michael_dileo/Keybard-Vagabond-Demo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

remove chown so that fsgroup can be applied to the security context

Browse Source
This commit is contained in:
Michael DiLeo
2026-01-14 22:59:28 +02:00
parent 43fc195249
commit 6bef6b3b6a
3 changed files with 236 additions and 229 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
build/piefed/piefed-base/Dockerfile
View File

@@ -60,11 +60,14 @@ RUN apk add --no-cache \
bash
# Create piefed user and set up directories in a single layer
# Note: /app/app/static/media is volume-mounted in K8s, fsGroup handles permissions there
# Other directories need explicit ownership for logging and temp files
RUN addgroup -g 1000 piefed \
&& adduser -u 1000 -G piefed -s /bin/sh -D piefed \
&& mkdir -p /app/logs /app/app/static/tmp /app/app/static/media \
/var/log/piefed /var/run/piefed \
&& chown -R piefed:piefed /var/log/piefed /var/run/piefed
&& chown -R piefed:piefed /app/logs /app/app/static/tmp \
/var/log/piefed /var/run/piefed
# Set working directory
WORKDIR /app
@@ -75,7 +78,7 @@ COPY --from=builder --chown=piefed:piefed /app /app
# Compile translations and set permissions in a single layer
RUN source /app/venv/bin/activate \
&& (pybabel compile -d app/translations || true) \
&& chmod 755 /app/logs /app/app/static/tmp /app/app/static/media
&& chmod 755 /app/logs /app/app/static/tmp
# Copy shared entrypoint utilities
COPY entrypoint-common.sh /usr/local/bin/entrypoint-common.sh