Fix container to run app as routewatch user

Use runuser to drop privileges and execute the app as the routewatch
user (uid 1000). Fix data directory permissions at runtime since host
mounts may have incorrect ownership.
This commit is contained in:
Jeffrey Paul 2025-12-31 16:17:59 -08:00
parent f788a0dbf9
commit c6fa2b0fbd
2 changed files with 10 additions and 3 deletions


@ -51,15 +51,15 @@ COPY --from=builder /routewatch-source.tar.zst /app/source/routewatch-source.tar
# Set ownership # Set ownership
RUN chown -R routewatch:routewatch /app RUN chown -R routewatch:routewatch /app
USER routewatch
ENV XDG_DATA_HOME=/var/lib ENV XDG_DATA_HOME=/var/lib
# Expose HTTP port # Expose HTTP port
EXPOSE 8080 EXPOSE 8080
COPY ./entrypoint.sh /entrypoint.sh
# Health check using the health endpoint # Health check using the health endpoint
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \ HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD curl -sf http://localhost:8080/.well-known/healthcheck.json || exit 1 CMD curl -sf http://localhost:8080/.well-known/healthcheck.json || exit 1
ENTRYPOINT ["/app/routewatch"] ENTRYPOINT ["/bin/bash", "/entrypoint.sh" ]
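Review bot: With `USER routewatch` apparently gone from the new side (the line is printed only once, so its side is inferred from the commit message), the final stage now ends as root and the HEALTHCHECK's curl runs as root as well; the reason is the ownership repair done in entrypoint.sh, and that should be stated next to the ENTRYPOINT, e.g. `# Starts as root so /entrypoint.sh can fix ownership of the host-mounted data dir; it drops to routewatch via runuser before exec'ing the app.` The new `COPY ./entrypoint.sh /entrypoint.sh` leaves the script's mode to whatever the build context had, which is why bash is invoked explicitly; `COPY --chmod=0755 ./entrypoint.sh /entrypoint.sh` with `ENTRYPOINT ["/entrypoint.sh"]` makes the executable bit part of the build rather than the checkout. `runuser` must exist in the runtime image; the package list is outside this hunk, so that is worth confirming.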

7
entrypoint.sh Normal file

@ -0,0 +1,7 @@
#!/bin/bash
cd /var/lib/berlin.sneak.app.routewatch
chown -R routewatch:routewatch .
chmod 700 .
exec runuser -u routewatch -- /app/routewatch
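Review bot: The `cd` on the second line has no failure handling and the script never sets `set -e`, so if the data directory is absent (host mount not supplied) the `chown -R routewatch:routewatch .` and `chmod 700 .` that follow run as root against whatever the working directory happened to be, recursively re-owning an unrelated tree; add `set -euo pipefail` after the shebang so a failed `cd` aborts the start instead. Arguments passed on `docker run` are silently dropped by the last line; `exec runuser -u routewatch -- /app/routewatch "$@"` forwards them. A header comment stating why the script starts as root, e.g. `# Runs as root to repair ownership of the host-mounted data dir, then drops to routewatch.`, would help the next reader.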