Docker image should run non-root (#153)

Changed the Dockerfile so that there is a Inbucket user (and group). This will allow the container to be executed a the Inbucket user in stead of ROOT (security best practices) If the user wants to use a different greeting.html file he can use the environment variable to define a different one. For now we just use the greeting.html from the defaults directory. * Permissions for /start-inbucket.sh file * Added timezone data so you can set the timezone in the image * Updated Docker greeting.html file to include some basic instructions * Updated to alpine 3.11 * Updated to golang 1.14 * Updated the required packages
2025-12-17 17:47:03 +00:00 · 2020-06-26 17:38:27 +02:00
parent 62dd540be5
commit 3372ade61b
3 changed files with 33 additions and 25 deletions
--- a/7
+++ b/7
@@ -25,6 +25,7 @@ RUN npm run build

 # Run in minimal image
 FROM alpine:3.11
+RUN apk --no-cache add tzdata
 WORKDIR /opt/inbucket
 RUN mkdir bin defaults ui
 COPY --from=builder /build/inbucket bin
@@ -36,7 +37,7 @@ COPY etc/docker/defaults/start-inbucket.sh /
 ENV INBUCKET_SMTP_DISCARDDOMAINS bitbucket.local
 ENV INBUCKET_SMTP_TIMEOUT 30s
 ENV INBUCKET_POP3_TIMEOUT 30s
-ENV INBUCKET_WEB_GREETINGFILE /config/greeting.html
+ENV INBUCKET_WEB_GREETINGFILE /opt/inbucket/defaults/greeting.html
 ENV INBUCKET_WEB_COOKIEAUTHKEY secret-inbucket-session-cookie-key
 ENV INBUCKET_WEB_UIDIR=ui
 ENV INBUCKET_STORAGE_TYPE file
@@ -54,5 +55,9 @@ EXPOSE 2500 9000 1100
 VOLUME /config
 VOLUME /storage

+RUN addgroup -g 1000 inbucket && adduser -G inbucket -u 1000 -D inbucket && chown -R inbucket:inbucket /opt/inbucket/ && chmod 774 /opt/inbucket/ -R && chown /start-inbucket.sh && chmod +x /start-inbucket.sh
+
+USER inbucket
+
 ENTRYPOINT ["/start-inbucket.sh"]
 CMD ["-logjson"]
--- a/etc/docker/defaults/greeting.html
+++ b/etc/docker/defaults/greeting.html
@@ -1,17 +1,35 @@
 <h1>Welcome to Inbucket</h1>

 <p>Inbucket is an email testing service; it will accept email for any email
-address and make it available to view without a password.</p>
+    address and make it available to view without a password.
+</p>

 <p>To view messages for a particular address, enter the username portion
-of the address into the box on the upper right and click <em>View</em>.</p>
+    of the address into the box on the upper right and click <em>View</em>.
+</p>

 <p>This instance of Inbucket is running inside of a <a
      href="https://www.docker.com/" target="_blank">Docker</a> container.  It is
-configured to retain messages for a maximum of 3 days, and will enforce a limit
-of 300 messages per mailbox - the oldest messages will be deleted to stay under
-that limit.</p>
+    configured to retain messages for a maximum of 3 days, and </br>
+    will enforce a limit of 300 messages per mailbox - the oldest messages will
+    be deleted to stay under that limit.
+</p>

-<p>Messages addressed to any recipient in the <code>@bitbucket.local</code>
-domain will be accepted but not written to disk.  Use this domain for load or
-soak testing your application.</p>
+<p>
+    Messages addressed to any recipient in the <code>@bitbucket.local</code>
+    domain will be accepted but not written to disk. </br>Use this domain for load or
+    soak testing your application.
+</p>
+
+<p> You can modify this greetings page by changing the Docker environment variable
+    'INBUCKET_WEB_GREETINGFILE' </br>to point to a different greetings.html. If for
+    example you have a greetings file on your local machine and want to mount that
+    you could </br>that file using the docker '--volume' parameter to add your local
+    greetings.html file to the directory '/custom/greetings.html'. </br>You will then
+    set the environment variable INBUCKET_WEB_GREETINGFILE to
+    '/custom/greetings.html'. </br>Your customized file will then be loaded after you
+    start the Docker container.</p>
+<p>
+    This exact greetings file can be found at:
+    https://github.com/inbucket/inbucket/blob/master/etc/docker/defaults/greeting.html.
+</p>
--- a/etc/docker/defaults/start-inbucket.sh
+++ b/etc/docker/defaults/start-inbucket.sh
@@ -3,22 +3,7 @@
 # description: start inbucket (runs within a docker container)

 INBUCKET_HOME="/opt/inbucket"
-CONF_SOURCE="$INBUCKET_HOME/defaults"
-CONF_TARGET="/config"

 set -eo pipefail

-install_default_config() {
-  local file="$1"
-  local source="$CONF_SOURCE/$file"
-  local target="$CONF_TARGET/$file"
-
-  if [ ! -e "$target" ]; then
-    echo "Installing default $file to $CONF_TARGET"
-    install "$source" "$target"
-  fi
-}
-
-install_default_config "greeting.html"
-
 exec "$INBUCKET_HOME/bin/inbucket" $*