowlarr
 
+USER nonroot
 ENTRYPOINT ["/Prowlarr/Prowlarr", "--nobrowser", "--data=/config"]
diff --git a/images/radarr/Dockerfile b/images/radarr/Dockerfile
@@ -14,10 +14,18 @@ RUN \
         --root /rootfs \
         base-files_base \
         base-files_release-info \
-        base-passwd_data \
         ca-certificates_data \
         dotnet-runtime-8.0_libs \
-        libsqlite3-0_libs
+        libsqlite3-0_libs \
+    && useradd \
+        --root /rootfs \
+        --system \
+        --no-create-home \
+        --uid 1000 \
+        nonroot \
+    && rm /rootfs/etc/.pwd.lock \
+    && mkdir /rootfs/config \
+    && chown 1000 /rootfs/config
 
 # Download radarr
 RUN \
@@ -33,4 +41,5 @@ FROM scratch
 COPY --from=builder /rootfs /
 COPY --from=builder /Radarr /Radarr
 
+USER nonroot
 ENTRYPOINT ["/Radarr/Radarr", "--nobrowser", "--data=/config"]
diff --git a/images/sonarr/Dockerfile b/images/sonarr/Dockerfile
@@ -14,10 +14,18 @@ RUN \
         --root /rootfs \
         base-files_base \
         base-files_release-info \
-        base-passwd_data \
         ca-certificates_data \
         dotnet-runtime-8.0_libs \
-        libsqlite3-0_libs
+        libsqlite3-0_libs \
+    && useradd \
+        --root /rootfs \
+        --system \
+        --no-create-home \
+        --uid 1000 \
+        nonroot \
+    && rm /rootfs/etc/.pwd.lock \
+    && mkdir /rootfs/config \
+    && chown 1000 /rootfs/config
 
 # Download sonarr
 RUN \
@@ -33,4 +41,5 @@ FROM scratch
 COPY --from=builder /rootfs /
 COPY --from=builder /Sonarr /Sonarr
 
+USER nonroot
 ENTRYPOINT ["/Sonarr/Sonarr", "--nobrowser", "--data=/config"]