-rw-r--r--docker/Dockerfile.go_build14
-rw-r--r--docker/Dockerfile.local15
-rw-r--r--docker/Dockerfile.rocksdb_large14
-rw-r--r--docker/Dockerfile.rocksdb_large_local14
4 files changed, 44 insertions, 13 deletions
diff --git a/docker/Dockerfile.go_build b/docker/Dockerfile.go_build
index a52e74143..9f88f54b4 100644
--- a/docker/Dockerfile.go_build
+++ b/docker/Dockerfile.go_build
@@ -15,7 +15,11 @@ COPY --from=builder /go/bin/weed /usr/bin/
RUN mkdir -p /etc/seaweedfs
COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer.toml /etc/seaweedfs/filer.toml
COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
-RUN apk add fuse # for weed mount
+
+# Install dependencies and create non-root user
+RUN apk add --no-cache fuse && \
+ addgroup -g 1000 seaweed && \
+ adduser -D -u 1000 -g seaweed seaweed
# volume server gprc port
EXPOSE 18080
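Review bot: On the added `adduser -D -u 1000 -g seaweed seaweed` line, `-g` is BusyBox adduser's GECOS (comment) field, not the group; the group option is uppercase `-G`. As written, the user is not explicitly placed in the `seaweed` group that `addgroup -g 1000 seaweed` just created. Because adduser without `-G` tries to set up its own same-named group, the step may fail outright on an Alpine base (the FROM line is outside this hunk, so the base is inferred from `apk`). Suggested line: `adduser -D -u 1000 -G seaweed seaweed`. The same line appears in Dockerfile.local, Dockerfile.rocksdb_large and Dockerfile.rocksdb_large_local.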
@@ -34,11 +38,15 @@ EXPOSE 8333
# webdav server http port
EXPOSE 7333
-RUN mkdir -p /data/filerldb2
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filerldb2 && \
+ chown -R seaweed:seaweed /data && \
+ chmod 755 /entrypoint.sh
VOLUME /data
WORKDIR /data
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
ENTRYPOINT ["/entrypoint.sh"]
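Review bot: `USER seaweed` is a name rather than a number, so a Kubernetes pod with `runAsNonRoot: true` cannot verify that the image is non-root and will refuse to start it; `USER 1000:1000` keeps the same identity and is verifiable. Separately, the build-time `chown -R seaweed:seaweed /data` only affects the image layer and volumes initialised from it. A bind mount, or a named volume populated by an earlier root-running image, stays root-owned and will not be writable by uid 1000. If entrypoint.sh (not visible here) does not handle that, the upgrade path should be documented so operators do not fall back to running the container as root. The same applies to the matching hunks in the other three Dockerfiles.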
diff --git a/docker/Dockerfile.local b/docker/Dockerfile.local
index 269a993b4..3af4a851d 100644
--- a/docker/Dockerfile.local
+++ b/docker/Dockerfile.local
@@ -6,8 +6,11 @@ COPY ./weed_sub* /usr/bin/
RUN mkdir -p /etc/seaweedfs
COPY ./filer.toml /etc/seaweedfs/filer.toml
COPY ./entrypoint.sh /entrypoint.sh
-RUN apk add fuse # for weed mount
-RUN apk add curl # for health checks
+
+# Install dependencies and create non-root user
+RUN apk add --no-cache fuse curl && \
+ addgroup -g 1000 seaweed && \
+ adduser -D -u 1000 -g seaweed seaweed
# volume server grpc port
EXPOSE 18080
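Review bot: The replacement comment no longer says why each package is installed; the removed lines marked `fuse` as "for weed mount" and `curl` as "for health checks". I would keep that above the RUN, e.g. `# fuse: weed mount; curl: health checks`. Since this file now ends with `USER seaweed` (second hunk), it is also worth confirming that `weed mount` still works unprivileged, because FUSE mounts inside a container normally need access to /dev/fuse and a working fusermount helper. I cannot tell from the diff whether that was tested.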
@@ -26,11 +29,15 @@ EXPOSE 8333
# webdav server http port
EXPOSE 7333
-RUN mkdir -p /data/filerldb2
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filerldb2 && \
+ chown -R seaweed:seaweed /data && \
+ chmod 755 /entrypoint.sh
VOLUME /data
WORKDIR /data
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docker/Dockerfile.rocksdb_large b/docker/Dockerfile.rocksdb_large
index 2c3516fb0..e0cccd99f 100644
--- a/docker/Dockerfile.rocksdb_large
+++ b/docker/Dockerfile.rocksdb_large
@@ -32,7 +32,11 @@ COPY --from=builder /go/bin/weed /usr/bin/
RUN mkdir -p /etc/seaweedfs
COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.toml /etc/seaweedfs/filer.toml
COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
-RUN apk add fuse snappy gflags
+
+# Install dependencies and create non-root user
+RUN apk add --no-cache fuse snappy gflags && \
+ addgroup -g 1000 seaweed && \
+ adduser -D -u 1000 -g seaweed seaweed
# volume server gprc port
EXPOSE 18080
@@ -51,12 +55,16 @@ EXPOSE 8333
# webdav server http port
EXPOSE 7333
-RUN mkdir -p /data/filer_rocksdb
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filer_rocksdb && \
+ chown -R seaweed:seaweed /data && \
+ chmod 755 /entrypoint.sh
VOLUME /data
WORKDIR /data
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docker/Dockerfile.rocksdb_large_local b/docker/Dockerfile.rocksdb_large_local
index b3b08dd0c..87aa15ef8 100644
--- a/docker/Dockerfile.rocksdb_large_local
+++ b/docker/Dockerfile.rocksdb_large_local
@@ -15,7 +15,11 @@ COPY --from=builder /go/bin/weed /usr/bin/
RUN mkdir -p /etc/seaweedfs
COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.toml /etc/seaweedfs/filer.toml
COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
-RUN apk add fuse snappy gflags tmux
+
+# Install dependencies and create non-root user
+RUN apk add --no-cache fuse snappy gflags tmux && \
+ addgroup -g 1000 seaweed && \
+ adduser -D -u 1000 -g seaweed seaweed
# volume server gprc port
EXPOSE 18080
@@ -34,12 +38,16 @@ EXPOSE 8333
# webdav server http port
EXPOSE 7333
-RUN mkdir -p /data/filer_rocksdb
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filer_rocksdb && \
+ chown -R seaweed:seaweed /data && \
+ chmod 755 /entrypoint.sh
VOLUME /data
WORKDIR /data
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
ENTRYPOINT ["/entrypoint.sh"]