From 87270490def38e53855aa93686b9f3d113b4f0f6 Mon Sep 17 00:00:00 2001
From: Tyler Koenig
Date: Mon, 1 Jun 2026 11:46:05 -0400
Subject: [PATCH 1/3] fix(docker): non-root user, supply chain attestations, build cleanup
BREAKING: Container now runs as UID 1000 (uptop) instead of root. Existing volumes with root-owned files need migration: docker run --rm -v :/data alpine chown -R 1000:1000 /data
- Add uptop user (UID/GID 1000) with entrypoint writability check
- Enable SBOM and provenance attestations for Docker Scout compliance
- Prune dangling images and build cache after release builds
---
.gitea/workflows/release.yml | 8 ++++++++
Dockerfile | 8 +++++---
docker-entrypoint.sh | 12 ++++++++++++
3 files changed, 25 insertions(+), 3 deletions(-)
create mode 100755 docker-entrypoint.sh
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index dfd8712..20901a5 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -66,6 +66,8 @@ jobs:
 context: .
 push: true
 platforms: linux/amd64,linux/arm64
+ sbom: true
+ provenance: mode=max
 tags: |
 lerkolabs/uptop:${{ github.ref_name }}
 lerkolabs/uptop:latest
@@ -80,3 +82,9 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 repository: lerkolabs/uptop
+
+ - name: Cleanup Docker artifacts
+ if: always()
+ run: |
+ docker image prune -f
+ docker builder prune -f --keep-storage=2GB
diff --git a/Dockerfile b/Dockerfile
index 3dbab66..edfc4dc 100644
--- a/Dockerfile
+++ b/Dockerfile
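Review bot: `provenance: mode=max` publishes the full build definition — the resolved Dockerfile and every `build-args` value — as a public attestation on Docker Hub next to the image; if this step passes any sensitive build argument (none is visible in the hunk, but the step's `with:` block starts above it), it becomes public with this change, whereas `mode=min` or a `--mount=type=secret` keeps it out. The SBOM and provenance are also attached unsigned, so they satisfy Docker Scout's presence check but give consumers nothing to verify unless a signing step over the pushed digest (e.g. cosign) exists elsewhere in the workflow, which the hunk does not show. A comment recording the decision would help the next reader: `# mode=max embeds the Dockerfile and build args in the public attestation; never pass secrets as build-args`.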
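Review bot: `docker builder prune` only prunes the default docker-driver builder, while the multi-platform build in the step above (`platforms: linux/amd64,linux/arm64`) needs a buildx builder with the docker-container driver, whose cache lives inside the builder container and is untouched by this command; if that is how the runner is set up (the builder setup is outside the hunk), `docker buildx prune -f --keep-storage=2GB` is the command that actually bounds the cache this job grows. Newer buildx releases also deprecate `--keep-storage` in favour of `--reserved-space`, so the flag should be checked against the runner's buildx version. `docker image prune -f` is safe as written since it removes only dangling images.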
@@ -18,12 +18,12 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 FROM alpine:3.23
 WORKDIR /app
 RUN apk add --no-cache ca-certificates && apk upgrade --no-cache
-RUN mkdir /data
+RUN addgroup -g 1000 -S uptop && adduser -u 1000 -S uptop -G uptop
+RUN mkdir /data && chown uptop:uptop /data
 COPY --from=builder /app/uptop .
+COPY docker-entrypoint.sh /usr/local/bin/
-# Set Default Configuration via ENV
-# Docker users can override these in docker-compose.yml
 ENV LIPGLOSS_RENDERER_HAS_DARK_BACKGROUND=true
 ENV UPTOP_DB_TYPE=sqlite
 ENV UPTOP_DB_DSN=/data/uptop.db
@@ -31,4 +31,6 @@ ENV UPTOP_KEYS=/data/authorized_keys
 ENV UPTOP_PORT=23234
 EXPOSE 23234
+USER uptop
+ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["./uptop"]
\ No newline at end of file
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100755
index 0000000..cef5bb2
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+if [ ! -w /data ]; then
+ echo "ERROR: /data is not writable by uptop user (UID $(id -u))." >&2
+ echo "" >&2
+ echo "If upgrading from a previous version that ran as root:" >&2
+ echo " docker run --rm -v :/data alpine chown -R 1000:1000 /data" >&2
+ exit 1
+fi
+
+exec "$@"
-- 
2.52.0
From b254f6ea05c679548579fedae949624bd3908ba1 Mon Sep 17 00:00:00 2001
From: Tyler Koenig
Date: Mon, 1 Jun 2026 15:33:52 -0400
Subject: [PATCH 2/3] fix(docker): move SSH host key path into /data for non-root user
---
Dockerfile | 1 +
1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index edfc4dc..cf83835 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,6 +28,7 @@ ENV LIPGLOSS_RENDERER_HAS_DARK_BACKGROUND=true
 ENV UPTOP_DB_TYPE=sqlite
 ENV UPTOP_DB_DSN=/data/uptop.db
 ENV UPTOP_KEYS=/data/authorized_keys
+ENV UPTOP_SSH_HOST_KEY=/data/.ssh/id_ed25519
 ENV UPTOP_PORT=23234
 EXPOSE 23234
-- 
2.52.0
From 8d34524aa02b46a69622a31880a44561151cdf83 Mon Sep 17 00:00:00 2001
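Review bot: The hunk drops the only comments in this stage (the two `# Set Default Configuration…` lines above the `ENV` block) without replacement, and introduces a fixed UID/GID whose value is load-bearing for the `chown -R 1000:1000` volume migration in the commit message but is explained nowhere in the file. Suggest restoring a one-line comment above `ENV LIPGLOSS_RENDERER_HAS_DARK_BACKGROUND=true` such as `# Runtime defaults; override via the environment (e.g. docker-compose.yml)`, and one above the `addgroup` line: `# Fixed UID/GID 1000 so files chowned 1000:1000 on the host line up; keep in sync with the migration step in the release notes`. The two new `RUN` lines could be a single layer, but that is cosmetic. This stage begins above the hunk.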
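Review bot: `USER uptop` sets a symbolic user, which Kubernetes rejects when a pod sets `runAsNonRoot: true` without an explicit `runAsUser` (the error is "container has runAsNonRoot and image has non-numeric user"); since the UID is fixed anyway, `USER 1000:1000` keeps the non-root guarantee verifiable by the runtime at no cost. `ENTRYPOINT ["docker-entrypoint.sh"]` relies on PATH lookup, so `ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]` is the more robust form against a user-supplied `PATH`. `EXPOSE 23234` is above 1024, so the switch to non-root needs no extra capability to bind.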
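Review bot: The migration hint in the fourth `echo` prints `docker run --rm -v :/data alpine chown -R 1000:1000 /data`, which has nothing before `:/data` and is rejected by Docker as an invalid volume spec when pasted; if a `<volume>` placeholder was lost in rendering it should read `-v <volume-or-host-path>:/data` (the same command in the commit message has the same gap). The `-w /data` test also only covers the directory, so a volume whose directory was chowned but whose database file is still root-owned passes the check and fails later inside the app; adding `[ -e /data/uptop.db ] && [ ! -w /data/uptop.db ]` to the same condition reports that case with the same helpful message. `exec "$@"` at the end is correct and keeps the server as PID 1.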
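Review bot: Moving the host-key default to `/data/.ssh/id_ed25519` means an existing deployment whose key lived at the old default (not shown here, but presumably outside `/data`, since the volume so far held only the DB and `authorized_keys`) will generate a fresh host key on first start, and every SSH client will then see a host-key-changed warning — the one warning users must not learn to click through. That is a second BREAKING item and belongs in the commit message next to the UID change, with a migration hint (copy the old key into the volume's `.ssh/` before upgrading). A comment on the new line would also help: `# Host key lives on the volume so it survives restarts and is writable by the non-root user`.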
From: Tyler Koenig
Date: Mon, 1 Jun 2026 15:56:45 -0400
Subject: [PATCH 3/3] fix(docker): create .ssh dir explicitly, ensure entrypoint is executable
---
Dockerfile | 4 ++--
docker-entrypoint.sh | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index cf83835..f488e09 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,10 +19,10 @@ FROM alpine:3.23
 WORKDIR /app
 RUN apk add --no-cache ca-certificates && apk upgrade --no-cache
 RUN addgroup -g 1000 -S uptop && adduser -u 1000 -S uptop -G uptop
-RUN mkdir /data && chown uptop:uptop /data
+RUN mkdir -p /data/.ssh && chown -R uptop:uptop /data
 COPY --from=builder /app/uptop .
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY --chmod=755 docker-entrypoint.sh /usr/local/bin/
 ENV LIPGLOSS_RENDERER_HAS_DARK_BACKGROUND=true
 ENV UPTOP_DB_TYPE=sqlite
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index cef5bb2..4d758ea 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -9,4 +9,6 @@ if [ ! -w /data ]; then
 exit 1
 fi
+mkdir -p /data/.ssh
+
 exec "$@"
-- 
2.52.0
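Review bot: `mkdir -p /data/.ssh` creates the host-key directory with the build umask (normally 0755), so on a freshly seeded named volume the private key's parent directory is world-readable; `RUN mkdir -p -m 700 /data/.ssh && chown -R uptop:uptop /data` follows the usual `.ssh` convention at no cost. Note that this image-side directory only seeds a new named volume — a bind mount or an existing volume hides it entirely, so the entrypoint's own `mkdir` is what governs the runtime layout. `COPY --chmod=755` is the right fix for the executable bit and keeps the script root-owned, so the non-root user cannot alter what runs as PID 1.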
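Review bot: `mkdir -p /data/.ssh` runs after the `/data` writability check but is not itself checked: with the default umask the directory is created 0755, and if `/data/.ssh` already exists but is not writable (e.g. created as root on the host) `-p` accepts it silently and the host-key write fails later with a less helpful error. Suggest `mkdir -p -m 700 /data/.ssh` followed by `[ -w /data/.ssh ] || { echo "ERROR: /data/.ssh is not writable by UID $(id -u)." >&2; exit 1; }`, so the private key's directory is not world-readable and the failure is reported the same way as for `/data`. Whether the application restricts the key file's own mode is not visible here. The enclosing `if` block begins above the hunk.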