feat: build non-root image variants

.github/workflows/build.yml

@@ -29,14 +29,32 @@ jobs:
             test-files: 'apache-postgres'
             docker-tag: roundcube/roundcubemail:1.6.x-apache,roundcube/roundcubemail:1.6.9-apache,roundcube/roundcubemail:latest-apache,roundcube/roundcubemail:latest
             test-tag: roundcube/roundcubemail:latest-apache
+            target: 'root'
           - variant: 'fpm'
             test-files: 'fpm-postgres'
             docker-tag: roundcube/roundcubemail:1.6.x-fpm,roundcube/roundcubemail:1.6.9-fpm,roundcube/roundcubemail:latest-fpm
             test-tag: roundcube/roundcubemail:latest-fpm
+            target: 'root'
           - variant: 'fpm-alpine'
             test-files: 'fpm-postgres'
             docker-tag: roundcube/roundcubemail:1.6.x-fpm-alpine,roundcube/roundcubemail:1.6.9-fpm-alpine,roundcube/roundcubemail:latest-fpm-alpine
             test-tag: roundcube/roundcubemail:latest-fpm-alpine
+            target: 'root'
+          - variant: 'apache'
+            test-files: 'apache-postgres'
+            docker-tag: roundcube/roundcubemail:1.6.x-apache-nonroot,roundcube/roundcubemail:1.6.9-apache-nonroot,roundcube/roundcubemail:latest-apache-nonroot,roundcube/roundcubemail:latest-nonroot
+            test-tag: roundcube/roundcubemail:latest-apache-nonroot
+            target: 'nonroot'
+          - variant: 'fpm'
+            test-files: 'apache-postgres'
+            docker-tag: roundcube/roundcubemail:1.6.x-fpm-nonroot,roundcube/roundcubemail:1.6.9-fpm-nonroot,roundcube/roundcubemail:latest-fpm-nonroot
+            test-tag: roundcube/roundcubemail:latest-fpm-nonroot
+            target: 'nonroot'
+          - variant: 'fpm-alpine'
+            test-files: 'apache-postgres'
+            docker-tag: roundcube/roundcubemail:1.6.x-fpm-alpine-nonroot,roundcube/roundcubemail:1.6.9-fpm-alpine-nonroot,roundcube/roundcubemail:latest-fpm-alpine-nonroot
+            test-tag: roundcube/roundcubemail:latest-fpm-alpine-nonroot
+            target: 'nonroot'
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -64,6 +82,7 @@ jobs:
           platforms: "linux/arm64,linux/arm/v6,linux/arm/v7,linux/s390x,linux/ppc64le,linux/386,linux/amd64,"
           push: true
           tags: ${{ matrix.docker-tag }}
+          target: ${{ matrix.target }}
           # does not work linux/arm/v5 AND linux/mips64le - composer does not support  mips64le or armv5 nor does the php image support them on the alpine variant
 
       - name: Run tests

.github/workflows/test.yml

@@ -20,12 +20,28 @@ jobs:
           - variant: 'apache'
             test-files: 'apache-postgres'
             docker-tag: roundcube/roundcubemail:test-apache
+            target: 'root'
           - variant: 'fpm'
             test-files: 'fpm-postgres'
             docker-tag: roundcube/roundcubemail:test-fpm
+            target: 'root'
           - variant: 'fpm-alpine'
             test-files: 'fpm-postgres'
             docker-tag: roundcube/roundcubemail:test-fpm-alpine
+            target: 'root'
+          - variant: 'apache'
+            test-files: 'apache-postgres'
+            docker-tag: roundcube/roundcubemail:test-apache-nonroot
+            target: 'nonroot'
+            http-port: '8000'
+          - variant: 'fpm'
+            test-files: 'fpm-postgres'
+            docker-tag: roundcube/roundcubemail:test-fpm-nonroot
+            target: 'nonroot'
+          - variant: 'fpm-alpine'
+            test-files: 'fpm-postgres'
+            docker-tag: roundcube/roundcubemail:test-fpm-alpine-nonroot
+            target: 'nonroot'
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -39,11 +55,12 @@ jobs:
           username: ${{ secrets.DOCKER_PULL_USERNAME }}
           password: ${{ secrets.DOCKER_PULL_PASSWORD }}
 
-      - name: Build image for "${{ matrix.variant }}"
-        run: cd ${{ matrix.variant }} && docker buildx build ./ -t ${{ matrix.docker-tag }}
+      - name: Build image for "${{ matrix.variant }} / ${{ matrix.target }}"
+        run: cd ${{ matrix.variant }} && docker buildx build ./ -t ${{ matrix.docker-tag }} --target ${{ matrix.target }}
       - name: Run tests
         env:
           ROUNDCUBEMAIL_TEST_IMAGE: ${{ matrix.docker-tag }}
+          HTTP_PORT: ${{ matrix.http-port || '80' }}
         run: |
           set -exu;
           for testFile in ${{ join(matrix.test-files, ' ') }};

apache/Dockerfile

@@ -1,4 +1,4 @@
-FROM php:8.1-apache
+FROM php:8.1-apache as root
 LABEL maintainer="Thomas Bruederli <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
 
@@ -113,7 +113,24 @@ RUN set -ex; \
 	rm -rf /usr/src/roundcubemail/installer; \
 	chown -R www-data:www-data /usr/src/roundcubemail/logs; \
 # Create the config dir
-	mkdir -p /var/roundcube/config /var/roundcube/enigma
+	mkdir -p /var/roundcube/config /var/roundcube/enigma; \
+	chown -R www-data:www-data /var/roundcube; \
+	chmod +t /var/roundcube
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["apache2-foreground"]
+
+
+#### non-root stage
+
+FROM root as nonroot
+
+# Prepare locale config for locale-gen
+RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen; \
+	/usr/sbin/locale-gen
+
+RUN sed -i 's/^Listen 80$/Listen 8000/' /etc/apache2/ports.conf
+
+EXPOSE 8000
+
+USER 33:33

apache/docker-entrypoint.sh

@@ -189,9 +189,8 @@ if  [[ "$1" == apache2* || "$1" == php-fpm || "$1" == bin* ]]; then
 
   : "${ROUNDCUBEMAIL_LOCALE:=en_US.UTF-8 UTF-8}"
 
-  if [ -e /usr/sbin/locale-gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
-    echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen
-    /usr/sbin/locale-gen
+  if [ -e /usr/sbin/locale-gen ] && [ ! -f /etc/locale.gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
+    echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen && /usr/sbin/locale-gen
   fi
 
   if [ ! -z "${ROUNDCUBEMAIL_ASPELL_DICTS}" ]; then

apache/nonroot-add.txt

@@ -0,0 +1,3 @@
+RUN sed -i 's/^Listen 80$/Listen 8000/' /etc/apache2/ports.conf
+
+EXPOSE 8000

fpm-alpine/Dockerfile

@@ -1,4 +1,4 @@
-FROM php:8.1-fpm-alpine
+FROM php:8.1-fpm-alpine as root
 LABEL maintainer="Thomas Bruederli <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
 
@@ -107,7 +107,16 @@ RUN set -ex; \
 	rm -rf /usr/src/roundcubemail/installer; \
 	chown -R www-data:www-data /usr/src/roundcubemail/logs; \
 # Create the config dir
-	mkdir -p /var/roundcube/config /var/roundcube/enigma
+	mkdir -p /var/roundcube/config /var/roundcube/enigma; \
+	chown -R www-data:www-data /var/roundcube; \
+	chmod +t /var/roundcube
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["php-fpm"]
+
+
+#### non-root stage
+
+FROM root as nonroot
+
+USER 82:82

fpm-alpine/docker-entrypoint.sh

@@ -189,9 +189,8 @@ if  [[ "$1" == apache2* || "$1" == php-fpm || "$1" == bin* ]]; then
 
   : "${ROUNDCUBEMAIL_LOCALE:=en_US.UTF-8 UTF-8}"
 
-  if [ -e /usr/sbin/locale-gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
-    echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen
-    /usr/sbin/locale-gen
+  if [ -e /usr/sbin/locale-gen ] && [ ! -f /etc/locale.gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
+    echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen && /usr/sbin/locale-gen
   fi
 
   if [ ! -z "${ROUNDCUBEMAIL_ASPELL_DICTS}" ]; then

fpm/Dockerfile

@@ -1,4 +1,4 @@
-FROM php:8.1-fpm
+FROM php:8.1-fpm as root
 LABEL maintainer="Thomas Bruederli <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
 
@@ -113,7 +113,20 @@ RUN set -ex; \
 	rm -rf /usr/src/roundcubemail/installer; \
 	chown -R www-data:www-data /usr/src/roundcubemail/logs; \
 # Create the config dir
-	mkdir -p /var/roundcube/config /var/roundcube/enigma
+	mkdir -p /var/roundcube/config /var/roundcube/enigma; \
+	chown -R www-data:www-data /var/roundcube; \
+	chmod +t /var/roundcube
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["php-fpm"]
+
+
+#### non-root stage
+
+FROM root as nonroot
+
+# Prepare locale config for locale-gen
+RUN	echo "en_US.UTF-8 UTF-8" > /etc/locale.gen; \
+	/usr/sbin/locale-gen
+
+USER 33:33

fpm/docker-entrypoint.sh

@@ -189,9 +189,8 @@ if  [[ "$1" == apache2* || "$1" == php-fpm || "$1" == bin* ]]; then
 
   : "${ROUNDCUBEMAIL_LOCALE:=en_US.UTF-8 UTF-8}"
 
-  if [ -e /usr/sbin/locale-gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
-    echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen
-    /usr/sbin/locale-gen
+  if [ -e /usr/sbin/locale-gen ] && [ ! -f /etc/locale.gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
+    echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen && /usr/sbin/locale-gen
   fi
 
   if [ ! -z "${ROUNDCUBEMAIL_ASPELL_DICTS}" ]; then

templates/Dockerfile-alpine.templ

@@ -1,4 +1,4 @@
-FROM php:8.1-%%VARIANT%%
+FROM php:8.1-%%VARIANT%% as root
 LABEL maintainer="Thomas Bruederli <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
 
@@ -107,7 +107,16 @@ RUN set -ex; \
 	rm -rf /usr/src/roundcubemail/installer; \
 	chown -R www-data:www-data /usr/src/roundcubemail/logs; \
 # Create the config dir
-	mkdir -p /var/roundcube/config /var/roundcube/enigma
+	mkdir -p /var/roundcube/config /var/roundcube/enigma; \
+	chown -R www-data:www-data /var/roundcube; \
+	chmod +t /var/roundcube
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["%%CMD%%"]
+
+
+#### non-root stage
+
+FROM root as nonroot
+
+USER 82:82

templates/Dockerfile-debian.templ

@@ -1,4 +1,4 @@
-FROM php:8.1-%%VARIANT%%
+FROM php:8.1-%%VARIANT%% as root
 LABEL maintainer="Thomas Bruederli <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemail-docker"
 
@@ -113,7 +113,22 @@ RUN set -ex; \
 	rm -rf /usr/src/roundcubemail/installer; \
 	chown -R www-data:www-data /usr/src/roundcubemail/logs; \
 # Create the config dir
-	mkdir -p /var/roundcube/config /var/roundcube/enigma
+	mkdir -p /var/roundcube/config /var/roundcube/enigma; \
+	chown -R www-data:www-data /var/roundcube; \
+	chmod +t /var/roundcube
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["%%CMD%%"]
+
+
+#### non-root stage
+
+FROM root as nonroot
+
+# Prepare locale config for locale-gen
+RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen; \
+	/usr/sbin/locale-gen
+
+%%NONROOT_ADD%%
+
+USER 33:33

templates/docker-entrypoint.sh

@@ -189,9 +189,8 @@ if  [[ "$1" == apache2* || "$1" == php-fpm || "$1" == bin* ]]; then
 
   : "${ROUNDCUBEMAIL_LOCALE:=en_US.UTF-8 UTF-8}"
 
-  if [ -e /usr/sbin/locale-gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
-    echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen
-    /usr/sbin/locale-gen
+  if [ -e /usr/sbin/locale-gen ] && [ ! -f /etc/locale.gen ] && [ ! -z "${ROUNDCUBEMAIL_LOCALE}" ]; then
+    echo "${ROUNDCUBEMAIL_LOCALE}" > /etc/locale.gen && /usr/sbin/locale-gen
   fi
 
   if [ ! -z "${ROUNDCUBEMAIL_ASPELL_DICTS}" ]; then

tests/docker-compose.test-apache-postgres.yml

@@ -3,9 +3,11 @@ version: "2"
 services:
   roundcubemail:
     image: ${ROUNDCUBEMAIL_TEST_IMAGE:-roundcube/roundcubemail:latest-apache}
+    ports:
+      - 80:${HTTP_PORT:-80}
     healthcheck:
       # To make it obvious in logs "ping=ping" is added
-      test: ["CMD", "curl", "--fail", "http://localhost/?ping=ping"]
+      test: ["CMD", "curl", "--fail", "http://localhost:${HTTP_PORT:-80}/?ping=ping"]
       interval: 2s
       timeout: 3s
       retries: 30

update.sh

@@ -31,6 +31,12 @@ for variant in apache fpm fpm-alpine; do
 		s/%%CMD%%/'"${CMD[$variant]}"'/;
 	' $template | tr '¬' '\n' > "$dir/Dockerfile"
 
+	if [[ -f "$dir/nonroot-add.txt" ]]; then
+		sed -i -e '/%%NONROOT_ADD%%/ {' -e 'r '"$dir/nonroot-add.txt" -e 'd' -e '}' $dir/Dockerfile
+	else
+		sed -i 's/%%NONROOT_ADD%%//' $dir/Dockerfile
+	fi
+
 	echo "✓ Wrote $dir/Dockerfile"
 done