Allow for non-root operation

lorenzschmid · Sep 13, 2024 · 681e527 · 681e527
1 parent 99f7a3f
commit 681e527
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -21,5 +21,18 @@ RUN mkdir -p /data
 # Expose the port the sync server runs on
 EXPOSE 8080
 
+# Use PUID and PGID if set, otherwise fallback to default user and group
+ARG PUID=1000
+ARG PGID=1000
+
+# Create group and user based on PUID and PGID
+RUN groupadd -g ${PGID} anki && useradd -u ${PUID} -g anki -m anki
+
+# Set ownership of the working directory and data directory to the new user
+RUN chown -R anki:anki /app && chown -R anki:anki /data
+
+# Switch to the non-root user
+USER anki
+
 # Run the script to update the package and start the server
 CMD ["/app/start.sh"]
diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ At least the following environmental variables has to be set outside of the cont
 
 - `SYNC_USER1`: The username and password for the first user in the format `user:password`.
 
+In case of using `PASSWORDS_HASHED=1` and hashing `password` with [pbkdf2](https://git.sr.ht/~laalsaas/pbkdf2-password-hash), please take care to correctly escape any dollar signs (`$`) before using them in the terminal or an `.env` file.
 
 ## Running the Docker Container
 
@@ -24,6 +25,7 @@ To start the Anki sync server in a Docker container:
 docker run \
   -d \
   --name anki-syncserver \
+  --user anki:docker \
   -p 8080:8080 \
   -v ./data:/data \
   -e SYNC_USER1=user:password \
@@ -32,6 +34,7 @@ docker run \
 
 - `-d`: Runs the container in detached mode.
 - `--name`: Assigns a name to the container (`anki-syncserver`).
+- `--user`: Assigns the user and group under which the container should run (rootless).
 - `-p 8080:8080`: Maps port `8080` on the host to port `8080` in the container.
 - `-v ./data:/data`: Mounts the host directory `./data` to the container’s `/data` directory for data persistence.
 - `-e SYNC_USER1=user:password`: Sets the `SYNC_USER1` environment variable to configure the sync server’s username and password.
@@ -45,6 +48,7 @@ services:
   anki-syncserver:
     image: ghcr.io/lorenzschmid/anki-syncserver
     container_name: anki-syncserver
+    user: "anki:docker"  # Replace with your desired user_id:group_id
     environment:
       SYNC_USER1: "user:password"  # Replace with your desired username:password
     ports: