
Commit 177809c

committed
fix: don't use adduser and addgroup for docker images
1 parent 8f3727d commit 177809c


2 files changed

+30
-13
lines changed


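--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,8 @@
-FROM alpine
+# This is the multi-arch Dockerfile used for Coder. Since it's multi-arch and
+# cross-compiled, it cannot have ANY "RUN" commands. All binaries are built
+# using the go toolchain on the host and then copied into the build context by
+# scripts/build_docker.sh.
+FROM alpine:latest
 
 # LABEL doesn't add any real layers so it's fine (and easier) to do it here than
 # in the build script.
@@ -11,12 +15,12 @@ LABEL \
 org.opencontainers.image.version="$CODER_VERSION" \
 org.opencontainers.image.licenses="AGPL-3.0"
 
+# Create coder group and user. We cannot use `addgroup` and `adduser` because
+# they won't work if we're building the image for a different architecture.
+COPY --chown=root:root --chmod=644 group passwd /etc/
+
 # The coder binary is injected by scripts/build_docker.sh.
-ADD coder /opt/coder
+COPY --chown=coder:coder --chmod=755 coder /opt/coder
 
-# Create coder group and user.
-RUN addgroup -g 1000 coder && \
-adduser -D -g "" -h /home/coder -G coder -u 1000 -S -s /bin/sh coder
 USER coder:coder
-
 ENTRYPOINT [ "/opt/coder", "server" ]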
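Review bot: `COPY --chown=coder:coder --chmod=755 coder /opt/coder` makes the server binary owned by, and therefore writable for, the same account the container runs as (`USER coder:coder`), so a flaw in the server process is enough to overwrite `/opt/coder` inside the container. The removed `ADD coder /opt/coder` left the file root-owned. Keeping that ownership while still setting the mode explicitly, `COPY --chown=root:root --chmod=755 coder /opt/coder`, lets `coder` execute the binary without being able to modify it. If coder ownership is intentional (for example for an in-place update path, which is not visible here), a comment saying so would help the next reader.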

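--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -95,14 +95,27 @@ ln -P Dockerfile "$temp_dir/"
 
 cd "$temp_dir"
 
-build_args=(
---platform "$arch"
---build-arg "CODER_VERSION=$version"
---tag "$image_tag"
-)
-
 log "--- Building Docker image for $arch ($image_tag)"
-docker buildx build "${build_args[@]}" . 1>&2
+
+# Pull the base image, copy the /etc/group and /etc/passwd files out of it, and
+# add the coder group and user. We have to do this in a separate step instead of
+# using the RUN directive in the Dockerfile because you can't use RUN if you're
+# building the image for a different architecture than the host.
+docker pull --platform "$arch" alpine:latest
+
+temp_container_id="$(docker create --platform "$arch" alpine:latest)"
+docker cp "$temp_container_id":/etc/group ./group
+docker cp "$temp_container_id":/etc/passwd ./passwd
+docker rm "$temp_container_id"
+
+echo "coder:x:1000:coder" >> ./group
+echo "coder:x:1000:1000::/:/bin/sh" >> ./passwd
+
+docker buildx build \
+--platform "$arch" \
+--build-arg "CODER_VERSION=$version" \
+--tag "$image_tag" \
+. 1>&2
 
 cdroot
 rm -rf "$temp_dir"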
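Review bot: `alpine:latest` is resolved here by `docker pull` / `docker create` and again by the Dockerfile's `FROM`, so the `group` and `passwd` files that overwrite `/etc/` in the image can come from a different Alpine build than the base layer they land on, and neither side is reproducible. Holding one pinned reference, e.g. `base_image="alpine:<pinned-tag>@sha256:<digest>"`, and using it for the pull, the create and (through a build arg) the `FROM` would keep them in step. The new passwd line `coder:x:1000:1000::/:/bin/sh` also sets the home directory to `/`, where the removed `adduser` call used `-h /home/coder`; if the server writes anything under `$HOME` that will probably fail for the unprivileged user, so it is worth confirming. The hunk starts mid-script, so whether an error trap removes `$temp_container_id` when a `docker cp` fails is not visible from here.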
