Allow for non-root operation

lorenzschmid · Sep 5, 2024 · 157a707 · 157a707
1 parent d7994dc
commit 157a707
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -21,5 +21,18 @@ RUN mkdir -p /data
 # Expose the port the sync server runs on
 EXPOSE 8080
 
+# Use PUID and PGID if set, otherwise fallback to default user and group
+ARG PUID=1000
+ARG PGID=1000
+
+# Create group and user based on PUID and PGID
+RUN groupadd -g ${PGID} anki && useradd -u ${PUID} -g anki -m anki
+
+# Set ownership of the working directory and data directory to the new user
+RUN chown -R anki:anki /app && chown -R anki:anki /data
+
+# Switch to the non-root user
+USER anki
+
 # Run the script to update the package and start the server
 CMD ["/app/start.sh"]
diff --git a/README.md b/README.md
@@ -15,6 +15,11 @@ The following environmental variables has to be set outside of the container. Fa
 
 - `SYNC_USER1`: The username and password for the first user in the format `user:pass`.
 
+Optionally, the user and group ID can be set to use the docker container in a non-root manner:
+
+- `PUID`: User ID
+- `GID`: Group ID
+
 
 ## Running the Docker Container
 
@@ -26,6 +31,8 @@ docker run \
   --name anki-syncserver \
   -p 8080:8080 \
   -v ./data:/data \
+  -e PUID=$(id -u) \
+  -e PGID=$(id -g) \
   -e SYNC_USER1=user:pass \
   ghcr.io/lorenzschmid/anki-syncserver
 ```
@@ -34,6 +41,8 @@ docker run \
 - `--name`: Assigns a name to the container (`anki-syncserver`).
 - `-p 8080:8080`: Maps port `8080` on the host to port `8080` in the container.
 - `-v ./data:/data`: Mounts the host directory `./data` to the container’s `/data` directory for data persistence.
+- `-e PUID=$(id -u)`: Sets the `PUID` environment variable to the current user ID of the host.
+- `-e PGID=$(id -g)`: Sets the `PGID` environment variable to the current group ID of the host.
 - `-e SYNC_USER1=user:pass`: Sets the `SYNC_USER1` environment variable to configure the sync server’s username and password.
 
 or via docker compose:
@@ -46,7 +55,9 @@ services:
     image: ghcr.io/lorenzschmid/anki-syncserver
     container_name: anki-syncserver
     environment:
-      - SYNC_USER1=user:pass
+      PUID: "${PUID:-1000}"
+      PGID: "${PGID:-1000}"
+      SYNC_USER1: user:pass  # Replace with your desired username:password
     ports:
       - "8080:8080"
     volumes: