Docker image should run non-root (#153)

Changed the Dockerfile so that there is a Inbucket user (and group). This will allow the container to be executed a the Inbucket user in stead of ROOT (security best practices) If the user wants to use a different greeting.html file he can use the environment variable to define a different one. For now we just use the greeting.html from the defaults directory. * Permissions for /start-inbucket.sh file * Added timezone data so you can set the timezone in the image * Updated Docker greeting.html file to include some basic instructions * Updated to alpine 3.11 * Updated to golang 1.14 * Updated the required packages
2025-12-17 09:37:02 +00:00 · 2020-06-26 17:38:27 +02:00
parent 62dd540be5
commit 3372ade61b
3 changed files with 33 additions and 25 deletions
--- a/7
+++ b/7
@@ -25,6 +25,7 @@ RUN npm run build

 # Run in minimal image
 FROM alpine:3.11
+RUN apk --no-cache add tzdata
 WORKDIR /opt/inbucket
 RUN mkdir bin defaults ui
 COPY --from=builder /build/inbucket bin
@@ -36,7 +37,7 @@ COPY etc/docker/defaults/start-inbucket.sh /
 ENV INBUCKET_SMTP_DISCARDDOMAINS bitbucket.local
 ENV INBUCKET_SMTP_TIMEOUT 30s
 ENV INBUCKET_POP3_TIMEOUT 30s
-ENV INBUCKET_WEB_GREETINGFILE /config/greeting.html
+ENV INBUCKET_WEB_GREETINGFILE /opt/inbucket/defaults/greeting.html
 ENV INBUCKET_WEB_COOKIEAUTHKEY secret-inbucket-session-cookie-key
 ENV INBUCKET_WEB_UIDIR=ui
 ENV INBUCKET_STORAGE_TYPE file
@@ -54,5 +55,9 @@ EXPOSE 2500 9000 1100
 VOLUME /config
 VOLUME /storage

+RUN addgroup -g 1000 inbucket && adduser -G inbucket -u 1000 -D inbucket && chown -R inbucket:inbucket /opt/inbucket/ && chmod 774 /opt/inbucket/ -R && chown /start-inbucket.sh && chmod +x /start-inbucket.sh
+
+USER inbucket
+
 ENTRYPOINT ["/start-inbucket.sh"]
 CMD ["-logjson"]