From d03888899238c128b81f7f11c0dea3d2c8c2fe7a Mon Sep 17 00:00:00 2001
From: Trent Apple
Date: Wed, 25 Jun 2025 04:49:36 -0500
Subject: [PATCH 1/8] Update Dockerfile for fetch

Initial patch for podman and SELinux contexts.
---
 src/fetch/Dockerfile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/fetch/Dockerfile b/src/fetch/Dockerfile
index 7e8824c471..de03aec62f 100644
--- a/src/fetch/Dockerfile
+++ b/src/fetch/Dockerfile
@@ -12,8 +12,8 @@ ENV UV_LINK_MODE=copy
 
 # Install the project's dependencies using the lockfile and settings
 RUN --mount=type=cache,target=/root/.cache/uv \
- --mount=type=bind,source=uv.lock,target=uv.lock \
- --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+ --mount=type=bind,source=uv.lock,target=uv.lock,Z \
+ --mount=type=bind,source=pyproject.toml,target=pyproject.toml,Z \
 uv sync --frozen --no-install-project --no-dev --no-editable
 
 # Then, add the rest of the project source code and install it
@@ -27,6 +27,9 @@ FROM python:3.12-slim-bookworm
 WORKDIR /app
 
 COPY --from=uv /root/.local /root/.local
+
+# User app does not exist in base image (chown)
+RUN useradd -rUM -s /usr/sbin/nologin app
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Place executables in the environment at the front of the path

From eb7be78494afb7c946a6f768795e9c101e77f1e0 Mon Sep 17 00:00:00 2001
From: Trent Apple
Date: Wed, 25 Jun 2025 04:51:34 -0500
Subject: [PATCH 2/8] Update Dockerfile for time podman and SELinux

---
 src/time/Dockerfile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/time/Dockerfile b/src/time/Dockerfile
index bd62ea84a4..cb7bf2f057 100644
--- a/src/time/Dockerfile
+++ b/src/time/Dockerfile
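Review bot: The bare `Z` appended to both `--mount=type=bind` lines of the first hunk is a podman/buildah-only option; BuildKit (`docker build`) accepts only `key=value` mount fields (plus `ro`/`rw`) and rejects the RUN with a parse error, so after this change the Dockerfile no longer builds with Docker at all. The same edit is made to src/time/Dockerfile in PATCH 2/8 and to src/git/Dockerfile in PATCH 3/8. If both engines are meant to work, the portable route is to drop the bind mounts and `COPY uv.lock pyproject.toml ./` before `uv sync`, which needs no SELinux relabel; if podman is now the only supported builder, state that above the RUN, e.g. `# ,Z relabels the bind source for SELinux; podman/buildah only (BuildKit rejects bare mount flags)`. Note also that `Z` assigns a private, unshared label and, if buildah applies it to the bind source the way it does for run-time volumes, rewrites the label on the lockfiles inside the build context itself, so the shared `z` is likely the less intrusive choice.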
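Review bot: `RUN useradd -rUM -s /usr/sbin/nologin app` in the second hunk lets the base image allocate the UID/GID from its system range, so the numeric owner that the following `COPY --chown=app:app` bakes into the layer can change between base-image rebuilds and cannot be matched by a runtime policy such as Kubernetes `runAsUser`; pin both ids, e.g. `RUN groupadd -r -g 10001 app && useradd -r -u 10001 -g app -M -s /usr/sbin/nologin app` (10001 is a constructed example). The same line is added to src/time/Dockerfile in PATCH 2/8 and to src/git/Dockerfile in PATCH 4/8. The added comment says little about intent; `# python:3.12-slim-bookworm ships no 'app' user; create it so --chown=app:app below resolves` gives the why. Whether a `USER app` follows the chown is outside the hunk, so nothing shown here moves the final stage off root.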
@@ -12,8 +12,8 @@ ENV UV_LINK_MODE=copy
 
 # Install the project's dependencies using the lockfile and settings
 RUN --mount=type=cache,target=/root/.cache/uv \
- --mount=type=bind,source=uv.lock,target=uv.lock \
- --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+ --mount=type=bind,source=uv.lock,target=uv.lock,Z \
+ --mount=type=bind,source=pyproject.toml,target=pyproject.toml,Z \
 uv sync --frozen --no-install-project --no-dev --no-editable
 
 # Then, add the rest of the project source code and install it
@@ -27,6 +27,9 @@ FROM python:3.12-slim-bookworm
 WORKDIR /app
 
 COPY --from=uv /root/.local /root/.local
+
+# User app does not exist in base image (chown)
+RUN useradd -rUM -s /usr/sbin/nologin app
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Place executables in the environment at the front of the path

From a99e293b22e912525af3867f25e101abbd67e4f0 Mon Sep 17 00:00:00 2001
From: Trent Apple
Date: Thu, 26 Jun 2025 17:47:40 -0500
Subject: [PATCH 3/8] Update Dockerfile

---
 src/git/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/git/Dockerfile b/src/git/Dockerfile
index 2746d63419..bfbfbcb4a8 100644
--- a/src/git/Dockerfile
+++ b/src/git/Dockerfile
@@ -12,8 +12,8 @@ ENV UV_LINK_MODE=copy
 
 # Install the project's dependencies using the lockfile and settings
 RUN --mount=type=cache,target=/root/.cache/uv \
- --mount=type=bind,source=uv.lock,target=uv.lock \
- --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+ --mount=type=bind,source=uv.lock,target=uv.lock,Z \
+ --mount=type=bind,source=pyproject.toml,target=pyproject.toml,Z \
 uv sync --frozen --no-install-project --no-dev --no-editable
 
 # Then, add the rest of the project source code and install it

From e5405f61ae0a39466d843ee1f31f1fa74813cad6 Mon Sep 17 00:00:00 2001
From: Trent Apple
Date: Thu, 26 Jun 2025 17:57:47 -0500
Subject: [PATCH 4/8] Also include app user / group (securely) such that the build succeeds

---
 src/git/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/git/Dockerfile b/src/git/Dockerfile
index bfbfbcb4a8..11e9e1a902 100644
--- a/src/git/Dockerfile
+++ b/src/git/Dockerfile
@@ -29,6 +29,9 @@ RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
 WORKDIR /app
 
 COPY --from=uv /root/.local /root/.local
+
+# User app does not exist in base image (chown)
+RUN useradd -rUM -s /usr/sbin/nologin app
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Place executables in the environment at the front of the path

From a54533f1c9b4785dadbe63077199baea114b7885 Mon Sep 17 00:00:00 2001
From: Trent Apple
Date: Thu, 26 Jun 2025 18:20:52 -0500
Subject: [PATCH 5/8] Container app user optional add (#1)

* Update Dockerfile git
* Update Dockerfile fetch
* Update Dockerfile time
---
 src/fetch/Dockerfile | 2 +-
 src/git/Dockerfile | 2 +-
 src/time/Dockerfile | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/fetch/Dockerfile b/src/fetch/Dockerfile
index de03aec62f..45daecc978 100644
--- a/src/fetch/Dockerfile
+++ b/src/fetch/Dockerfile
@@ -29,7 +29,7 @@ WORKDIR /app
 COPY --from=uv /root/.local /root/.local
 
 # User app does not exist in base image (chown)
-RUN useradd -rUM -s /usr/sbin/nologin app
+RUN id -u app &>/dev/null || useradd -rUM -s /usr/sbin/nologin app
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Place executables in the environment at the front of the path
diff --git a/src/git/Dockerfile b/src/git/Dockerfile
index 11e9e1a902..69bd0e2b60 100644
--- a/src/git/Dockerfile
+++ b/src/git/Dockerfile
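Review bot: `RUN id -u app &>/dev/null || useradd …` in the src/fetch/Dockerfile hunk of PATCH 5/8 relies on the bash-only `&>` redirection, but a shell-form RUN runs under `/bin/sh`, which is dash in the python:3.12-slim-bookworm base; dash parses it as `id -u app &` followed by a bare `>/dev/null`, that empty command exits 0, so `useradd` never runs and the following `COPY --chown=app:app` cannot resolve the user. The same line lands in src/git/Dockerfile and src/time/Dockerfile in the two remaining hunks of this patch. The POSIX spelling `id -u app >/dev/null 2>&1` (which PATCH 6/8–8/8 of this series later adopt) or an explicit `SHELL ["/bin/bash", "-c"]` is what this commit needed, and the `(#1)` squash message gives no hint that the guard was inert.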
@@ -31,7 +31,7 @@ WORKDIR /app
 COPY --from=uv /root/.local /root/.local
 
 # User app does not exist in base image (chown)
-RUN useradd -rUM -s /usr/sbin/nologin app
+RUN id -u app &>/dev/null || useradd -rUM -s /usr/sbin/nologin app
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Place executables in the environment at the front of the path
diff --git a/src/time/Dockerfile b/src/time/Dockerfile
index cb7bf2f057..d90235e873 100644
--- a/src/time/Dockerfile
+++ b/src/time/Dockerfile
@@ -29,7 +29,7 @@ WORKDIR /app
 COPY --from=uv /root/.local /root/.local
 
 # User app does not exist in base image (chown)
-RUN useradd -rUM -s /usr/sbin/nologin app
+RUN id -u app &>/dev/null || useradd -rUM -s /usr/sbin/nologin app
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Place executables in the environment at the front of the path

From e0021423fa0d7c96c9bf38fb1abcf9d4d69d67f1 Mon Sep 17 00:00:00 2001
From: Trent Apple
Date: Sat, 28 Jun 2025 02:58:44 -0500
Subject: [PATCH 6/8] Update Dockerfile

---
 src/fetch/Dockerfile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/fetch/Dockerfile b/src/fetch/Dockerfile
index 45daecc978..9a8759ad87 100644
--- a/src/fetch/Dockerfile
+++ b/src/fetch/Dockerfile
@@ -28,8 +28,9 @@ WORKDIR /app
 
 COPY --from=uv /root/.local /root/.local
 
-# User app does not exist in base image (chown)
-RUN id -u app &>/dev/null || useradd -rUM -s /usr/sbin/nologin app
+RUN if ! id -u app >/dev/null 2>&1; then \
+ useradd -rUM -s /usr/sbin/nologin app; \
+ fi
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Place executables in the environment at the front of the path

From d786b9479f377440020b8cd558f43bd2b85d9fa4 Mon Sep 17 00:00:00 2001
From: Trent Apple
Date: Sat, 28 Jun 2025 02:59:12 -0500
Subject: [PATCH 7/8] Update Dockerfile

---
 src/git/Dockerfile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/git/Dockerfile b/src/git/Dockerfile
index 69bd0e2b60..da804f2aa7 100644
--- a/src/git/Dockerfile
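Review bot: The rewrite to `if ! id -u app >/dev/null 2>&1; then … fi` in the PATCH 6/8 hunk for src/fetch/Dockerfile fixes the `&>` bash-ism, but it also deletes the only comment explaining why the user is created at this point; keep a one-line rationale above the RUN, e.g. `# Base image ships no 'app' user; create it (once) so --chown=app:app below resolves`. PATCH 7/8 and PATCH 8/8 make the identical change to src/git/Dockerfile and src/time/Dockerfile. Guarding on `id -u app` also means that if a future base image ships its own `app` account, the build silently adopts that user and whatever UID it carries, which undoes any identity the deployment expects; if the UID matters, an unconditional `useradd --uid …` that fails loudly on a duplicate is the safer contract.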
+++ b/src/git/Dockerfile
@@ -30,8 +30,9 @@ WORKDIR /app
 
 COPY --from=uv /root/.local /root/.local
 
-# User app does not exist in base image (chown)
-RUN id -u app &>/dev/null || useradd -rUM -s /usr/sbin/nologin app
+RUN if ! id -u app >/dev/null 2>&1; then \
+ useradd -rUM -s /usr/sbin/nologin app; \
+ fi
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Place executables in the environment at the front of the path

From d6b637c04982021450dcff1f04642dfe04af9494 Mon Sep 17 00:00:00 2001
From: Trent Apple
Date: Sat, 28 Jun 2025 02:59:51 -0500
Subject: [PATCH 8/8] Update Dockerfile

---
 src/time/Dockerfile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/time/Dockerfile b/src/time/Dockerfile
index d90235e873..cde12b470d 100644
--- a/src/time/Dockerfile
+++ b/src/time/Dockerfile
@@ -28,8 +28,9 @@ WORKDIR /app
 
 COPY --from=uv /root/.local /root/.local
 
-# User app does not exist in base image (chown)
-RUN id -u app &>/dev/null || useradd -rUM -s /usr/sbin/nologin app
+RUN if ! id -u app >/dev/null 2>&1; then \
+ useradd -rUM -s /usr/sbin/nologin app; \
+ fi
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Place executables in the environment at the front of the path