starred/MediaManager-maxdorninger
1
0
Fork 0
mirror of https://github.com/maxdorninger/MediaManager.git synced 2026-04-17 15:13:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #314 from yangqi/fix-non-root-execution

Browse Source 
fix: allow container to run as non-root user
This commit is contained in:
Maximilian Dorninger
2025-12-27 14:40:27 +01:00
committed by GitHub
parent 4763a5a771 e405c9f8c2
commit 6eb8979bed
2 changed files with 42 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
Dockerfile
View File

@@ -22,11 +22,23 @@ RUN locale-gen
ENV LANG=en_US.UTF-8
ENV LC_ALL=en_US.UTF-8
# Create a non-root user and group
RUN groupadd -g 1000 mediamanager && \
useradd -m -u 1000 -g mediamanager mediamanager
FROM base AS dependencies
WORKDIR /app
# Ensure mediamanager owns /app
RUN chown mediamanager:mediamanager /app
COPY pyproject.toml uv.lock ./
RUN --mount=type=cache,target=/root/.cache/uv \
USER mediamanager
# Set uv cache to a writable home directory and use copy mode for volume compatibility
ENV UV_CACHE_DIR=/home/mediamanager/.cache/uv \
UV_LINK_MODE=copy
COPY --chown=mediamanager:mediamanager pyproject.toml uv.lock ./
RUN --mount=type=cache,target=/home/mediamanager/.cache/uv,uid=1000,gid=1000 \
uv sync --locked
FROM dependencies AS app
@@ -37,19 +49,19 @@ LABEL version=${VERSION}
LABEL description="Docker image for MediaManager"
ENV PUBLIC_VERSION=${VERSION} \
CONFIG_DIR="/app/config"\
BASE_PATH=${BASE_PATH}\
CONFIG_DIR="/app/config" \
BASE_PATH=${BASE_PATH} \
FRONTEND_FILES_DIR="/app/web/build"
COPY --chmod=755 mediamanager-startup.sh .
COPY config.example.toml .
COPY media_manager ./media_manager
COPY alembic ./alembic
COPY alembic.ini .
COPY --chown=mediamanager:mediamanager --chmod=755 mediamanager-startup.sh .
COPY --chown=mediamanager:mediamanager config.example.toml .
COPY --chown=mediamanager:mediamanager media_manager ./media_manager
COPY --chown=mediamanager:mediamanager alembic ./alembic
COPY --chown=mediamanager:mediamanager alembic.ini .
HEALTHCHECK CMD curl -f http://localhost:8000${BASE_PATH}/api/v1/health || exit 1
EXPOSE 8000
CMD ["/app/mediamanager-startup.sh"]
FROM app AS production
COPY --from=frontend-build /frontend/build /app/web/build
COPY --chown=mediamanager:mediamanager --from=frontend-build /frontend/build /app/web/build

24
metadata_relay/Dockerfile
View File

@@ -4,11 +4,27 @@ LABEL version=${VERSION}
ENV BASE_PATH=""
RUN apt-get update && apt-get install -y ca-certificates
RUN apt-get update && apt-get install -y ca-certificates && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
# Create a non-root user and group
RUN groupadd -g 1000 mediamanager && \
useradd -m -u 1000 -g mediamanager mediamanager
WORKDIR /app
COPY . .
RUN uv sync --locked
# Ensure mediamanager owns the app directory
RUN chown mediamanager:mediamanager /app
USER mediamanager
# Set uv cache to a writable home directory and use copy mode for volume compatibility
ENV UV_CACHE_DIR=/home/mediamanager/.cache/uv \
UV_LINK_MODE=copy
COPY --chown=mediamanager:mediamanager . .
RUN --mount=type=cache,target=/home/mediamanager/.cache/uv,uid=1000,gid=1000 \
uv sync --locked
EXPOSE 8000
CMD ["uv", "run", "fastapi", "run", "/app/main.py"]
CMD ["uv", "run", "fastapi", "run", "/app/main.py"]