From 6da77d83a1df4ad7cf7687dc5a802a5e0ee46c88 Mon Sep 17 00:00:00 2001
From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
Date: Fri, 1 Mar 2024 14:58:42 +0100
Subject: [PATCH 1/5] chore: Specify uid for consistent uids over images
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1d1bc1b900..2a1a749a3d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -143,7 +143,7 @@ HEALTHCHECK --interval=5m --timeout=3s \
 # Set up the 'atlantis' user and adjust permissions
 RUN addgroup atlantis && \
- adduser -S -G atlantis atlantis && \
+ adduser -u 1000 -S -G atlantis atlantis && \
 chown atlantis:root /home/atlantis/ && \
 chmod u+rwx /home/atlantis/
@@ -183,7 +183,7 @@ HEALTHCHECK --interval=5m --timeout=3s \
 CMD curl -f http://localhost:${ATLANTIS_PORT:-4141}/healthz || exit 1
 # Set up the 'atlantis' user and adjust permissions
-RUN useradd --create-home --user-group --shell /bin/bash atlantis && \
+RUN useradd --uid 1000 --create-home --user-group --shell /bin/bash atlantis && \
 chown atlantis:root /home/atlantis/ && \
 chmod u+rwx /home/atlantis/
From 2bab703fec505c42f02b9e7dc7d2e01a54fc6217 Mon Sep 17 00:00:00 2001
From: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
Date: Fri, 1 Mar 2024 15:32:48 +0100
Subject: [PATCH 2/5] chore: Make Atlantis system user on Debian
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 2a1a749a3d..6cacdf1a10 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -183,7 +183,7 @@ HEALTHCHECK --interval=5m --timeout=3s \
 CMD curl -f http://localhost:${ATLANTIS_PORT:-4141}/healthz || exit 1
 # Set up the 'atlantis' user and adjust permissions
-RUN useradd --uid 1000 --create-home --user-group --shell /bin/bash atlantis && \
+RUN useradd --uid 1000 --system --create-home --user-group --shell /bin/bash atlantis && \
 chown atlantis:root /home/atlantis/ && \
 chmod u+rwx /home/atlantis/
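Review bot: The pinned value is the whole point of this commit, yet neither hunk records why `1000` was chosen, so the only explanation lives in the commit subject; whoever next touches `adduser -u 1000` at @@ -143 or `useradd --uid 1000` at @@ -183 gets no hint that the two stages must agree. A one-line comment above each RUN would carry it: `# uid pinned to 1000 so the 'atlantis' account is numerically identical in the alpine and debian images`. Only the uid is pinned here; the group id is still whatever `addgroup` and `--user-group` allocate, so ownership is consistent across images for the user part only, which is worth stating in the same comment.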
From 55691cfdf983b1ab130e57699d88d7337217e295 Mon Sep 17 00:00:00 2001
From: kvanzuijlen <8818390+kvanzuijlen@users.noreply.github.com>
Date: Fri, 1 Mar 2024 20:03:31 +0100
Subject: [PATCH 3/5] chore: Changed uid to 100
---
 Dockerfile | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6cacdf1a10..661db33008 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -43,6 +43,11 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 FROM debian:${DEBIAN_TAG} as debian-base
+# Set up the 'atlantis' user and adjust permissions
+RUN useradd --uid 100 --system --create-home --user-group --shell /bin/bash atlantis && \
+ chown atlantis:root /home/atlantis/ && \
+ chmod u+rwx /home/atlantis/
+
 # Install packages needed to run Atlantis.
 # We place this last as it will bust less docker layer caches when packages update
 # hadolint ignore explanation
@@ -143,7 +148,7 @@ HEALTHCHECK --interval=5m --timeout=3s \
 # Set up the 'atlantis' user and adjust permissions
 RUN addgroup atlantis && \
- adduser -u 1000 -S -G atlantis atlantis && \
+ adduser -u 100 -S -G atlantis atlantis && \
 chown atlantis:root /home/atlantis/ && \
 chmod u+rwx /home/atlantis/
@@ -168,7 +173,6 @@ RUN apk add --no-cache \
 dumb-init~=1 \
 gcompat~=1
-
 # Set the entry point to the atlantis user and run the atlantis command
 USER atlantis
 ENTRYPOINT ["docker-entrypoint.sh"]
@@ -182,11 +186,6 @@ EXPOSE ${ATLANTIS_PORT:-4141}
 HEALTHCHECK --interval=5m --timeout=3s \
 CMD curl -f http://localhost:${ATLANTIS_PORT:-4141}/healthz || exit 1
-# Set up the 'atlantis' user and adjust permissions
-RUN useradd --uid 1000 --system --create-home --user-group --shell /bin/bash atlantis && \
- chown atlantis:root /home/atlantis/ && \
- chmod u+rwx /home/atlantis/
-
 # copy atlantis binary
 COPY --from=builder /app/atlantis /usr/local/bin/atlantis
 # copy terraform binaries
From a1d739c06abb1ed981fbd00d3958cb713392c351 Mon Sep 17 00:00:00 2001
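Review bot: In the @@ -43 hunk, `useradd --uid 100` picks the lowest value of Debian's system-account range, and whether that id is free depends entirely on the `DEBIAN_TAG` base image; as far as I recall, older Debian releases hand uid 100 to the `_apt` account from a package postinst, in which case `useradd` aborts with a non-unique UID error. That is the safe failure mode, but nothing in the Dockerfile says the value is deliberate, so a maintainer who bumps the tag and sees the build fail has no pointer to this line. A comment above the RUN would cover it: `# uid 100 is the lowest system uid on Debian; it must still be unallocated in the ${DEBIAN_TAG} base image (useradd fails otherwise)`. The same value is used by `adduser -u 100 -S` in the alpine stage at @@ -143, which deserves the same note since Alpine's busybox adduser does not check the Debian range at all.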
From: kvanzuijlen <8818390+kvanzuijlen@users.noreply.github.com>
Date: Mon, 11 Mar 2024 14:57:16 +0100
Subject: [PATCH 4/5] chore: Added another user with uid 1000
---
 Dockerfile | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 661db33008..fc078ea62a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,12 +41,13 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 --mount=type=cache,target=/root/.cache/go-build \
 CGO_ENABLED=0 go build -trimpath -ldflags "-s -w -X 'main.version=${ATLANTIS_VERSION}' -X 'main.commit=${ATLANTIS_COMMIT}' -X 'main.date=${ATLANTIS_DATE}'" -v -o atlantis .
-FROM debian:${DEBIAN_TAG} as debian-base
+FROM debian:${DEBIAN_TAG} AS debian-base
-# Set up the 'atlantis' user and adjust permissions
+# Set up the 'atlantis' user and adjust permissions. User with uid 1000 is for backwards compatibility
 RUN useradd --uid 100 --system --create-home --user-group --shell /bin/bash atlantis && \
- chown atlantis:root /home/atlantis/ && \
- chmod u+rwx /home/atlantis/
+ useradd --uid 1000 --system --home=/home/atlantis/ --groups atlantis --shell /bin/bash atlantis2 && \
+ chown atlantis:atlantis /home/atlantis/ && \
+ chmod ug+rwx /home/atlantis/
 # Install packages needed to run Atlantis.
 # We place this last as it will bust less docker layer caches when packages update
@@ -66,7 +67,7 @@ RUN apt-get update && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
-FROM debian-base as deps
+FROM debian-base AS deps
 # Get the architecture the image is being built for
 ARG TARGETPLATFORM
From 3a8196bba05a5a86b7ac0dd3e6e5d756eb7029b2 Mon Sep 17 00:00:00 2001
From: kvanzuijlen <8818390+kvanzuijlen@users.noreply.github.com>
Date: Tue, 2 Apr 2024 21:55:42 +0200
Subject: [PATCH 5/5] chore: Pinned gid as well
---
 Dockerfile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1b53e8a221..cc6ab75180 100644
--- a/Dockerfile
+++ b/Dockerfile
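Review bot: The new `atlantis2` account in the @@ -41 hunk shares `/home/atlantis/` with `atlantis`, and the same RUN makes that home group-writable (`chmod ug+rwx`), so code running under either uid, or as any member of the `atlantis` group, can rewrite the other account's dotfiles and tool configuration under that home; two identities now sit behind one writable home. If the compat uid exists only so files presumably left by earlier images under uid 1000 stay accessible and nothing is meant to run as it, `--shell /usr/sbin/nologin` instead of `--shell /bin/bash` keeps it from doubling as a login identity; if processes do run as it, the shared writable home is the price of compatibility and the comment should say so. The new comment line should also spell out what "backwards compatibility" means, e.g. `# atlantis2 (uid 1000) exists only so data created by earlier images, which used uid 1000, remains readable and writable; it is not a separate identity`. The @@ -66 hunk is a keyword-case change and needs nothing.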
@@ -47,8 +47,9 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 FROM debian:${DEBIAN_TAG} AS debian-base
 # Set up the 'atlantis' user and adjust permissions. User with uid 1000 is for backwards compatibility
-RUN useradd --uid 100 --system --create-home --user-group --shell /bin/bash atlantis && \
- useradd --uid 1000 --system --home=/home/atlantis/ --groups atlantis --shell /bin/bash atlantis2 && \
+RUN groupadd --gid 1000 atlantis && \
+ useradd --uid 100 --system --create-home --gid 1000 --shell /bin/bash atlantis && \
+ useradd --uid 1000 --system --home=/home/atlantis/ --gid 1000 --shell /bin/bash atlantis2 && \
 chown atlantis:atlantis /home/atlantis/ && \
 chmod ug+rwx /home/atlantis/
@@ -145,7 +146,7 @@ HEALTHCHECK --interval=5m --timeout=3s \
 CMD curl -f http://localhost:${ATLANTIS_PORT:-4141}/healthz || exit 1
 # Set up the 'atlantis' user and adjust permissions
-RUN addgroup atlantis && \
+RUN addgroup --gid 1000 atlantis && \
 adduser -u 100 -S -G atlantis atlantis && \
 chown atlantis:root /home/atlantis/ && \
 chmod u+rwx /home/atlantis/
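Review bot: The comment above the RUN in the @@ -47 hunk still says only the uid-1000 account is there for backwards compatibility, while the hunk now also fixes the group at gid 1000 and makes it the primary group of both `atlantis` and `atlantis2`; a reader cannot tell whether 1000 for the gid is itself a compatibility value or just a convenient match for the uid. Extending the comment settles it, e.g. `# gid 1000 is pinned for the same reason as uid 1000: data written by earlier images must stay group-accessible` (adjust if the reason differs). It is also worth a word that `groupadd --gid 1000` creates a regular, non-system group that both `--system` accounts join, since the `--system` flags next to it suggest otherwise.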
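Review bot: In the @@ -145 hunk, `addgroup --gid 1000 atlantis` introduces a long option into a RUN whose `adduser` line keeps busybox's short forms (`-u 100 -S -G`); the short spelling `RUN addgroup -g 1000 atlantis && \` is the one busybox's usage text lists and matches the next line. Alpine's busybox is, as far as I know, built with long-option support, so `--gid` should be accepted, which makes this a consistency point rather than a build failure, but the short form removes the dependency on that build option.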