Merge pull request #755 from Sedetius/rootles-docker

kelson42 · web-flow · commit 90f456240873 · 2025-09-28T17:30:36.000+02:00
[Docker] kiwix-serve image to use unprivileged user
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,5 +1,5 @@
 FROM alpine:3.18
-LABEL org.opencontainers.image.source https://github.com/openzim/kiwix-tools
+LABEL org.opencontainers.image.source=https://github.com/openzim/kiwix-tools
 
 # TARGETPLATFORM is injected by docker build
 ARG TARGETPLATFORM
diff --git a/docker/server/Dockerfile b/docker/server/Dockerfile
@@ -2,13 +2,17 @@ ARG VERSION=latest
 
 # kiwix-tools is multi-arch
 FROM ghcr.io/kiwix/kiwix-tools:$VERSION
-LABEL org.opencontainers.image.source https://github.com/openzim/kiwix-tools
+LABEL org.opencontainers.image.source=https://github.com/openzim/kiwix-tools
 
 # expose kiwix-serve default port and workdir
 EXPOSE 8080
 VOLUME /data
 WORKDIR /data
 
+# running as a named unprivileged user
+RUN addgroup -S user && adduser -S user -G user
+USER user
+
 COPY ./start.sh /usr/local/bin/
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/start.sh"]
