From 516e00f15fb210f65c6db3860f707fa7ab4da370 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AE=89=E6=AD=A3=E8=B6=85?= Date: Wed, 20 Aug 2025 23:32:03 +0800 Subject: [PATCH] fix: Dockerfile with error permission change. (#436) * fix: dockerfile and permission error. * fix: dockerfile and permission error. --- Dockerfile | 26 ++++---------------------- entrypoint.sh | 24 +----------------------- 2 files changed, 5 insertions(+), 45 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6b803078..c8f1f14d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,3 @@ -# ------------------- -# Build stage -# ------------------- FROM alpine:3.22 AS build ARG TARGETARCH @@ -9,9 +6,6 @@ ARG RELEASE=latest RUN apk add --no-cache ca-certificates curl unzip WORKDIR /build -# Download and extract release package matching current TARGETARCH -# - If RELEASE=latest: take first tag_name from /releases (may include pre-releases) -# - Otherwise use specified tag (e.g. v0.1.2) RUN set -eux; \ case "$TARGETARCH" in \ amd64) ARCH_SUBSTR="x86_64-musl" ;; \ @@ -46,9 +40,6 @@ RUN set -eux; \ rm -rf rustfs.zip /build/.tmp || true -# ------------------- -# Runtime stage -# ------------------- FROM alpine:3.22 ARG RELEASE=latest 
@@ -67,22 +58,16 @@ LABEL name="RustFS" \ url="https://rustfs.com" \ license="Apache-2.0" -# Install only runtime requirements: certificates and coreutils (provides chroot --userspec) -RUN apk add --no-cache ca-certificates coreutils && \ - addgroup -g 1000 rustfs && \ - adduser -u 1000 -G rustfs -s /sbin/nologin -D rustfs +RUN apk add --no-cache ca-certificates coreutils -# Copy binary and entry script (ensure fixed entrypoint.sh exists in repository) COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=build /build/rustfs /usr/bin/rustfs COPY entrypoint.sh /entrypoint.sh RUN chmod +x /usr/bin/rustfs /entrypoint.sh && \ mkdir -p /data /logs && \ - chown rustfs:rustfs /data /logs && \ chmod 0750 /data /logs -# Default environment (can be overridden in docker run/compose) ENV RUSTFS_ADDRESS=":9000" \ RUSTFS_ACCESS_KEY="rustfsadmin" \ RUSTFS_SECRET_KEY="rustfsadmin" \ @@ -90,14 +75,11 @@ ENV RUSTFS_ADDRESS=":9000" \ RUSTFS_VOLUMES="/data" \ RUST_LOG="warn" \ RUSTFS_OBS_LOG_DIRECTORY="/logs" \ - RUSTFS_SINKS_FILE_PATH="/logs" \ - RUSTFS_USERNAME="rustfs" \ - RUSTFS_GROUPNAME="rustfs" \ - RUSTFS_UID="1000" \ - RUSTFS_GID="1000" + RUSTFS_SINKS_FILE_PATH="/logs" EXPOSE 9000 VOLUME ["/data", "/logs"] ENTRYPOINT ["/entrypoint.sh"] -CMD ["/usr/bin/rustfs"] + +CMD ["rustfs"] diff --git a/entrypoint.sh b/entrypoint.sh index e7351870..20adef69 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
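Review bot: The runtime stage no longer creates the `rustfs` account and declares no `USER`, so together with the `exec "$@"` change in the entrypoint.sh hunk the server runs as UID 0 unless the operator passes `--user`. `/data` and `/logs` are now left root-owned with mode 0750, so a non-root `--user` start on fresh image volumes will presumably fail to write there. If root-by-default is the intended fix for the permission error, say so where the removed comment was, e.g. `# Runs as root by default; for non-root use --user UID:GID and make /data and /logs writable by that UID`. The removed comment gave `chroot --userspec` as the reason for installing `coreutils`; the visible part of the entrypoint no longer calls it, so the package can probably be dropped from `apk add` to keep the image minimal.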
@@ -55,27 +55,5 @@ if [ "${RUSTFS_ACCESS_KEY}" = "rustfsadmin" ] || [ "${RUSTFS_SECRET_KEY}" = "rus echo "!!!WARNING: Using default RUSTFS_ACCESS_KEY or RUSTFS_SECRET_KEY. Override them in production!" fi -# 4) Start with specified user -docker_switch_user() { - if [ -n "${RUSTFS_USERNAME}" ] && [ -n "${RUSTFS_GROUPNAME}" ]; then - if [ -n "${RUSTFS_UID}" ] && [ -n "${RUSTFS_GID}" ]; then - # Execute with numeric UID:GID directly (doesn't depend on user existing in system) - exec chroot --userspec="${RUSTFS_UID}:${RUSTFS_GID}" / "$@" - else - # When only names are provided, create minimal passwd/group entries with 1000:1000; deduplicate before writing - if ! grep -q "^${RUSTFS_USERNAME}:" /etc/passwd 2>/dev/null; then - echo "${RUSTFS_USERNAME}:x:1000:1000:${RUSTFS_USERNAME}:/nonexistent:/sbin/nologin" >> /etc/passwd - fi - if ! grep -q "^${RUSTFS_GROUPNAME}:" /etc/group 2>/dev/null; then - echo "${RUSTFS_GROUPNAME}:x:1000:" >> /etc/group - fi - exec chroot --userspec="${RUSTFS_USERNAME}:${RUSTFS_GROUPNAME}" / "$@" - fi - else - # If no user is specified, keep as root (container has minimal privilege practices that can be configured separately) - exec "$@" - fi -} - echo "Starting: $*" -docker_switch_user "$@" +exec "$@"
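Review bot: With `docker_switch_user` removed, any `RUSTFS_UID`, `RUSTFS_GID`, `RUSTFS_USERNAME` or `RUSTFS_GROUPNAME` values set by existing deployments are silently ignored, and `exec "$@"` starts the server as whatever user the container was launched with. A one-line notice before the exec would make that visible in the logs, for example `if [ "$(id -u)" = "0" ]; then echo "!!!WARNING: running as root; start the container with --user to drop privileges"; fi`, in the same style as the default-credentials warning just above. The earlier steps of entrypoint.sh are outside this hunk, so whether they still reference those variables cannot be checked from here.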