From 0ba30b5525d90be9f1805cd2f39db7b6a7fcce82 Mon Sep 17 00:00:00 2001
From: Sedetius
Date: Mon, 11 Aug 2025 11:36:54 +0200
Subject: [PATCH 1/5] Adapted Kiwix Serve Dockerfile for rootless Docker support
---
 docker/server/Dockerfile | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/docker/server/Dockerfile b/docker/server/Dockerfile
index 0d4b19e..864c6ec 100644
--- a/docker/server/Dockerfile
+++ b/docker/server/Dockerfile
@@ -2,7 +2,7 @@ ARG VERSION=latest
 # kiwix-tools is multi-arch
 FROM ghcr.io/kiwix/kiwix-tools:$VERSION
-LABEL org.opencontainers.image.source https://github.com/openzim/kiwix-tools
+LABEL org.opencontainers.image.source=https://github.com/openzim/kiwix-tools
 # expose kiwix-serve default port and workdir
 EXPOSE 8080
@@ -11,4 +11,11 @@ WORKDIR /data
 COPY ./start.sh /usr/local/bin/
+# Create non-root user for better security
+RUN addgroup -S kiwix && adduser -S kiwix -G kiwix
+# Change ownership of the start script to the new user
+RUN chown kiwix:kiwix /usr/local/bin/start.sh
+# Switch to the non-root user
+USER kiwix
+
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/start.sh"]
From 463015da452e8f4f5a8464eaac8d9ffe33dae7c0 Mon Sep 17 00:00:00 2001
From: Sedetius
Date: Mon, 11 Aug 2025 13:21:06 +0200
Subject: [PATCH 2/5] Changed default user name in kiwix-serve Dockerfile to avoid confusion with other kiwix services.
---
 docker/server/Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docker/server/Dockerfile b/docker/server/Dockerfile
index 864c6ec..65501c0 100644
--- a/docker/server/Dockerfile
+++ b/docker/server/Dockerfile
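Review bot: `RUN chown kiwix:kiwix /usr/local/bin/start.sh` in the second hunk of PATCH 1/5 hands the runtime user ownership of, and therefore write access to, its own entrypoint, which is more than it needs: COPY creates the file as root with the mode it has in the build context, and a root-owned, world-executable script runs fine under `USER kiwix` while staying read-only for the unprivileged process. The extra `RUN chown` layer also re-stores the file a second time; if ownership really is wanted, `COPY --chown=kiwix:kiwix ./start.sh /usr/local/bin/` does it inside the COPY layer. The uid/gid from `addgroup -S` / `adduser -S` is allocated dynamically, so whatever the start script presumably reads or writes under the `/data` volume (WORKDIR and VOLUME both point there) must be accessible to an id the base image picks at build time, which is awkward for bind mounts and for runtimes that verify a numeric non-root id. Pinning it, e.g. `addgroup -S -g <GID> kiwix && adduser -S -u <UID> -G kiwix kiwix` with the ids chosen and documented, makes that contract explicit.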
@@ -12,10 +12,10 @@ WORKDIR /data
 COPY ./start.sh /usr/local/bin/
 # Create non-root user for better security
-RUN addgroup -S kiwix && adduser -S kiwix -G kiwix
+RUN addgroup -S user && adduser -S user -G user
 # Change ownership of the start script to the new user
-RUN chown kiwix:kiwix /usr/local/bin/start.sh
+RUN chown user:user /usr/local/bin/start.sh
 # Switch to the non-root user
-USER kiwix
+USER user
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/start.sh"]
From 40d32cfc32387f452eac202325abe63af0e9f882 Mon Sep 17 00:00:00 2001
From: Sedetius
Date: Sat, 23 Aug 2025 12:16:13 +0200
Subject: [PATCH 3/5] Switched from legacy dockerfile LABEL key value format to new one.
---
 docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 7a8d980..506789a 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,5 +1,5 @@
 FROM alpine:3.18
-LABEL org.opencontainers.image.source https://github.com/openzim/kiwix-tools
+LABEL org.opencontainers.image.source=https://github.com/openzim/kiwix-tools
 # TARGETPLATFORM is injected by docker build
 ARG TARGETPLATFORM
From ae1640736c95a197476ee0dd298f50e38dc57e8b Mon Sep 17 00:00:00 2001
From: Sedetius
Date: Sat, 23 Aug 2025 12:28:06 +0200
Subject: [PATCH 4/5] Moved user creation in kiwix-serve dockerfile before COPY start.sh to automatically use the new users file permissions.
---
 docker/server/Dockerfile | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/docker/server/Dockerfile b/docker/server/Dockerfile
index 65501c0..6726494 100644
--- a/docker/server/Dockerfile
+++ b/docker/server/Dockerfile
@@ -9,13 +9,11 @@ EXPOSE 8080
 VOLUME /data
 WORKDIR /data
-COPY ./start.sh /usr/local/bin/
-
 # Create non-root user for better security
 RUN addgroup -S user && adduser -S user -G user
-# Change ownership of the start script to the new user
-RUN chown user:user /usr/local/bin/start.sh
 # Switch to the non-root user
 USER user
+COPY ./start.sh /usr/local/bin/
+
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/start.sh"]
From 869b08cf7123fe1a2d256742eef9e1cf018ea3bc Mon Sep 17 00:00:00 2001
From: rgaudin
Date: Wed, 27 Aug 2025 13:32:58 +0000
Subject: [PATCH 5/5] Minor comment wording
---
 docker/server/Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/docker/server/Dockerfile b/docker/server/Dockerfile
index 6726494..03bdb73 100644
--- a/docker/server/Dockerfile
+++ b/docker/server/Dockerfile
@@ -9,9 +9,8 @@ EXPOSE 8080
 VOLUME /data
 WORKDIR /data
-# Create non-root user for better security
+# running as a named unprivileged user
 RUN addgroup -S user && adduser -S user -G user
-# Switch to the non-root user
 USER user
 COPY ./start.sh /usr/local/bin/
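Review bot: Moving `COPY ./start.sh /usr/local/bin/` below `USER user` in PATCH 4/5 does not give the file the new user's ownership: COPY without `--chown` creates files as uid/gid 0 whatever USER is active, so the goal stated in the commit message is not met and the script is root-owned exactly as it was before the chown was dropped. That end state is in fact the right one for least privilege, since the unprivileged process can execute but not modify its own entrypoint, provided start.sh carries a world-executable mode in the build context, which the earlier root-run image already relied on. I would make the intent explicit so the ordering is not read as doing something it does not, with `# COPY ignores USER: start.sh stays root-owned (exec-only for "user"), which is intended` above the COPY, or, if the script genuinely must be writable by the user, `COPY --chown=user:user ./start.sh /usr/local/bin/`. PATCH 5/5 keeps the same ordering and inherits the same misleading reading.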