Merge pull request #5528 from nextcloud/enh/noid/add-user-ids

add user-IDs to all containers
2025-12-19 22:16:49 +00:00 · 2024-11-06 16:13:50 +01:00 · 2024-11-06 16:13:50 +01:00 · 8d81f56a9f
commit 8d81f56a9f
parent 1632e14380 bc36ce9aab
13 changed files with 35 additions and 11 deletions
--- a/.github/workflows/json-validator.yml
+++ b/.github/workflows/json-validator.yml
@ -21,7 +21,7 @@ jobs:
        run: |
          sudo apt-get update
          sudo apt-get install python3-pip -y --no-install-recommends
-          sudo pip3 install json-spec
+          sudo pip3 install json-spec --break-system-packages
          if ! json validate --schema-file=php/containers-schema.json --document-file=php/containers.json; then
            exit 1
          fi
--- a/Containers/apache/Dockerfile
+++ b/Containers/apache/Dockerfile
@ -81,7 +81,7 @@ RUN set -ex; \
    \
    echo "root:$(openssl rand -base64 12)" | chpasswd

-USER www-data
+USER 33

 ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
--- a/Containers/clamav/Dockerfile
+++ b/Containers/clamav/Dockerfile
@ -19,7 +19,7 @@ RUN set -ex; \

 VOLUME /var/lib/clamav

-USER clamav
+USER 100

 LABEL com.centurylinklabs.watchtower.enable="false"

--- a/Containers/imaginary/Dockerfile
+++ b/Containers/imaginary/Dockerfile
@ -33,7 +33,7 @@ COPY --chmod=775 start.sh /start.sh

 ENV PORT=9000

-USER nobody
+USER 65534

 # https://github.com/h2non/imaginary#memory-issues
 ENV MALLOC_ARENA_MAX=2
--- a/Containers/postgresql/Dockerfile
+++ b/Containers/postgresql/Dockerfile
@ -39,7 +39,7 @@ RUN set -ex; \

 VOLUME /mnt/data

-USER postgres
+USER 999
 ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD /healthcheck.sh
--- a/Containers/redis/Dockerfile
+++ b/Containers/redis/Dockerfile
@ -14,7 +14,7 @@ RUN set -ex; \
 # Get rid of unused binaries
    rm -f /usr/local/bin/gosu;

-USER redis
+USER 999
 ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD redis-cli -a $REDIS_HOST_PASSWORD PING || exit 1
--- a/Containers/talk-recording/Dockerfile
+++ b/Containers/talk-recording/Dockerfile
@ -28,7 +28,7 @@ RUN set -ex; \
        build-base \
        linux-headers \
        geckodriver; \
-    useradd -d /tmp --system recording; \
+    useradd -d /tmp --system recording -u 122; \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
    git clone --recursive https://github.com/nextcloud/nextcloud-talk-recording --depth=1 --single-branch --branch "$RECORDING_VERSION" /src; \
@ -49,7 +49,7 @@ RUN set -ex; \
        linux-headers;

 WORKDIR /tmp
-USER recording
+USER 122
 ENTRYPOINT ["/start.sh"]
 CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.conf"]

--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@ -99,7 +99,7 @@ RUN set -ex; \
    ln -s /opt/eturnal/bin/stun /usr/local/bin/stun; \
    ln -s /opt/eturnal/bin/eturnalctl /usr/local/bin/eturnalctl

-USER eturnal
+USER 1000
 ENTRYPOINT ["/start.sh"]
 CMD ["supervisord", "-c", "/supervisord.conf"]

--- a/Containers/whiteboard/Dockerfile
+++ b/Containers/whiteboard/Dockerfile
@ -5,7 +5,7 @@ USER root
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache bash
-USER nobody
+USER 65534

 COPY --chmod=775 start.sh /start.sh

--- a/manual-install/latest.yml
+++ b/manual-install/latest.yml
@ -20,6 +20,7 @@ services:
        condition: service_started
        required: false
    image: nextcloud/aio-apache:latest
+    user: 33
    init: true
    ports:
      - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/tcp
@ -53,6 +54,7 @@ services:

  nextcloud-aio-database:
    image: nextcloud/aio-postgresql:latest
+    user: 999
    init: true
    expose:
      - "5432"
@ -161,6 +163,7 @@ services:

  nextcloud-aio-notify-push:
    image: nextcloud/aio-notify-push:latest
+    user: 33
    init: true
    expose:
      - "7867"
@ -183,6 +186,7 @@ services:

  nextcloud-aio-redis:
    image: nextcloud/aio-redis:latest
+    user: 999
    init: true
    expose:
      - "6379"
@ -198,6 +202,7 @@ services:

  nextcloud-aio-collabora:
    image: nextcloud/aio-collabora:latest
+    user: 100
    init: true
    expose:
      - "9980"
@ -219,6 +224,7 @@ services:

  nextcloud-aio-talk:
    image: nextcloud/aio-talk:latest
+    user: 1000
    init: true
    ports:
      - ${TALK_PORT}:${TALK_PORT}/tcp
@ -249,6 +255,7 @@ services:

  nextcloud-aio-talk-recording:
    image: nextcloud/aio-talk-recording:latest
+    user: 122
    init: true
    expose:
      - "1234"
@ -270,6 +277,7 @@ services:

  nextcloud-aio-clamav:
    image: nextcloud/aio-clamav:latest
+    user: 100
    init: false
    expose:
      - "3310"
@ -310,6 +318,7 @@ services:

  nextcloud-aio-imaginary:
    image: nextcloud/aio-imaginary:latest
+    user: 65534
    init: true
    expose:
      - "9000"
@ -353,6 +362,7 @@ services:

  nextcloud-aio-whiteboard:
    image: nextcloud/aio-whiteboard:latest
+    user: 65534
    init: true
    expose:
      - "3002"
--- a/manual-install/update-yaml.sh
+++ b/manual-install/update-yaml.sh
@ -19,6 +19,7 @@ OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].backup_volumes)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].nextcloud_exec_commands)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].image_tag)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].networks)')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].documentation)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-watchtower"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-domaincheck"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-borgbackup"))')"
--- a/php/containers-schema.json
+++ b/php/containers-schema.json
@ -68,6 +68,9 @@
 					"stop_grace_period": {
 						"type": "integer"
 					},
+					"user": {
+						"type": "integer"
+					},
 					"ports": {
 						"type": "array",
 						"items": {
--- a/php/containers.json
+++ b/php/containers.json
@ -13,6 +13,7 @@
      ],
      "display_name": "Apache",
      "image": "nextcloud/aio-apache",
+      "user": 33,
      "init": true,
      "ports": [
        {
@ -78,6 +79,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Database",
      "image": "nextcloud/aio-postgresql",
+      "user": 999,
      "init": true,
      "expose": [
        "5432"
@ -251,6 +253,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Notify Push",
      "image": "nextcloud/aio-notify-push",
+      "user": 33,
      "init": true,
      "expose": [
        "7867"
@ -292,6 +295,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Redis",
      "image": "nextcloud/aio-redis",
+      "user": 999,
      "init": true,
      "expose": [
        "6379"
@ -328,6 +332,7 @@
      "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358",
      "display_name": "Collabora",
      "image": "nextcloud/aio-collabora",
+      "user": 100,
      "init": true,
      "expose": [
        "9980"
@ -366,6 +371,7 @@
      "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358",
      "display_name": "Talk",
      "image": "nextcloud/aio-talk",
+      "user": 1000,
      "init": true,
      "ports": [
        {
@ -422,6 +428,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Talk Recording",
      "image": "nextcloud/aio-talk-recording",
+      "user": 122,
      "init": true,
      "expose": [
        "1234"
@ -575,6 +582,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "ClamAV",
      "image": "nextcloud/aio-clamav",
+      "user": 100,
      "init": false,
      "expose": [
        "3310"
@ -655,6 +663,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Imaginary",
      "image": "nextcloud/aio-imaginary",
+      "user": 65534,
      "init": true,
      "expose": [
        "9000"
@ -760,6 +769,7 @@
      "image_tag": "%AIO_CHANNEL%",
      "display_name": "Whiteboard",
      "image": "nextcloud/aio-whiteboard",
+      "user": 65534,
      "init": true,
      "expose": [
        "3002"