2121
2222# ## START: Container build time args for Elemental Server
2323# #
24+ # Names of the Linux user account and group to run the Elemental Server service under
25+ ARG ELEMENTAL_SERVER_SERVICE_ACCOUNT="edb01"
26+ ARG ELEMENTAL_SERVER_SERVICE_GROUP="edb01"
27+
2428# Elemental data cache size
2529ARG ELEMENTAL_SERVER_CACHE_MEM="256"
2630# Elemental maximum number of database brokers
@@ -43,6 +47,10 @@ ARG ADDITIONAL_JAVA_TOOL_OPTIONS
4347# Install latest JRE 21 in Chainguard Wolfi temporary builder image
4448FROM cgr.dev/chainguard/wolfi-base AS builder
4549
50+ # Inherit global args to this build stage
51+ ARG ELEMENTAL_SERVER_SERVICE_ACCOUNT
52+ ARG ELEMENTAL_SERVER_SERVICE_GROUP
53+
4654RUN apk update && apk upgrade
4755# Install dependencies needed for JRE
4856RUN apk add tzdata zlib libjpeg-turbo libpng lcms2 freetype ttf-dejavu fontconfig-config libfontconfig1 expat libuuid libbrotlicommon1 libbrotlidec1 libbrotlienc1 libcrypt1
@@ -51,11 +59,17 @@ RUN apk add ca-certificates java-cacerts
5159# Install latest JRE
5260RUN apk add openjdk-21-jre
5361
62+ # Add Elemental Server service group and account
63+ RUN addgroup -S ${ELEMENTAL_SERVER_SERVICE_GROUP} \
64+ && adduser -S -G ${ELEMENTAL_SERVER_SERVICE_GROUP} -H -h /nonexistent -s /sbin/nologin -g "Elemental Database Server - Instance 01" ${ELEMENTAL_SERVER_SERVICE_ACCOUNT}
65+
5466
5567# Use Chainguard distroless glibc base for dynamically linked libraries
5668FROM cgr.dev/chainguard/glibc-dynamic:latest
5769
5870# Inherit global args to this build stage
71+ ARG ELEMENTAL_SERVER_SERVICE_ACCOUNT
72+ ARG ELEMENTAL_SERVER_SERVICE_GROUP
5973ARG ELEMENTAL_SERVER_CACHE_MEM
6074ARG ELEMENTAL_SERVER_MAX_BROKER
6175ARG JVM_MAX_RAM_PERCENTAGE
@@ -93,17 +107,22 @@ COPY --from=builder /usr/share/ca-certificates /usr/share/ca-certificates
93107# Copy over updated JRE from Wolfi
94108COPY --from=builder /usr/lib/jvm/java-21-openjdk /usr/lib/jvm/java-21-openjdk
95109
96- # Switch to nonroot user
97- USER nonroot
110+ # Copy Elemental Server service group and account
111+ COPY --from=builder --chown=root:root --chmod=0644 /etc/passwd /etc/passwd
112+ COPY --from=builder --chown=root:root --chmod=0644 /etc/group /etc/group
113+ COPY --from=builder --chown=root:root --chmod=0600 /etc/shadow /etc/shadow
114+
115+ # Switch to Elemental Server service account
116+ USER ${ELEMENTAL_SERVER_SERVICE_ACCOUNT}
98117
99118# Copy Elemental
100- COPY --chmod=0555 logs /elemental
101- COPY --chmod=0444 LICENSE /elemental/LICENSE
102- COPY --chmod=0570 autodeploy /elemental/autodeploy
103- COPY --chmod=0570 etc /elemental/etc
104- COPY --chmod=0550 lib /elemental/lib
105- COPY --chown=nonroot --chmod=0750 logs /elemental/logs
106- COPY --chown=nonroot --chmod=0750 logs /elemental/data
119+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} -- chmod=0555 logs /elemental
120+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} -- chmod=0444 LICENSE /elemental/LICENSE
121+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} -- chmod=0570 autodeploy /elemental/autodeploy
122+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} -- chmod=0570 etc /elemental/etc
123+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} -- chmod=0550 lib /elemental/lib
124+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} --chmod=0750 logs /elemental/logs
125+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} --chmod=0750 logs /elemental/data
107126
108127# Build-time metadata as defined at http://label-schema.org
109128# and used by autobuilder @hooks/build
0 commit comments