Container image cannot start rootless #528

@lesinigo

Description

If the container image from docker.io/hemmeligapp/hemmelig:v7.4.8 is run with tight rootless settings in Kubernetes, it fails to start due to how the entrypoint script works.

The container logs something about gosu failing to switch to the app user and exits.

Kubernetes container config snippet:

    spec:
      containers:
        - name: hemmelig
          image: docker.io/hemmeligapp/hemmelig:v7.4.8
          securityContext:
            runAsNonRoot: true
            runAsUser: 999
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}

Successful workaround: override the entrypoint to skip operations that require root privileges and directly start unprivileged. Working Kubernetes container config snippet for a Deployment, StatefulSet or similar:

    spec:
      containers:
        - name: hemmelig
          image: docker.io/hemmeligapp/hemmelig:v7.4.8
          command: ["/bin/sh", "-c"]
          args: ["npx prisma migrate deploy && exec npx tsx server.ts"]
          securityContext:
            runAsNonRoot: true
            runAsUser: 999
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}

IMHO correct fix would be:

  • drop chown and gosu from the entrypoint, container images should not require starting as root to try fixing operator errors
  • add USER: app near the end of the Dockerfile so it starts rootless by default

Screenshots

No response

Additional information

No response
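A rootless entrypoint along the lines the issue proposes, as an added example that is not the project's script: it never chowns or calls gosu, and when it cannot start it reports why instead of trying to fix ownership with root privileges. The data directory default and the `HEMMELIG_*` variables are assumptions; the start command is the one from the workaround above.

```shell
#!/bin/sh
# Added example entrypoint, not the project's script: no chown, no gosu, so it
# works under runAsNonRoot with all capabilities dropped. DATA_DIR default and
# the HEMMELIG_* variables are assumptions; the start command comes from the
# issue's workaround.
set -eu

DATA_DIR="${HEMMELIG_DATA_DIR:-/var/lib/hemmelig}"   # assumed location

# Return 0 when the current uid can create files in DIR, 1 otherwise.
# A real write probe is used because "-w" is unreliable with ACLs and
# read-only volume mounts.
dir_writable() {
    probe="$1/.entrypoint-probe.$$"
    [ -d "$1" ] && : > "$probe" 2>/dev/null && rm -f "$probe"
}

# Return 0 when running as a non-root user, 1 when the uid is 0.
is_unprivileged() {
    [ "$(id -u)" -ne 0 ]
}

# Verify the preconditions and return 0 when the app may start; each failure
# gets an operator-facing diagnostic rather than a privileged "repair".
preflight() {
    ok=0
    if ! is_unprivileged; then
        echo "entrypoint: running as root; set USER in the image or runAsUser" >&2
        ok=1
    fi
    if ! dir_writable "$DATA_DIR"; then
        echo "entrypoint: $DATA_DIR is not writable by uid $(id -u);" \
             "fix volume ownership or set fsGroup in the pod securityContext" >&2
        ok=1
    fi
    return $ok
}

main() {
    preflight
    npx prisma migrate deploy
    exec npx tsx server.ts
}

# Only launch the server when explicitly asked, so the functions above can be
# sourced or tested without starting the application.
if [ "${HEMMELIG_ENTRYPOINT_START:-0}" = 1 ]; then
    main "$@"
fi
```

The pod snippet from the workaround can then keep `runAsNonRoot`, `runAsUser` and `capabilities: {drop: ["ALL"]}` unchanged, with a `fsGroup` added only if the persistent volume is not already owned by the app uid.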

Labels

bug (Something isn't working)