Adding support for non-root containers

base/Dockerfile

@@ -4,32 +4,41 @@ ARG JITSI_RELEASE=stable
 ARG TARGETPLATFORM
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 
-COPY rootfs /
+RUN groupadd --gid 1000 noroot; \
+  useradd --uid 1000 --gid 1000 -m noroot
+
+COPY --chown=noroot:noroot rootfs /
 
 RUN case ${TARGETPLATFORM} in \
          "linux/amd64")  TPL_ARCH=amd64  ;; \
          "linux/arm64")  TPL_ARCH=arm64  ;; \
     esac && \
     case ${TARGETPLATFORM} in \
-         "linux/amd64")  S6_ARCH=amd64  ;; \
+         "linux/amd64")  S6_ARCH=x86_64  ;; \
          "linux/arm64")  S6_ARCH=aarch64  ;; \
     esac && \
     apt-dpkg-wrap apt-get update && \
-    apt-dpkg-wrap apt-get install -y apt-transport-https apt-utils ca-certificates gnupg wget && \
+    apt-dpkg-wrap apt-get install -y apt-transport-https apt-utils ca-certificates gnupg wget xz-utils && \
     wget -qO /usr/bin/tpl https://github.com/jitsi/tpl/releases/download/v1.0.4/tpl-linux-${TPL_ARCH} && \
-    wget -qO - https://github.com/just-containers/s6-overlay/releases/download/v1.22.1.0/s6-overlay-${S6_ARCH}.tar.gz | tar xfz - -C / && \
+    wget -qO - https://github.com/just-containers/s6-overlay/releases/download/v3.1.5.0/s6-overlay-${S6_ARCH}.tar.xz | tar -xJp -C / && \
+    wget -qO - https://github.com/just-containers/s6-overlay/releases/download/v3.1.5.0/s6-overlay-noarch.tar.xz | tar -xJp -C / && \
     wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmour > /etc/apt/trusted.gpg.d/jitsi.gpg && \
     echo "deb https://download.jitsi.org $JITSI_RELEASE/" > /etc/apt/sources.list.d/jitsi.list && \
     echo "deb http://ftp.debian.org/debian bullseye-backports main" > /etc/apt/sources.list.d/backports.list && \
     apt-dpkg-wrap apt-get update && \
     apt-dpkg-wrap apt-get dist-upgrade -y && \
     apt-cleanup && \
-    chmod +x /usr/bin/tpl
-
+    chown -R noroot:noroot /usr/bin/tpl && \
+    chown -R noroot:noroot /etc/cont-init.d && \
+    chown -R noroot:noroot /etc/services.d && \
+    chown -R noroot:noroot /etc/timezone && \
+    chmod +x /usr/bin/tpl && \
+    chmod +x /etc/cont-init.d/*
+
 RUN [ "$JITSI_RELEASE" = "unstable" ] && \
     apt-dpkg-wrap apt-get update && \
     apt-dpkg-wrap apt-get install -y jq procps curl vim iputils-ping net-tools && \
     apt-cleanup || \
     true
 
-ENTRYPOINT [ "/init" ]
+ENTRYPOINT [ "/init" ]

base/rootfs/etc/cont-init.d/01-set-timezone

@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 if [[ ! -z "$TZ" ]]; then
     if [[ -f /usr/share/zoneinfo/$TZ ]]; then

jibri/Dockerfile

@@ -15,12 +15,38 @@ ARG USE_CHROMIUM=0
 ARG CHROME_RELEASE=114.0.5735.90
 ARG CHROMEDRIVER_MAJOR_RELEASE=114
 
-COPY rootfs/ /
+COPY --chown=noroot:noroot rootfs/ /
 
 RUN apt-dpkg-wrap apt-get update && \
     apt-dpkg-wrap apt-get install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" jibri libgl1-mesa-dri procps jitsi-upload-integrations jitsi-autoscaler-sidecar jq pulseaudio dbus dbus-x11 rtkit unzip fonts-noto && \
     /usr/bin/install-chrome.sh && \
-    apt-cleanup && \
-    adduser jibri rtkit
+    apt-cleanup
+
+RUN mkdir -p /etc/jitsi/autoscaler-sidecar && \
+    mkdir -p /config/logs && \
+    mkdir -p /config/recordings && \
+    mkdir -p /home/jibri && chown -R noroot:noroot /home/jibri
+
+RUN chown -R noroot:noroot /etc/cont-init.d && \
+    chown -R noroot:noroot /etc/services.d && \
+    chown -R noroot:noroot /etc/jitsi && \
+    chown -R noroot:noroot /run && \
+    chown -R noroot:noroot /config && \
+    chown -R noroot:noroot /var && \
+    chown -R noroot:noroot /opt/jitsi && \
+    chown -R noroot:noroot /tmp && \
+    chown -R noroot:noroot /defaults && \
+    chown -R noroot:noroot /usr/bin
+
+RUN chmod +x /etc/cont-init.d/* && \
+    chmod +x /etc/services.d/10-xorg/* && \
+    chmod +x /etc/services.d/20-icewm/* && \
+    chmod +x /etc/services.d/30-pulse/* && \
+    chmod +x /etc/services.d/40-jibri/* && \
+    chmod +x /etc/services.d/50-autoscaler-sidecar/* && \
+    chmod +x /opt/jitsi/jibri/launch.sh
+
+
+USER noroot
 
 VOLUME /config

jibri/rootfs/etc/cont-init.d/10-config

@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 if [[ -z $JIBRI_RECORDER_PASSWORD || -z $JIBRI_XMPP_PASSWORD ]]; then
     echo 'FATAL ERROR: Jibri recorder password and auth password must be set'
@@ -52,7 +52,6 @@ if [ -n "$AUTOSCALER_URL" ]; then
         [ -z "$AUTOSCALER_SIDECAR_GROUP_NAME" ] && export AUTOSCALER_SIDECAR_GROUP_NAME="docker-jibri"
         [ -z "$LOCAL_ADDRESS" ] && export LOCAL_ADDRESS="$(ip route get 1 | grep -oP '(?<=src ).*' | awk '{ print $1 '})"
 
-        mkdir -p /etc/jitsi/autoscaler-sidecar
         tpl /defaults/autoscaler-sidecar.config > /etc/jitsi/autoscaler-sidecar/config
     else
         echo "No key file at $AUTOSCALER_SIDECAR_KEY_FILE, leaving autoscaler sidecar disabled"
@@ -66,12 +65,8 @@ tpl /defaults/jibri.conf > /etc/jitsi/jibri/jibri.conf
 tpl /defaults/logging.properties > /etc/jitsi/jibri/logging.properties
 tpl /defaults/xorg-video-dummy.conf > /etc/jitsi/jibri/xorg-video-dummy.conf
 
-# make recording dir
+# set recording dir
 [ -z "${JIBRI_RECORDING_DIR}" ] && export JIBRI_RECORDING_DIR=/config/recordings
-mkdir -p ${JIBRI_RECORDING_DIR}
-chown -R jibri ${JIBRI_RECORDING_DIR}
 
-# make logs dir
+# set logs dir
 JIBRI_LOGS_DIR=/config/logs
-mkdir -p ${JIBRI_LOGS_DIR}
-chown -R jibri ${JIBRI_LOGS_DIR}

jibri/rootfs/etc/services.d/10-xorg/run

@@ -1,5 +1,5 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 DAEMON="/usr/bin/Xorg -nocursor -noreset  +extension RANDR +extension RENDER -logfile /tmp/xorg.log  -config /etc/jitsi/jibri/xorg-video-dummy.conf ${DISPLAY}"
-exec s6-setuidgid jibri /bin/bash -c "exec $DAEMON"
+exec /bin/bash -c "exec $DAEMON"
 

jibri/rootfs/etc/services.d/20-icewm/run

@@ -1,5 +1,5 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 DAEMON="/usr/bin/icewm-session"
-exec s6-setuidgid jibri /bin/bash -c "exec $DAEMON"
+exec /bin/bash -c "exec $DAEMON"
 

jibri/rootfs/etc/services.d/30-pulse/run

@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 HOME=/home/jibri
-exec s6-setuidgid jibri /bin/bash -c "exec /usr/bin/pulseaudio"
+exec /bin/bash -c "exec /usr/bin/pulseaudio"

jibri/rootfs/etc/services.d/40-jibri/finish

@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 # When jibri is shutdown (or gracefully shutdown), it exits with code 255.
 # In this case, we don't want S6 to restart the service. We want to stop all

jibri/rootfs/etc/services.d/40-jibri/run

@@ -1,10 +1,10 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 # we have to set it, otherwise chrome won't find ~/.asoundrc file
 HOME=/home/jibri
 
 DAEMON=/opt/jitsi/jibri/launch.sh
 # pre-warm google chrome before jibri launches to ensure fast chrome launch during recordings
-s6-setuidgid jibri /usr/bin/google-chrome --timeout=1000 --headless about:blank
-exec s6-setuidgid jibri /bin/bash -c "exec $DAEMON"
+/usr/bin/google-chrome --timeout=1000 --headless about:blank
+exec /bin/bash -c "exec $DAEMON"
 

jibri/rootfs/etc/services.d/50-autoscaler-sidecar/run

@@ -1,8 +1,8 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 if [[ -n "$AUTOSCALER_URL" ]] && [[ -f "/etc/jitsi/autoscaler-sidecar/config" ]]; then
     DAEMON="/usr/bin/node /usr/share/jitsi-autoscaler-sidecar/app.js"
-    exec s6-setuidgid autoscaler-sidecar /bin/bash -c ". /etc/jitsi/autoscaler-sidecar/config && exec $DAEMON"
+    exec autoscaler-sidecar /bin/bash -c ". /etc/jitsi/autoscaler-sidecar/config && exec $DAEMON"
 else
     # if autoscaler-sidecar should not be started,
     # prevent s6 from restarting this script again and again

jicofo/Dockerfile

@@ -12,6 +12,21 @@ RUN apt-dpkg-wrap apt-get update && \
     apt-dpkg-wrap apt-get install -y jicofo && \
     apt-cleanup
 
-COPY rootfs/ /
+COPY --chown=noroot:noroot rootfs/ /
+
+RUN chown -R noroot:noroot /etc/cont-init.d && \
+    chown -R noroot:noroot /etc/services.d && \
+    chown -R noroot:noroot /run && \
+    chown -R noroot:noroot /var && \
+    chown -R noroot:noroot /usr/share/jicofo && \
+    chown -R noroot:noroot /etc/jitsi && \
+    chown -R noroot:noroot /etc/jitsi/jicofo && \
+    mkdir -p /config && chown -R noroot:noroot /config
+
+RUN chmod +x /usr/share/jicofo/jicofo.sh && \
+    chmod +x /etc/cont-init.d/* && \
+    chmod +x /etc/services.d/jicofo/*
+
+USER noroot
 
 VOLUME /config

jicofo/rootfs/etc/cont-init.d/10-config

@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 export SENTRY_RELEASE="${SENTRY_RELEASE:-$(apt-cache policy jicofo | sed -n '/Installed/p' | sed -e 's/[^:]*: //')}"
 
@@ -15,5 +15,3 @@ fi
 
 tpl /defaults/logging.properties > /config/logging.properties
 tpl /defaults/jicofo.conf > /config/jicofo.conf
-
-chown -R jicofo:jitsi /config

jicofo/rootfs/etc/services.d/jicofo/run

@@ -1,7 +1,7 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 JAVA_SYS_PROPS="-Djava.util.logging.config.file=/config/logging.properties -Dconfig.file=/config/jicofo.conf"
 DAEMON=/usr/share/jicofo/jicofo.sh
 DAEMON_DIR=/usr/share/jicofo/
 
-exec s6-setuidgid jicofo /bin/bash -c "cd $DAEMON_DIR; JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON"
+exec /bin/bash -c "cd $DAEMON_DIR; JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON"

jigasi/Dockerfile

@@ -14,6 +14,19 @@ RUN apt-dpkg-wrap apt-get update && \
     apt-dpkg-wrap apt-get install -y jigasi jq && \
     apt-cleanup
 
-COPY rootfs/ /
+COPY --chown=noroot:noroot rootfs/ /
 
-VOLUME ["/config", "/tmp/transcripts"]
+RUN chown -R noroot:noroot /etc/cont-init.d && \
+    chown -R noroot:noroot /etc/services.d && \
+    chown -R noroot:noroot /usr/share && \
+    chown -R noroot:noroot /defaults && \
+    mkdir -pm777 /config/transcripts && \
+    mkdir -p /config && chown -R noroot:noroot /config
+
+RUN chmod +x /etc/cont-init.d/* && \
+    chmod +x /etc/services.d/jigasi/* && \
+    chmod +x /usr/share/jigasi/jigasi.sh
+
+USER noroot
+
+VOLUME /config

jigasi/rootfs/defaults/sip-communicator.properties

@@ -160,7 +160,7 @@ net.java.sip.communicator.service.gui.ALWAYS_TRUST_MODE_ENABLED=true
 # Transcription config
 org.jitsi.jigasi.ENABLE_TRANSCRIPTION=true
 org.jitsi.jigasi.transcription.ENABLE_TRANSLATION=true
-org.jitsi.jigasi.transcription.DIRECTORY=/tmp/transcripts
+org.jitsi.jigasi.transcription.DIRECTORY=/config/transcripts
 org.jitsi.jigasi.transcription.BASE_URL={{ .Env.PUBLIC_URL }}/transcripts
 org.jitsi.jigasi.transcription.jetty.port=-1
 org.jitsi.jigasi.transcription.ADVERTISE_URL={{ .Env.JIGASI_TRANSCRIBER_ADVERTISE_URL | default "false"}}

jigasi/rootfs/etc/cont-init.d/10-config

@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 export SENTRY_RELEASE="${SENTRY_RELEASE:-$(apt-cache policy jigasi | sed -n '/Installed/p' | sed -e 's/[^:]*: //')}"
 
@@ -20,8 +20,6 @@ if [[ -f /config/custom-sip-communicator.properties ]]; then
     cat /config/custom-sip-communicator.properties >> /config/sip-communicator.properties
 fi
 
-mkdir -pm777 /tmp/transcripts
-chown jigasi:jitsi /tmp/transcripts
 
 # Create Google Cloud Credentials
 if [[ $ENABLE_TRANSCRIPTIONS -eq 1 || $ENABLE_TRANSCRIPTIONS == "true" ]]; then

jigasi/rootfs/etc/services.d/jigasi/run

@@ -1,8 +1,8 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 JAVA_SYS_PROPS="-Djava.util.logging.config.file=/config/logging.properties"
 
 DAEMON=/usr/share/jigasi/jigasi.sh
 DAEMON_OPTS="--nocomponent=true --configdir=/ --configdirname=config --min-port=${JIGASI_PORT_MIN:-20000} --max-port=${JIGASI_PORT_MAX:-20050}"
 
-exec s6-setuidgid jigasi /bin/bash -c "JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON $DAEMON_OPTS"
+exec /bin/bash -c "JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON $DAEMON_OPTS"

jvb/Dockerfile

@@ -12,6 +12,17 @@ RUN apt-dpkg-wrap apt-get update && \
     apt-dpkg-wrap apt-get install -y jitsi-videobridge2 jq curl iproute2 dnsutils && \
     apt-cleanup
 
-COPY rootfs/ /
+COPY --chown=noroot:noroot rootfs/ /
+
+RUN chown -R noroot:noroot /etc/cont-init.d && \
+    chown -R noroot:noroot /etc/services.d && \
+    chown -R noroot:noroot /run && \
+    chown -R noroot:noroot /var && \
+    mkdir -p /config && chown -R noroot:noroot /config
+
+RUN chmod +x /etc/cont-init.d/* && \
+    chmod +x /etc/services.d/jvb/*
+
+USER noroot
 
 VOLUME /config

jvb/rootfs/etc/cont-init.d/10-config

@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 if [[ -z $JVB_AUTH_PASSWORD ]]; then
     echo 'FATAL ERROR: JVB auth password must be set'
@@ -38,10 +38,8 @@ fi
 tpl /defaults/logging.properties > /config/logging.properties
 tpl /defaults/jvb.conf > /config/jvb.conf
 
-chown -R jvb:jitsi /config
-
 # Configuration checks
 if [[ (-z $ENABLE_COLIBRI_WEBSOCKET || $ENABLE_COLIBRI_WEBSOCKET == "0") && $ENABLE_OCTO == "1"  ]]; then
-  echo "ERROR: In order to enable Octo relays (with ENABLE_OCTO=1), you MUST enable Colibri websockets (with ENABLE_COLIBRI_WEBSOCKET=1)";
-  exit 1;
+    echo "ERROR: In order to enable Octo relays (with ENABLE_OCTO=1), you MUST enable Colibri websockets (with ENABLE_COLIBRI_WEBSOCKET=1)";
+    exit 1;
 fi

jvb/rootfs/etc/services.d/jvb/run

@@ -1,7 +1,7 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 export JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/ -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=config -Djava.util.logging.config.file=/config/logging.properties -Dconfig.file=/config/jvb.conf"
 
 DAEMON=/usr/share/jitsi-videobridge/jvb.sh
 
-exec s6-setuidgid jvb /bin/bash -c "exec $DAEMON"
+exec /bin/bash -c "exec $DAEMON"

prosody/Dockerfile

@@ -61,11 +61,36 @@ RUN wget -qO /etc/apt/trusted.gpg.d/prosody.gpg https://prosody.im/files/prosody
     mv prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN/mod_matrix_power_sync.lua /prosody-plugins && \
     rm -rf prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz
 
-COPY rootfs/ /
+COPY --chown=noroot:noroot rootfs/ /
 
-COPY --from=builder /usr/local/lib/lua/5.4 /usr/local/lib/lua/5.4
-COPY --from=builder /usr/local/share/lua/5.4 /usr/local/share/lua/5.4
+COPY --chown=noroot:noroot --from=builder /usr/local/lib/lua/5.4 /usr/local/lib/lua/5.4
+COPY --chown=noroot:noroot --from=builder /usr/local/share/lua/5.4 /usr/local/share/lua/5.4
+
+RUN mkdir -pm777 /var/run/saslauthd && \
+    mkdir -p /config/noroot_data && \
+    mkdir -p /config/certs && \
+    mkdir -p /config/conf.d && \
+    mkdir -p /prosody-plugins-custom
+
+RUN chown -R noroot:noroot /etc/cont-init.d && \
+    chown -R noroot:noroot /etc/services.d && \
+    chown -R noroot:noroot /etc/ldap && \
+    chown -R noroot:noroot /run && \
+    chown -R noroot:noroot /var && \
+    chown -R noroot:noroot /defaults && \
+    chown -R noroot:noroot /prosody-plugins && \
+    chown -R noroot:noroot /prosody-plugins-custom && \
+    mkdir -p /config/saslauthd
+
+RUN chmod +x /etc/cont-init.d/* && \
+    chmod +x /etc/services.d/10-saslauthd/* && \
+    chmod +x /etc/services.d/prosody/*
+
+RUN cp -r /defaults/* /config
+RUN chown -R noroot:noroot /config
 
 EXPOSE 5222 5280
 
+USER noroot
+
 VOLUME ["/config", "/prosody-plugins-custom"]

prosody/rootfs/defaults/prosody.cfg.lua

@@ -215,7 +215,7 @@ http_interfaces = { "*", "::" }
 http_interfaces = { "*" }
 {{ end }}
 
-data_path = "/config/data"
+data_path = "/config/noroot_data"
 
 smacks_max_unacked_stanzas = 5;
 smacks_hibernation_time = 60;