Adds an additional stage to the Dockerfile to create images with default user www-data.
The apache webserver listens on unprivileged port 8000 instead of 80.
Publish all variants with an additional tag ending in `-nonroot` for distinction.
Refs: #306
test-files: 'apache-postgres'
docker-tag: roundcube/roundcubemail:1.6.x-apache,roundcube/roundcubemail:1.6.10-apache,roundcube/roundcubemail:latest-apache,roundcube/roundcubemail:latest
test-tag: roundcube/roundcubemail:latest-apache
+ target: 'root'
- variant: 'fpm'
test-files: 'fpm-postgres'
docker-tag: roundcube/roundcubemail:1.6.x-fpm,roundcube/roundcubemail:1.6.10-fpm,roundcube/roundcubemail:latest-fpm
test-tag: roundcube/roundcubemail:latest-fpm
+ target: 'root'
- variant: 'fpm-alpine'
test-files: 'fpm-postgres'
docker-tag: roundcube/roundcubemail:1.6.x-fpm-alpine,roundcube/roundcubemail:1.6.10-fpm-alpine,roundcube/roundcubemail:latest-fpm-alpine
test-tag: roundcube/roundcubemail:latest-fpm-alpine
+ target: 'root'
+ - variant: 'apache'
+ test-files: 'apache-postgres'
+ docker-tag: roundcube/roundcubemail:1.6.x-apache-nonroot,roundcube/roundcubemail:1.6.9-apache-nonroot,roundcube/roundcubemail:latest-apache-nonroot,roundcube/roundcubemail:latest-nonroot
+ test-tag: roundcube/roundcubemail:latest-apache-nonroot
+ target: 'nonroot'
+ - variant: 'fpm'
+ test-files: 'apache-postgres'
+ docker-tag: roundcube/roundcubemail:1.6.x-fpm-nonroot,roundcube/roundcubemail:1.6.9-fpm-nonroot,roundcube/roundcubemail:latest-fpm-nonroot
+ test-tag: roundcube/roundcubemail:latest-fpm-nonroot
+ target: 'nonroot'
+ - variant: 'fpm-alpine'
+ test-files: 'apache-postgres'
+ docker-tag: roundcube/roundcubemail:1.6.x-fpm-alpine-nonroot,roundcube/roundcubemail:1.6.9-fpm-alpine-nonroot,roundcube/roundcubemail:latest-fpm-alpine-nonroot
+ test-tag: roundcube/roundcubemail:latest-fpm-alpine-nonroot
+ target: 'nonroot'
steps:
- name: Checkout repository
uses: actions/checkout@v4
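Review bot: The three new non-root matrix entries publish their version tag as `1.6.9-apache-nonroot`, `1.6.9-fpm-nonroot` and `1.6.9-fpm-alpine-nonroot`, while the root entries in the same matrix are tagged `1.6.10`, so the non-root images would be pushed under a stale version; change them to `roundcube/roundcubemail:1.6.10-apache-nonroot` and likewise for the fpm and fpm-alpine entries. The `fpm` and `fpm-alpine` non-root entries also set `test-files: 'apache-postgres'`, whereas their root counterparts (and the test workflow below) use `'fpm-postgres'`, which looks like a copy-paste remnant and would run the wrong compose fixture against those images. The matrix definition begins before this hunk.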
platforms: "linux/arm64,linux/arm/v6,linux/arm/v7,linux/386,linux/amd64,"
push: true
tags: ${{ matrix.docker-tag }}
+ target: ${{ matrix.target }}
# does not work linux/arm/v5 AND linux/mips64le - composer does not support mips64le or armv5 nor does the php image support them on the alpine variant
- name: Run tests
- variant: 'apache'
test-files: 'apache-postgres'
docker-tag: roundcube/roundcubemail:test-apache
+ target: 'root'
- variant: 'fpm'
test-files: 'fpm-postgres'
docker-tag: roundcube/roundcubemail:test-fpm
+ target: 'root'
- variant: 'fpm-alpine'
test-files: 'fpm-postgres'
docker-tag: roundcube/roundcubemail:test-fpm-alpine
+ target: 'root'
+ - variant: 'apache'
+ test-files: 'apache-postgres'
+ docker-tag: roundcube/roundcubemail:test-apache-nonroot
+ target: 'nonroot'
+ http-port: '8000'
+ - variant: 'fpm'
+ test-files: 'fpm-postgres'
+ docker-tag: roundcube/roundcubemail:test-fpm-nonroot
+ target: 'nonroot'
+ - variant: 'fpm-alpine'
+ test-files: 'fpm-postgres'
+ docker-tag: roundcube/roundcubemail:test-fpm-alpine-nonroot
+ target: 'nonroot'
steps:
- name: Checkout repository
uses: actions/checkout@v4
username: ${{ secrets.DOCKER_PULL_USERNAME }}
password: ${{ secrets.DOCKER_PULL_PASSWORD }}
- - name: Build image for "${{ matrix.variant }}"
- run: cd ${{ matrix.variant }} && docker buildx build ./ -t ${{ matrix.docker-tag }}
+ - name: Build image for "${{ matrix.variant }} / ${{ matrix.target }}"
+ run: cd ${{ matrix.variant }} && docker buildx build ./ -t ${{ matrix.docker-tag }} --target ${{ matrix.target }}
- name: Run tests
env:
ROUNDCUBEMAIL_TEST_IMAGE: ${{ matrix.docker-tag }}
+ HTTP_PORT: ${{ matrix.http-port || '80' }}
run: |
set -exu;
for testFile in ${{ join(matrix.test-files, ' ') }};
-FROM php:8.1-apache
+FROM php:8.1-apache as root
LABEL maintainer="Thomas Bruederli <thomas@roundcube.net>"
LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
rm -rf /usr/src/roundcubemail/installer; \
chown -R www-data:www-data /usr/src/roundcubemail/logs; \
# Create the config dir
- mkdir -p /var/roundcube/config /var/roundcube/enigma
+ mkdir -p /var/roundcube/config /var/roundcube/enigma; \
+ chown -R www-data:www-data /var/roundcube; \
+ chmod +t /var/roundcube
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["apache2-foreground"]
+
+
+#### non-root stage
+
+FROM root as nonroot
+
+# Prepare locale config for locale-gen
+RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen; \
+ /usr/sbin/locale-gen
+
+RUN sed -i 's/^Listen 80$/Listen 8000/' /etc/apache2/ports.conf
+
+EXPOSE 8000
+
+USER 33:33
\ No newline at end of file
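Review bot: The non-root stage bakes `en_US.UTF-8 UTF-8` into /etc/locale.gen at build time, and together with the entrypoint's new `[ ! -f /etc/locale.gen ]` check this means ROUNDCUBEMAIL_LOCALE no longer changes the locale of a non-root image, which is stated nowhere in the stage. Make it a build argument so the value is configurable at build time and self-documenting: `ARG ROUNDCUBEMAIL_LOCALE="en_US.UTF-8 UTF-8"` followed by `RUN echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen; /usr/sbin/locale-gen`. `USER 33:33` also deserves a line such as `# www-data:www-data on Debian; numeric so runtime runAsNonRoot checks can verify the UID`. The fpm Dockerfile and the non-alpine Dockerfile template carry the same stage and would take the same change.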
: "${ROUNDCUBEMAIL_LOCALE:=en_US.UTF-8 UTF-8}"
- if [ -e /usr/sbin/locale-gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
- echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen
- /usr/sbin/locale-gen
+ if [ -e /usr/sbin/locale-gen ] && [ ! -f /etc/locale.gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
+ echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen && /usr/sbin/locale-gen
fi
if [ ! -z "${ROUNDCUBEMAIL_ASPELL_DICTS}" ]; then
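Review bot: The added `[ ! -f /etc/locale.gen ]` guard silently turns ROUNDCUBEMAIL_LOCALE into a no-op whenever the file already exists — intended for the non-root stages, which pre-generate it, but it would equally apply to a root image whose locales package already ships /etc/locale.gen (worth confirming on the Debian variants). Guarding on the requested value instead of on the file's existence keeps the variable meaningful: `if [ -e /usr/sbin/locale-gen ] && [ -n "${ROUNDCUBEMAIL_LOCALE}" ] && ! grep -qxF "${ROUNDCUBEMAIL_LOCALE}" /etc/locale.gen 2>/dev/null; then`. With that, the default value is a no-op in non-root containers as now, while a non-default value fails visibly on the write instead of being dropped; if the skip is meant only for unprivileged runs, test `[ -w /etc/locale.gen ]` and log that the setting was ignored. The same change appears in the fpm-alpine, fpm and template entrypoint hunks, and the enclosing script continues outside this hunk.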
--- /dev/null
+RUN sed -i 's/^Listen 80$/Listen 8000/' /etc/apache2/ports.conf
+
+EXPOSE 8000
-FROM php:8.1-fpm-alpine
+FROM php:8.1-fpm-alpine as root
LABEL maintainer="Thomas Bruederli <thomas@roundcube.net>"
LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
rm -rf /usr/src/roundcubemail/installer; \
chown -R www-data:www-data /usr/src/roundcubemail/logs; \
# Create the config dir
- mkdir -p /var/roundcube/config /var/roundcube/enigma
+ mkdir -p /var/roundcube/config /var/roundcube/enigma; \
+ chown -R www-data:www-data /var/roundcube; \
+ chmod +t /var/roundcube
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["php-fpm"]
+
+
+#### non-root stage
+
+FROM root as nonroot
+
+USER 82:82
\ No newline at end of file
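Review bot: `chmod +t /var/roundcube` and `USER 82:82` are both left unexplained; a sticky bit on a directory that the same user owns and writes has no effect visible in these lines, so a comment stating its purpose (presumably volumes shared with other UIDs — to be confirmed) would help the next maintainer, and the USER line should read `# www-data:www-data on Alpine; numeric so runtime runAsNonRoot checks can verify the UID`. The alpine Dockerfile template hunk carries the same two lines and would take the same comments.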
: "${ROUNDCUBEMAIL_LOCALE:=en_US.UTF-8 UTF-8}"
- if [ -e /usr/sbin/locale-gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
- echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen
- /usr/sbin/locale-gen
+ if [ -e /usr/sbin/locale-gen ] && [ ! -f /etc/locale.gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
+ echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen && /usr/sbin/locale-gen
fi
if [ ! -z "${ROUNDCUBEMAIL_ASPELL_DICTS}" ]; then
-FROM php:8.1-fpm
+FROM php:8.1-fpm as root
LABEL maintainer="Thomas Bruederli <thomas@roundcube.net>"
LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
rm -rf /usr/src/roundcubemail/installer; \
chown -R www-data:www-data /usr/src/roundcubemail/logs; \
# Create the config dir
- mkdir -p /var/roundcube/config /var/roundcube/enigma
+ mkdir -p /var/roundcube/config /var/roundcube/enigma; \
+ chown -R www-data:www-data /var/roundcube; \
+ chmod +t /var/roundcube
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["php-fpm"]
+
+
+#### non-root stage
+
+FROM root as nonroot
+
+# Prepare locale config for locale-gen
+RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen; \
+ /usr/sbin/locale-gen
+
+USER 33:33
\ No newline at end of file
: "${ROUNDCUBEMAIL_LOCALE:=en_US.UTF-8 UTF-8}"
- if [ -e /usr/sbin/locale-gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
- echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen
- /usr/sbin/locale-gen
+ if [ -e /usr/sbin/locale-gen ] && [ ! -f /etc/locale.gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
+ echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen && /usr/sbin/locale-gen
fi
if [ ! -z "${ROUNDCUBEMAIL_ASPELL_DICTS}" ]; then
-FROM php:8.1-%%VARIANT%%
+FROM php:8.1-%%VARIANT%% as root
LABEL maintainer="Thomas Bruederli <thomas@roundcube.net>"
LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
rm -rf /usr/src/roundcubemail/installer; \
chown -R www-data:www-data /usr/src/roundcubemail/logs; \
# Create the config dir
- mkdir -p /var/roundcube/config /var/roundcube/enigma
+ mkdir -p /var/roundcube/config /var/roundcube/enigma; \
+ chown -R www-data:www-data /var/roundcube; \
+ chmod +t /var/roundcube
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["%%CMD%%"]
+
+
+#### non-root stage
+
+FROM root as nonroot
+
+USER 82:82
\ No newline at end of file
-FROM php:8.1-%%VARIANT%%
+FROM php:8.1-%%VARIANT%% as root
LABEL maintainer="Thomas Bruederli <thomas@roundcube.net>"
LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
rm -rf /usr/src/roundcubemail/installer; \
chown -R www-data:www-data /usr/src/roundcubemail/logs; \
# Create the config dir
- mkdir -p /var/roundcube/config /var/roundcube/enigma
+ mkdir -p /var/roundcube/config /var/roundcube/enigma; \
+ chown -R www-data:www-data /var/roundcube; \
+ chmod +t /var/roundcube
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["%%CMD%%"]
+
+
+#### non-root stage
+
+FROM root as nonroot
+
+# Prepare locale config for locale-gen
+RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen; \
+ /usr/sbin/locale-gen
+
+%%NONROOT_ADD%%
+
+USER 33:33
\ No newline at end of file
: "${ROUNDCUBEMAIL_LOCALE:=en_US.UTF-8 UTF-8}"
- if [ -e /usr/sbin/locale-gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
- echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen
- /usr/sbin/locale-gen
+ if [ -e /usr/sbin/locale-gen ] && [ ! -f /etc/locale.gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
+ echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen && /usr/sbin/locale-gen
fi
if [ ! -z "${ROUNDCUBEMAIL_ASPELL_DICTS}" ]; then
services:
roundcubemail:
image: ${ROUNDCUBEMAIL_TEST_IMAGE:-roundcube/roundcubemail:latest-apache}
+ ports:
+ - 80:${HTTP_PORT:-80}
healthcheck:
# To make it obvious in logs "ping=ping" is added
- test: ["CMD", "curl", "--fail", "http://localhost/?ping=ping"]
+ test: ["CMD", "curl", "--fail", "http://localhost:${HTTP_PORT:-80}/?ping=ping"]
interval: 2s
timeout: 3s
retries: 30
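Review bot: The new `ports:` mapping publishes the web server on the CI host's port 80 for every test run, which the tests do not need — the test container reaches it over the compose network through `ROUNDCUBE_URL=http://roundcubemail:${HTTP_PORT:-80}/` — and binding a privileged host port can fail or collide on a shared runner. If the mapping is kept for local debugging, quote it as `- "80:${HTTP_PORT:-80}"`, so that a later edit to a literal value like `80:80` is not read as a base-60 integer by YAML 1.1 parsers.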
roundcubedb:
condition: service_healthy
command: /tests/run.sh
+ environment:
+ - ROUNDCUBE_URL=http://roundcubemail:${HTTP_PORT:-80}/
volumes:
- ./run.sh:/tests/run.sh:ro
working_dir: /tests
s/%%CMD%%/'"${CMD[$variant]}"'/;
' $template | tr '¬' '\n' > "$dir/Dockerfile"
+ if [[ -f "$dir/nonroot-add.txt" ]]; then
+ sed -i -e '/%%NONROOT_ADD%%/ {' -e 'r '"$dir/nonroot-add.txt" -e 'd' -e '}' $dir/Dockerfile
+ else
+ sed -i 's/%%NONROOT_ADD%%//' $dir/Dockerfile
+ fi
+
echo "✓ Wrote $dir/Dockerfile"
done
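Review bot: Both new `sed -i` calls pass `$dir/Dockerfile` unquoted, whereas the line just above writes to `"$dir/Dockerfile"`; use `"$dir/Dockerfile"` in both so a directory name containing spaces or glob characters cannot split or expand. The `r`-then-`d` block depends on GNU sed semantics, which the existing `sed -i` usage already assumes, so a short comment such as `# GNU sed: replace the placeholder line with the file's contents` would save the next reader a lookup. The enclosing for loop starts outside this hunk.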