diff --git a/build/Containerfile.dev b/build/Containerfile.dev
index 1b4a7f9c..b416d1ac 100644
--- a/build/Containerfile.dev
+++ b/build/Containerfile.dev
@@ -23,6 +23,7 @@ LABEL io.alcove.init="s6"
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME=30000
+ENV S6_READ_ONLY_ROOT=1
 # Install xz-utils (needed to extract s6-overlay tarballs)
 RUN apt-get update && apt-get install -y --no-install-recommends xz-utils && rm -rf /var/lib/apt/lists/*
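Review bot: `ENV S6_READ_ONLY_ROOT=1` is added without a comment, yet it is the setting that lets the rest of this commit work: as far as I recall, with it set s6-overlay stages its runtime state under /run instead of writing into /etc, which is why the later hunk has to create /run/s6 and hand it to the non-root user. A line above it such as `# S6_READ_ONLY_ROOT=1: s6-overlay keeps runtime state under /run (not /etc) so /init can run as the non-root user; /run/s6 must be writable by that user` records that dependency for the next maintainer. If the runtime mounts a tmpfs over /run (for example under `--read-only`), the build-time ownership of /run/s6 is hidden, so that case is worth a note here or a check at startup; the diff does not show how the image is run. The `RUN apt-get` line this hunk ends on is unchanged context.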
@@ -49,21 +50,28 @@ RUN apt-get update && \
 RUN curl -fsSL https://github.com/nats-io/nats-server/releases/download/v2.11.1/nats-server-v2.11.1-linux-amd64.tar.gz \
 | tar xz --strip-components=1 -C /usr/local/bin nats-server-v2.11.1-linux-amd64/nats-server
+# Create non-root user for all services
+RUN groupadd -g 1001 alcove && \
+ useradd -u 1001 -g alcove -d /home/alcove -m alcove
+
 # Pre-cache Go modules
 COPY go.mod go.sum /tmp/gomod/
 RUN cd /tmp/gomod && go mod download && rm -rf /tmp/gomod
-# Initialize PostgreSQL data directory at build time
+# Initialize PostgreSQL data directory at build time as the alcove user
 # Use listen_addresses='' (Unix socket only) and dynamic_shared_memory_type=posix
 # for compatibility with container build environments.
 RUN mkdir -p /var/lib/postgresql/data /var/run/postgresql && \
- chown -R postgres:postgres /var/lib/postgresql/data /var/run/postgresql && \
- su postgres -c "/usr/lib/postgresql/16/bin/initdb -D /var/lib/postgresql/data" && \
+ chown -R 1001:1001 /var/lib/postgresql/data /var/run/postgresql
+
+USER 1001
+RUN /usr/lib/postgresql/16/bin/initdb -D /var/lib/postgresql/data && \
 echo "host all all 0.0.0.0/0 trust" >> /var/lib/postgresql/data/pg_hba.conf && \
 echo "local all all trust" >> /var/lib/postgresql/data/pg_hba.conf && \
- su postgres -c "/usr/lib/postgresql/16/bin/pg_ctl -D /var/lib/postgresql/data -o '-c listen_addresses=\"\" -c dynamic_shared_memory_type=posix' -w start" && \
- su postgres -c "/usr/lib/postgresql/16/bin/createdb -h /var/run/postgresql -p 5432 alcove" && \
- su postgres -c "/usr/lib/postgresql/16/bin/pg_ctl -D /var/lib/postgresql/data -w stop"
+ /usr/lib/postgresql/16/bin/pg_ctl -D /var/lib/postgresql/data -o '-c listen_addresses="" -c dynamic_shared_memory_type=posix' -w start && \
+ /usr/lib/postgresql/16/bin/createdb -h /var/run/postgresql -p 5432 alcove && \
+ /usr/lib/postgresql/16/bin/pg_ctl -D /var/lib/postgresql/data -w stop
+USER root
 # Copy s6-rc service definitions
 COPY build/s6-services/postgres /etc/s6-overlay/s6-rc.d/postgres
@@ -74,7 +82,12 @@ COPY build/s6-services/user /etc/s6-overlay/s6-rc.d/user
 # Copy the compiled shim binary
 COPY --from=builder /out/alcove-shim /usr/local/bin/alcove-shim
-# Create workspace directory
-RUN mkdir -p /workspace && chmod 777 /workspace
+# Create workspace directory and set ownership for all runtime dirs.
+# /run/s6 is needed by s6-overlay at startup — it must be writable by the
+# non-root user since the container runs as USER 1001.
+RUN mkdir -p /workspace /run/s6 && \
+ chown -R 1001:1001 /var/lib/postgresql /var/run/postgresql /workspace /run/s6
+
+USER 1001
 ENTRYPOINT ["/init"]
diff --git a/build/s6-services/postgres/run b/build/s6-services/postgres/run
index 3d195e77..bf3cb87d 100755
--- a/build/s6-services/postgres/run
+++ b/build/s6-services/postgres/run
@@ -1,2 +1,2 @@
 #!/bin/sh
-exec su postgres -c "/usr/lib/postgresql/16/bin/postgres -D /var/lib/postgresql/data"
+exec /usr/lib/postgresql/16/bin/postgres -D /var/lib/postgresql/data
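Review bot: The UID/GID 1001 appears as a bare literal in `groupadd`, `useradd`, `chown -R 1001:1001` and `USER 1001` in this hunk, and again in the `chown`/`USER` lines of the next hunk, so editing one occurrence silently desynchronises the others and the user the runtime expects (e.g. a `runAsUser` check). Declaring it once, `ARG ALCOVE_UID=1001` and `ARG ALCOVE_GID=1001` before the `groupadd`, and using `${ALCOVE_UID}:${ALCOVE_GID}` in the chown lines and `USER ${ALCOVE_UID}`, keeps them in lockstep. The `pg_hba.conf` `trust` lines are unchanged context, but the new runtime `postgres/run` script starts the server without the build-time `listen_addresses=''` override, so a comment next to them stating that trust authentication is intended only for this dev image would help whoever copies this file for a non-dev build. The `# Copy s6-rc service definitions` section this hunk ends on continues past the hunk.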
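Review bot: The `chown -R 1001:1001 /var/lib/postgresql /var/run/postgresql /workspace /run/s6` walks the whole initialised cluster again, although the earlier hunk already created those directories owned by 1001 and ran `initdb` as `USER 1001`, so every file under them should already carry that owner; on overlay-backed builds a recursive chown can copy those files into a new layer even when nothing changes. Limiting the step to the directories this line actually creates, `RUN install -d -o 1001 -g 1001 /workspace /run/s6`, keeps the layer small and makes the intent obvious. The comment above it could also say that the build-time ownership of /run/s6 only takes effect if the runtime does not mount a tmpfs over /run (as `--read-only` does), which would hide it; whether that matters for this image cannot be told from the diff.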
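Review bot: The `run` script now starts `postgres` as whichever user launched `/init`, so it depends entirely on the image's final `USER 1001`; if the user is overridden at `docker run`/`podman run` (for example `--user root`), the server will refuse to start instead of dropping privileges the way the old `su postgres` line did. A one-line comment makes that contract visible to operators: `# runs as the image's non-root user (USER 1001); postgres will not start as root, so do not override --user`. The script is otherwise a single exec with no shell logic, so no `set -e` is needed.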