Merge pull request #1923 from TriliumNext/feat/add-rootless-dockerfiles

eliandoran · web-flow · commit c82c01fb411b · 2025-05-27T20:07:55.000+03:00
feat(ci): add rootless dockerfiles
diff --git a/.editorconfig b/.editorconfig
@@ -8,6 +8,9 @@ indent_style = space
 insert_final_newline = true
 trim_trailing_whitespace = true
 
+[*.sh]
+end_of_line = lf
+
 [{server,translation}.json]
 charset = utf-8
 end_of_line = lf
diff --git a/.gitattributes b/.gitattributes
@@ -14,4 +14,6 @@ demo/**/*.txt eol=lf
 demo/**/*.js eol=lf
 demo/**/*.css eol=lf
 
+*.sh eol=lf
+
 apps/client/src/libraries/** linguist-vendored
diff --git a/apps/server/Dockerfile b/apps/server/Dockerfile
@@ -1,28 +1,28 @@
 FROM node:22.16.0-bullseye-slim AS builder
-    RUN corepack enable
+RUN corepack enable
 
-    # Install native dependencies since we might be building cross-platform.
-    WORKDIR /usr/src/app/build
-    COPY ./docker/package.json ./docker/pnpm-workspace.yaml /usr/src/app/
-    # We have to use --no-frozen-lockfile due to CKEditor patches
-    RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild
+# Install native dependencies since we might be building cross-platform.
+WORKDIR /usr/src/app/build
+COPY ./docker/package.json ./docker/pnpm-workspace.yaml /usr/src/app/
+# We have to use --no-frozen-lockfile due to CKEditor patches
+RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild
 
 FROM node:22.16.0-bullseye-slim
-    # Install only runtime dependencies
-    RUN apt-get update && \
-        apt-get install -y --no-install-recommends \
-        gosu && \
-        rm -rf \
-        /var/lib/apt/lists/* \
-        /var/cache/apt/*
+# Install only runtime dependencies
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    gosu && \
+    rm -rf \
+    /var/lib/apt/lists/* \
+    /var/cache/apt/*
 
-    WORKDIR /usr/src/app
-    COPY ./dist /usr/src/app
-    RUN rm -rf /usr/src/app/node_modules/better-sqlite3
-    COPY --from=builder /usr/src/app/node_modules/better-sqlite3 /usr/src/app/node_modules/better-sqlite3
-    COPY ./start-docker.sh /usr/src/app
+WORKDIR /usr/src/app
+COPY ./dist /usr/src/app
+RUN rm -rf /usr/src/app/node_modules/better-sqlite3
+COPY --from=builder /usr/src/app/node_modules/better-sqlite3 /usr/src/app/node_modules/better-sqlite3
+COPY ./start-docker.sh /usr/src/app
 
-    # Configure container
-    EXPOSE 8080
-    CMD [ "sh", "./start-docker.sh" ]
-    HEALTHCHECK --start-period=10s CMD exec gosu node node /usr/src/app/docker_healthcheck.cjs
+# Configure container
+EXPOSE 8080
+CMD [ "sh", "./start-docker.sh" ]
+HEALTHCHECK --start-period=10s CMD exec gosu node node /usr/src/app/docker_healthcheck.cjs
diff --git a/apps/server/Dockerfile.alpine b/apps/server/Dockerfile.alpine
@@ -1,26 +1,26 @@
 FROM node:22.16.0-alpine AS builder
-    RUN corepack enable
+RUN corepack enable
 
-    # Install native dependencies since we might be building cross-platform.
-    WORKDIR /usr/src/app
-    COPY ./docker/package.json  ./docker/pnpm-workspace.yaml /usr/src/app/
-    # We have to use --no-frozen-lockfile due to CKEditor patches
-    RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild
+# Install native dependencies since we might be building cross-platform.
+WORKDIR /usr/src/app
+COPY ./docker/package.json ./docker/pnpm-workspace.yaml /usr/src/app/
+# We have to use --no-frozen-lockfile due to CKEditor patches
+RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild
 
 FROM node:22.16.0-alpine
-    # Install runtime dependencies
-    RUN apk add --no-cache su-exec shadow
+# Install runtime dependencies
+RUN apk add --no-cache su-exec shadow
 
-    WORKDIR /usr/src/app
-    COPY ./dist /usr/src/app
-    RUN rm -rf /usr/src/app/node_modules/better-sqlite3
-    COPY --from=builder /usr/src/app/node_modules/better-sqlite3 /usr/src/app/node_modules/better-sqlite3
-    COPY ./start-docker.sh /usr/src/app
+WORKDIR /usr/src/app
+COPY ./dist /usr/src/app
+RUN rm -rf /usr/src/app/node_modules/better-sqlite3
+COPY --from=builder /usr/src/app/node_modules/better-sqlite3 /usr/src/app/node_modules/better-sqlite3
+COPY ./start-docker.sh /usr/src/app
 
-    # Add application user
-    RUN adduser -s /bin/false node; exit 0
+# Add application user
+RUN adduser -s /bin/false node; exit 0
 
-    # Configure container
-    EXPOSE 8080
-    CMD [ "sh", "./start-docker.sh" ]
-    HEALTHCHECK --start-period=10s CMD exec su-exec node node /usr/src/app/docker_healthcheck.cjs
+# Configure container
+EXPOSE 8080
+CMD [ "sh", "./start-docker.sh" ]
+HEALTHCHECK --start-period=10s CMD exec su-exec node node /usr/src/app/docker_healthcheck.cjs
diff --git a/apps/server/Dockerfile.alpine.rootless b/apps/server/Dockerfile.alpine.rootless
@@ -0,0 +1,50 @@
+FROM node:22.15.0-alpine AS builder
+RUN corepack enable
+
+# Install native dependencies since we might be building cross-platform.
+WORKDIR /usr/src/app
+COPY ./docker/package.json ./docker/pnpm-workspace.yaml /usr/src/app/
+# We have to use --no-frozen-lockfile due to CKEditor patches
+RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild
+
+FROM node:22.15.0-alpine
+# Create a non-root user with configurable UID/GID
+ARG USER=trilium
+ARG UID=1001
+ARG GID=1001
+ENV USER=${USER}
+ENV UID=${UID}
+ENV GID=${GID}
+
+# Install runtime dependencies and create user with specific UID/GID
+RUN apk add --no-cache dumb-init && \
+    apk add --no-cache bash && \
+    # Alpine uses addgroup/adduser (from busybox) instead of groupadd/useradd
+    addgroup -g ${GID} ${USER} && \
+    adduser -u ${UID} -G ${USER} -s /bin/sh -D -h /home/${USER} ${USER}
+
+WORKDIR /home/${USER}/app
+COPY ./dist /home/${USER}/app
+# Also copy the rootless entrypoint script
+COPY rootless-entrypoint.sh /home/${USER}/app/
+RUN rm -rf /home/${USER}/app/node_modules/better-sqlite3
+COPY --from=builder /usr/src/app/node_modules/better-sqlite3 /home/${USER}/app/node_modules/better-sqlite3
+RUN chown -R ${USER}:${USER} /home/${USER}
+
+# Configure container
+USER ${USER}
+EXPOSE 8080
+
+# By default, use UID/GID that was set during build
+# These can be overridden at runtime
+ENV TRILIUM_UID=${UID}
+ENV TRILIUM_GID=${GID}
+ENV TRILIUM_DATA_DIR=/home/${USER}/trilium-data
+
+# Use dumb-init as entrypoint to handle signals properly
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+
+# Use the entrypoint script
+CMD [ "bash", "./rootless-entrypoint.sh" ]
+
+HEALTHCHECK --start-period=10s CMD node /home/${USER}/app/docker_healthcheck.js
diff --git a/apps/server/Dockerfile.rootless b/apps/server/Dockerfile.rootless
@@ -0,0 +1,48 @@
+FROM node:22.15.0-bullseye-slim AS builder
+RUN corepack enable
+
+# Install native dependencies since we might be building cross-platform.
+WORKDIR /usr/src/app/build
+COPY ./docker/package.json ./docker/pnpm-workspace.yaml /usr/src/app/
+# We have to use --no-frozen-lockfile due to CKEditor patches
+RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild
+
+FROM node:22.15.0-bullseye-slim
+# Create a non-root user with configurable UID/GID
+ARG USER=trilium
+ARG UID=1001
+ARG GID=1001
+ENV USER=${USER}
+ENV UID=${UID}
+ENV GID=${GID}
+
+# Install only runtime dependencies
+RUN rm -rf \
+    /var/lib/apt/lists/* \
+    /var/cache/apt/* && \
+    # Create the user/group with the default UID/GID
+    groupadd -g ${GID} ${USER} && \
+    useradd -u ${UID} -g ${USER} -s /bin/sh -m ${USER}
+
+WORKDIR /home/${USER}/app
+COPY ./dist /home/${USER}/app
+# Also copy the rootless entrypoint script
+COPY rootless-entrypoint.sh /home/${USER}/app/
+RUN rm -rf /home/${USER}/app/node_modules/better-sqlite3
+COPY --from=builder /usr/src/app/node_modules/better-sqlite3 /home/${USER}/app/node_modules/better-sqlite3
+RUN chown -R ${USER}:${USER} /home/${USER}
+
+# Configure container
+USER ${USER}
+EXPOSE 8080
+
+# By default, use UID/GID that was set during build
+# These can be overridden at runtime
+ENV TRILIUM_UID=${UID}
+ENV TRILIUM_GID=${GID}
+ENV TRILIUM_DATA_DIR=/home/${USER}/trilium-data
+
+# Use the entrypoint script
+CMD [ "bash", "./rootless-entrypoint.sh" ]
+
+HEALTHCHECK --start-period=10s CMD node /home/${USER}/app/docker_healthcheck.js
diff --git a/apps/server/package.json b/apps/server/package.json
@@ -154,6 +154,12 @@
           },
           "alpine": {
             "command": "docker build . -t triliumnext-alpine -f Dockerfile.alpine"
+          },
+          "rootless-debian": {
+            "command": "docker build . -t triliumnext-rootless-debian -f Dockerfile.rootless"
+          },
+          "rootless-alpine": {
+            "command": "docker build . -t triliumnext-rootless-alpine -f Dockerfile.alpine.rootless"
           }
         }
       },
@@ -169,6 +175,12 @@
           },
           "alpine": {
             "command": "docker run -p 8081:8080 triliumnext-alpine"
+          },
+          "rootless-debian": {
+            "command": "docker run -p 8081:8080 triliumnext-rootless-debian"
+          },
+          "rootless-alpine": {
+            "command": "docker run -p 8081:8080 triliumnext-rootless-alpine"
           }
         }
       },
diff --git a/apps/server/rootless-entrypoint.sh b/apps/server/rootless-entrypoint.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# Rootless entrypoint script for Trilium Notes
+# Works with both Debian and Alpine-based images
+
+# Check if runtime UID/GID match the expected values
+if [ "${TRILIUM_UID}" != "$(id -u)" ] || [ "${TRILIUM_GID}" != "$(id -g)" ]; then
+  echo "Detected UID:GID mismatch (current: $(id -u):$(id -g), expected: ${TRILIUM_UID}:${TRILIUM_GID})"
+  # Check GID mismatch
+  if [ "${TRILIUM_GID}" != "$(id -g)" ]; then
+    echo "ERROR: Cannot change GID at runtime in rootless mode."
+    echo "       Current GID: $(id -g), Expected GID: ${TRILIUM_GID}"
+    echo "       Please use docker run with --user $(id -u):$(id -g) instead."
+    exit 1
+  fi
+  # Check UID mismatch
+  if [ "${TRILIUM_UID}" != "$(id -u)" ]; then
+    echo "ERROR: Cannot change UID at runtime in rootless mode."
+    echo "       Current UID: $(id -u), Expected UID: ${TRILIUM_UID}"
+    echo "       Please use docker run with --user $(id -u):$(id -g) instead."
+    exit 1
+  fi
+fi
+
+# Make sure data directory has correct permissions
+mkdir -p "${TRILIUM_DATA_DIR}"
+
+# Start the app
+exec node ./main.cjs
diff --git a/apps/server/src/assets/doc_notes/en/User Guide/User Guide/Installation & Setup/Server Installation/1. Installing the server/Using Docker.html b/apps/server/src/assets/doc_notes/en/User Guide/User Guide/Installation & Setup/Server Installation/1. Installing the server/Using Docker.html
diff --git a/docker-compose.rootless.yml b/docker-compose.rootless.yml
diff --git a/docs/Release Notes/Release Notes/v0.94.0.md b/docs/Release Notes/Release Notes/v0.94.0.md
diff --git a/docs/User Guide/User Guide/Installation & Setup/Server Installation/1. Installing the server/Using Docker.md b/docs/User Guide/User Guide/Installation & Setup/Server Installation/1. Installing the server/Using Docker.md
