User:Group

[modem7]

Would there be a way to implement a variable for User:Group rather than listing it in the docker run command?

Right now, all downloads save as root, and it might be worthwhile seeing if there's a way to make the container run as non-root + a variable to set what user it saves files as.

Currently, I'm running:
docker run --user 1000:997 --volume /my/backup/path/GitBackup:/backups ghcr.io/chappio/git-backup

This would not only secure the container by running it as non-root, but also allow for users to define a specific user + group to allow for easier data management.

I suspect that it might be doable by setting the dockerfile to have a USER value, and a ENV value, e.g.:

ENV UID=1000 \
    PID=1000 \

COPY --chown=$UID:$PID=${TARGETPLATFORM}/git-backup / #COPY is a better choice than ADD in this scenario

RUN chmod +x /git-backup

USER $UID:$PID

The above is totally untested.

[ChappIO]

It’s a bit more involved but possible. What’s wrong with the built in —user flag? Does it not serve you well?

How is the container more “secure” if the user isn’t running as root? It exposes no ports or entrypoints.

[ChappIO]

The reason that it’s more involved is because the Dockerfile runs at build time. Not runtime. I’d have to create an entrypoint bash script that does argument forwarding and user switching to make this happen.

I’m not saying I won’t but I don’t yet see the added value?

[modem7]

Heya,

The reason that it’s more involved is because the Dockerfile runs at build time. Not runtime.

Doi, of course. That's definitely my bad!

How is the container more “secure” if the user isn’t running as root? It exposes no ports or entrypoints.

Absolutely agreed with that, it's more so we can use env vars within docker scripts programmatically rather than hard setting the values within the commands (specifically $UID and $PID).

It's definitely not high priority at all, more a QoL improvement.

[ChappIO]

Fair enough, I don’t see a reason not to do it so I will take a look at the conventions used at linuxserver.io and copy those as I expect people are used to those by now.