mirror of
https://github.com/TriliumNext/Notes.git
synced 2025-07-26 01:12:30 +08:00
feat(ci): add rootless dockerfiles
This commit is contained in:
perf3ct
parent
ae83f0a1c7
commit
0298c62ec7
65
apps/server/Dockerfile.alpine.rootless
Normal file
65
apps/server/Dockerfile.alpine.rootless
Normal file
@ -0,0 +1,65 @@
|
||||
FROM node:22.15.0-alpine AS builder
|
||||
RUN corepack enable
|
||||
|
||||
# Install native dependencies since we might be building cross-platform.
|
||||
WORKDIR /usr/src/app
|
||||
COPY ./dist/package.json ./dist/pnpm-lock.yaml ./docker/pnpm-workspace.yaml /usr/src/app/
|
||||
# We have to use --no-frozen-lockfile due to CKEditor patches
|
||||
RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild
|
||||
|
||||
FROM node:22.15.0-alpine
|
||||
# Create a non-root user with configurable UID/GID
|
||||
ARG USER=trilium
|
||||
ARG UID=1001
|
||||
ARG GID=1001
|
||||
ENV USER=${USER}
|
||||
ENV UID=${UID}
|
||||
ENV GID=${GID}
|
||||
|
||||
# Install runtime dependencies and create user with specific UID/GID
|
||||
RUN apk add --no-cache dumb-init && \
|
||||
# Alpine uses addgroup/adduser (from busybox) instead of groupadd/useradd
|
||||
addgroup -g ${GID} ${USER} && \
|
||||
adduser -u ${UID} -G ${USER} -s /bin/sh -D -h /home/${USER} ${USER}
|
||||
|
||||
WORKDIR /home/${USER}/app
|
||||
COPY ./dist /home/${USER}/app
|
||||
RUN rm -rf /home/${USER}/app/node_modules/better-sqlite3
|
||||
COPY --from=builder /usr/src/app/node_modules/better-sqlite3 /home/${USER}/app/node_modules/better-sqlite3
|
||||
RUN chown -R ${USER}:${USER} /home/${USER}
|
||||
|
||||
# Configure container
|
||||
USER ${USER}
|
||||
EXPOSE 8080
|
||||
|
||||
# By default, use UID/GID that was set during build
|
||||
# These can be overridden at runtime
|
||||
ENV TRILIUM_UID=${UID}
|
||||
ENV TRILIUM_GID=${GID}
|
||||
ENV TRILIUM_DATA_DIR=/home/${USER}/trilium-data
|
||||
|
||||
# Use dumb-init as entrypoint to handle signals properly
|
||||
ENTRYPOINT ["/usr/bin/dumb-init", "--"]
|
||||
|
||||
# This script will handle UID/GID checks and start the app
|
||||
CMD [ "sh", "-c", "\
|
||||
if [ \"${TRILIUM_UID}\" != \"$(id -u)\" ] || [ \"${TRILIUM_GID}\" != \"$(id -g)\" ]; then \
|
||||
echo \"Detected UID:GID mismatch\"; \
|
||||
if [ \"${TRILIUM_GID}\" != \"$(id -g)\" ]; then \
|
||||
echo \"ERROR: Cannot change GID at runtime in rootless mode.\"; \
|
||||
echo \" Please use docker run with --user ${TRILIUM_UID}:${TRILIUM_GID} instead.\"; \
|
||||
exit 1; \
|
||||
fi; \
|
||||
if [ \"${TRILIUM_UID}\" != \"$(id -u)\" ]; then \
|
||||
echo \"ERROR: Cannot change UID at runtime in rootless mode.\"; \
|
||||
echo \" Please use docker run with --user ${TRILIUM_UID}:${TRILIUM_GID} instead.\"; \
|
||||
exit 1; \
|
||||
fi; \
|
||||
fi; \
|
||||
# Make sure data directory has correct permissions \
|
||||
mkdir -p \"${TRILIUM_DATA_DIR}\"; \
|
||||
# Start the app \
|
||||
exec node ./main \
|
||||
" ]
|
||||
|
||||
HEALTHCHECK --start-period=10s CMD node /home/${USER}/app/docker_healthcheck.js
|
||||
66
apps/server/Dockerfile.rootless
Normal file
66
apps/server/Dockerfile.rootless
Normal file
@ -0,0 +1,66 @@
|
||||
FROM node:22.15.0-bullseye-slim AS builder
|
||||
RUN corepack enable
|
||||
|
||||
# Install native dependencies since we might be building cross-platform.
|
||||
WORKDIR /usr/src/app/build
|
||||
COPY ./dist/package.json ./dist/pnpm-lock.yaml ./docker/pnpm-workspace.yaml /usr/src/app/
|
||||
# We have to use --no-frozen-lockfile due to CKEditor patches
|
||||
RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild
|
||||
|
||||
FROM node:22.15.0-bullseye-slim
|
||||
# Create a non-root user with configurable UID/GID
|
||||
ARG USER=trilium
|
||||
ARG UID=1001
|
||||
ARG GID=1001
|
||||
ENV USER=${USER}
|
||||
ENV UID=${UID}
|
||||
ENV GID=${GID}
|
||||
|
||||
# Install only runtime dependencies
|
||||
RUN rm -rf \
|
||||
/var/lib/apt/lists/* \
|
||||
/var/cache/apt/* && \
|
||||
# Create the user/group with the default UID/GID
|
||||
groupadd -g ${GID} ${USER} && \
|
||||
useradd -u ${UID} -g ${USER} -s /bin/sh -m ${USER}
|
||||
|
||||
WORKDIR /home/${USER}/app
|
||||
COPY ./dist /home/${USER}/app
|
||||
RUN rm -rf /home/${USER}/app/node_modules/better-sqlite3
|
||||
COPY --from=builder /usr/src/app/node_modules/better-sqlite3 /home/${USER}/app/node_modules/better-sqlite3
|
||||
RUN chown -R ${USER}:${USER} /home/${USER}
|
||||
|
||||
# Configure container
|
||||
USER ${USER}
|
||||
EXPOSE 8080
|
||||
|
||||
# By default, use UID/GID that was set during build
|
||||
# These can be overridden at runtime
|
||||
ENV TRILIUM_UID=${UID}
|
||||
ENV TRILIUM_GID=${GID}
|
||||
ENV TRILIUM_DATA_DIR=/home/${USER}/trilium-data
|
||||
|
||||
# This script will handle UID/GID remapping if needed and then start the app
|
||||
CMD [ "sh", "-c", "\
|
||||
if [ \"${TRILIUM_UID}\" != \"$(id -u)\" ] || [ \"${TRILIUM_GID}\" != \"$(id -g)\" ]; then \
|
||||
echo \"Remapping user ${USER} to UID:GID ${TRILIUM_UID}:${TRILIUM_GID}\"; \
|
||||
# Use 'id -u' and 'id -g' to get current UID and GID \
|
||||
if [ \"${TRILIUM_GID}\" != \"$(id -g)\" ]; then \
|
||||
# Need root to modify user/group, but we can't use sudo, so we need to exit \
|
||||
echo \"ERROR: Cannot change GID at runtime in rootless mode.\"; \
|
||||
echo \" Please use docker run with --user ${TRILIUM_UID}:${TRILIUM_GID} instead.\"; \
|
||||
exit 1; \
|
||||
fi; \
|
||||
if [ \"${TRILIUM_UID}\" != \"$(id -u)\" ]; then \
|
||||
echo \"ERROR: Cannot change UID at runtime in rootless mode.\"; \
|
||||
echo \" Please use docker run with --user ${TRILIUM_UID}:${TRILIUM_GID} instead.\"; \
|
||||
exit 1; \
|
||||
fi; \
|
||||
fi; \
|
||||
# Make sure data directory has correct permissions \
|
||||
mkdir -p \"${TRILIUM_DATA_DIR}\"; \
|
||||
# Start the app \
|
||||
exec node ./main \
|
||||
" ]
|
||||
|
||||
HEALTHCHECK --start-period=10s CMD node /home/${USER}/app/docker_healthcheck.js
|
||||
31
docker-compose.rootless.yml
Normal file
31
docker-compose.rootless.yml
Normal file
@ -0,0 +1,31 @@
|
||||
version: '3.8'
|
||||
|
||||
# Running `docker-compose -f docker-compose.rootless.yml up` will create/use the "trilium-data" directory in the user home
|
||||
# Run `TRILIUM_DATA_DIR=/path/of/your/choice docker-compose -f docker-compose.rootless.yml up` to set a different directory
|
||||
# To run in the background, use `docker-compose -f docker-compose.rootless.yml up -d`
|
||||
# To use the Alpine-based image, run with `TRILIUM_VARIANT=alpine docker-compose -f docker-compose.rootless.yml up`
|
||||
services:
|
||||
trilium:
|
||||
# Optionally, replace `latest` with a version tag like `v0.90.3`
|
||||
# Using `latest` may cause unintended updates to the container
|
||||
image: triliumnext/notes:rootless
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- TRILIUM_DATA_DIR=/home/trilium/trilium-data
|
||||
# Set the desired UID/GID for the Trilium process. Will be used during docker run
|
||||
# These should match the owner of your data directory on the host
|
||||
- TRILIUM_UID=${TRILIUM_UID:-1001}
|
||||
- TRILIUM_GID=${TRILIUM_GID:-1001}
|
||||
# Use the specified UID/GID for the container process
|
||||
user: ${TRILIUM_UID:-1001}:${TRILIUM_GID:-1001}
|
||||
ports:
|
||||
# By default, Trilium will be available at http://localhost:8080
|
||||
# It will also be accessible at http://<host-ip>:8080
|
||||
# You might want to limit this with something like Docker Networks, reverse proxies, or firewall rules
|
||||
- '8080:8080'
|
||||
volumes:
|
||||
# Unless TRILIUM_DATA_DIR is set, the data will be stored in the "trilium-data" directory in the home directory.
|
||||
# This can also be changed by replacing the line below with `- /path/of/your/choice:/home/trilium/trilium-data
|
||||
- ${TRILIUM_DATA_DIR:-~/trilium-data}:/home/trilium/trilium-data
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
Loading…
x
Reference in New Issue
Block a user