Add support for running Docker container as non-root user using docker-entrypoint.sh

[lmmendes]

EDIT: Renamed UID and GID to PUID and PGID, noticed that this was a convention used in another projects, and make sense since its "process" ID and process Group ID.

This pull request introduces a new feature that allows running the listmonk Docker container as a non-root user by specifying the PUID and PGID through environment variables.

This pull-request ensures backwards compatibility and super seeds pull-request #1891

Changes

Added a new script as the Docker entrypoint to handle user and group setup docker-entrypoint.sh with the added behavior:

• If the user does not supply PUID and PGID, the container runs as root.
• If the user supplies PUID and/or PGID, the script:
  • Creates the appropriate group and user if they do not already exist.
  • Applies the specified PUID and PGID.
  • Changes the ownership of the /listmonk directory to the specified user and group.

When the Docker image runs, it displays the PUID, PGID, USERNAME, and GROUP NAME that the Docker container is using.

docker run -e PUID=1001 -e PGID=1001 c1db2101ad2e
Launching listmonk with user=[app] group=[app] uid=[1001] gid=[1001]

Advantages

• Improved Security: Running containers as non-root users reduces the potential impact of security vulnerabilities. It limits the access permissions of the container, minimizing the risk of privilege escalation attacks.
• Compliance: Many security guidelines, best practices and bigger organizations don't allow running applications as the root user. This change helps in complying with such security standards.

Usage

Docker

docker run -e PUID=1001 -e PGID=1001 listmonk/listmonk

Kubernetes

apiVersion: v1
kind: Pod
metadata:
  name: listmonk
spec:
  containers:
  - name: listmonk
    image: listmonk/listmonk
    env:
    - name: PUID
      value: "1001"
    - name: PGID
      value: "1001"
    securityContext:
      runAsUser: 1001
      runAsGroup: 1001

Implementation notes

If user doesn't supply a PGID and PUID the docker-entrypoint.sh assumes the root user keeping the legacy implementation working as expected.

docker run listmonk/listmonk
Launching listmonk with user=[root] group=[root] uid=[0] gid=[0]

If the user specifies PUID and PGID that don't exist inside the /etc/passwd/ and /etc/groups the docker-entrypoint.sh creates the proper id's in this case PUID=1001 and PGID=1001 and assigned the user name app and group name app as default.

docker run -e PUID=1001 -e PGID=1001 listmonk/listmonk
Launching listmonk with user=[app] group=[app] uid=[1001] gid=[1001]

If the user supplies PUID and PGID that exist inside the /etc/passwd and /etc/groups the docker-entrypoint.sh respects the choose user id and groups and doesn't create them since they already exists but assume them.

docker run -e PUID=22 -e PGID=65534 listmonk/listmonk
Launching listmonk with user=[sshd] group=[nobody] uid=[22] gid=[65534]

This is an ls -la of the docker container we we can see that the last step of the script is applying to the /listmonk folder the appropriate user and permissions as specified by the PUID=22 and PGID=65534:

docker run -ti --rm  -e PUID=22 -e PGID=65534 listmonk/listmonk
Launching listmonk with user=[sshd] group=[nobody] uid=[22] gid=[65534]
/listmonk $ ls -la
total 17436
drwxr-xr-x    1 sshd     nobody        4096 Jun 10 16:00 .
drwxr-xr-x    1 root     root          4096 Jun 10 16:27 ..
-rw-r--r--    1 sshd     nobody         270 Jun  6 17:37 config-demo.toml
-rw-r--r--    1 sshd     nobody        1029 Jun  6 17:37 config.toml
-rwxr-xr-x    1 sshd     nobody    17833192 Jun 10 16:00 listmonk

[knadh]

@mr-karan could you please help review this?

[mr-karan]

Looks good! This is backward compatible as well, since existing setups will have UID/GID as 0. Just a note on added deps:

• shadow is required for adduser / groupadd
• su-exec to run this as a different user context.

Overall LGTM 👍 @lmmendes

[gonmmarques]

I was also looking forward to having this, thanks @lmmendes.

[knadh]

Thanks @lmmendes. If you could resolve the merge conflict, we could merge this PR.

[lmmendes]

@knadh Will have it fixed until end of the day.

[lmmendes]

@knadh merge conflicts are fixed as requested.

I did a small change to the pull-request to make things clear, ended up renaming UID and GID to PUID and PGID, the impact to existing users is none, since this change is part of this existing feature.