diff --git a/apps/server/Dockerfile.alpine.rootless b/apps/server/Dockerfile.alpine.rootless new file mode 100644 index 0000000000..ebafbabff6 --- /dev/null +++ b/apps/server/Dockerfile.alpine.rootless @@ -0,0 +1,65 @@ +FROM node:22.15.0-alpine AS builder +RUN corepack enable + +# Install native dependencies since we might be building cross-platform. +WORKDIR /usr/src/app +COPY ./dist/package.json ./dist/pnpm-lock.yaml ./docker/pnpm-workspace.yaml /usr/src/app/ +# We have to use --no-frozen-lockfile due to CKEditor patches +RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild + +FROM node:22.15.0-alpine +# Create a non-root user with configurable UID/GID +ARG USER=trilium +ARG UID=1001 +ARG GID=1001 +ENV USER=${USER} +ENV UID=${UID} +ENV GID=${GID} + +# Install runtime dependencies and create user with specific UID/GID +RUN apk add --no-cache dumb-init && \ + # Alpine uses addgroup/adduser (from busybox) instead of groupadd/useradd + addgroup -g ${GID} ${USER} && \ + adduser -u ${UID} -G ${USER} -s /bin/sh -D -h /home/${USER} ${USER} + +WORKDIR /home/${USER}/app +COPY ./dist /home/${USER}/app +RUN rm -rf /home/${USER}/app/node_modules/better-sqlite3 +COPY --from=builder /usr/src/app/node_modules/better-sqlite3 /home/${USER}/app/node_modules/better-sqlite3 +RUN chown -R ${USER}:${USER} /home/${USER} + +# Configure container +USER ${USER} +EXPOSE 8080 + +# By default, use UID/GID that was set during build +# These can be overridden at runtime +ENV TRILIUM_UID=${UID} +ENV TRILIUM_GID=${GID} +ENV TRILIUM_DATA_DIR=/home/${USER}/trilium-data + +# Use dumb-init as entrypoint to handle signals properly +ENTRYPOINT ["/usr/bin/dumb-init", "--"] + +# This script will handle UID/GID checks and start the app +CMD [ "sh", "-c", "\ +if [ \"${TRILIUM_UID}\" != \"$(id -u)\" ] || [ \"${TRILIUM_GID}\" != \"$(id -g)\" ]; then \ + echo \"Detected UID:GID mismatch\"; \ + if [ \"${TRILIUM_GID}\" != \"$(id -g)\" ]; then \ + echo \"ERROR: Cannot change GID at runtime in rootless mode.\"; \ + echo \" Please use docker run with --user ${TRILIUM_UID}:${TRILIUM_GID} instead.\"; \ + exit 1; \ + fi; \ + if [ \"${TRILIUM_UID}\" != \"$(id -u)\" ]; then \ + echo \"ERROR: Cannot change UID at runtime in rootless mode.\"; \ + echo \" Please use docker run with --user ${TRILIUM_UID}:${TRILIUM_GID} instead.\"; \ + exit 1; \ + fi; \ +fi; \ +# Make sure data directory has correct permissions \ +mkdir -p \"${TRILIUM_DATA_DIR}\"; \ +# Start the app \ +exec node ./main \ +" ] + +HEALTHCHECK --start-period=10s CMD node /home/${USER}/app/docker_healthcheck.js diff --git a/apps/server/Dockerfile.rootless b/apps/server/Dockerfile.rootless new file mode 100644 index 0000000000..40f8cda230 --- /dev/null +++ b/apps/server/Dockerfile.rootless @@ -0,0 +1,66 @@ +FROM node:22.15.0-bullseye-slim AS builder +RUN corepack enable + +# Install native dependencies since we might be building cross-platform. +WORKDIR /usr/src/app/build +COPY ./dist/package.json ./dist/pnpm-lock.yaml ./docker/pnpm-workspace.yaml /usr/src/app/ +# We have to use --no-frozen-lockfile due to CKEditor patches +RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild + +FROM node:22.15.0-bullseye-slim +# Create a non-root user with configurable UID/GID +ARG USER=trilium +ARG UID=1001 +ARG GID=1001 +ENV USER=${USER} +ENV UID=${UID} +ENV GID=${GID} + +# Install only runtime dependencies +RUN rm -rf \ + /var/lib/apt/lists/* \ + /var/cache/apt/* && \ + # Create the user/group with the default UID/GID + groupadd -g ${GID} ${USER} && \ + useradd -u ${UID} -g ${USER} -s /bin/sh -m ${USER} + +WORKDIR /home/${USER}/app +COPY ./dist /home/${USER}/app +RUN rm -rf /home/${USER}/app/node_modules/better-sqlite3 +COPY --from=builder /usr/src/app/node_modules/better-sqlite3 /home/${USER}/app/node_modules/better-sqlite3 +RUN chown -R ${USER}:${USER} /home/${USER} + +# Configure container +USER ${USER} +EXPOSE 8080 + +# By default, use UID/GID that was set during build +# These can be overridden at runtime +ENV TRILIUM_UID=${UID} +ENV TRILIUM_GID=${GID} +ENV TRILIUM_DATA_DIR=/home/${USER}/trilium-data + +# This script will handle UID/GID remapping if needed and then start the app +CMD [ "sh", "-c", "\ +if [ \"${TRILIUM_UID}\" != \"$(id -u)\" ] || [ \"${TRILIUM_GID}\" != \"$(id -g)\" ]; then \ + echo \"Remapping user ${USER} to UID:GID ${TRILIUM_UID}:${TRILIUM_GID}\"; \ + # Use 'id -u' and 'id -g' to get current UID and GID \ + if [ \"${TRILIUM_GID}\" != \"$(id -g)\" ]; then \ + # Need root to modify user/group, but we can't use sudo, so we need to exit \ + echo \"ERROR: Cannot change GID at runtime in rootless mode.\"; \ + echo \" Please use docker run with --user ${TRILIUM_UID}:${TRILIUM_GID} instead.\"; \ + exit 1; \ + fi; \ + if [ \"${TRILIUM_UID}\" != \"$(id -u)\" ]; then \ + echo \"ERROR: Cannot change UID at runtime in rootless mode.\"; \ + echo \" Please use docker run with --user ${TRILIUM_UID}:${TRILIUM_GID} instead.\"; \ + exit 1; \ + fi; \ +fi; \ +# Make sure data directory has correct permissions \ +mkdir -p \"${TRILIUM_DATA_DIR}\"; \ +# Start the app \ +exec node ./main \ +" ] + +HEALTHCHECK --start-period=10s CMD node /home/${USER}/app/docker_healthcheck.js diff --git a/docker-compose.rootless.yml b/docker-compose.rootless.yml new file mode 100644 index 0000000000..7d4afd5452 --- /dev/null +++ b/docker-compose.rootless.yml @@ -0,0 +1,31 @@ +version: '3.8' + +# Running `docker-compose -f docker-compose.rootless.yml up` will create/use the "trilium-data" directory in the user home +# Run `TRILIUM_DATA_DIR=/path/of/your/choice docker-compose -f docker-compose.rootless.yml up` to set a different directory +# To run in the background, use `docker-compose -f docker-compose.rootless.yml up -d` +# To use the Alpine-based image, run with `TRILIUM_VARIANT=alpine docker-compose -f docker-compose.rootless.yml up` +services: + trilium: + # Optionally, replace `latest` with a version tag like `v0.90.3` + # Using `latest` may cause unintended updates to the container + image: triliumnext/notes:rootless + restart: unless-stopped + environment: + - TRILIUM_DATA_DIR=/home/trilium/trilium-data + # Set the desired UID/GID for the Trilium process. Will be used during docker run + # These should match the owner of your data directory on the host + - TRILIUM_UID=${TRILIUM_UID:-1001} + - TRILIUM_GID=${TRILIUM_GID:-1001} + # Use the specified UID/GID for the container process + user: ${TRILIUM_UID:-1001}:${TRILIUM_GID:-1001} + ports: + # By default, Trilium will be available at http://localhost:8080 + # It will also be accessible at http://:8080 + # You might want to limit this with something like Docker Networks, reverse proxies, or firewall rules + - '8080:8080' + volumes: + # Unless TRILIUM_DATA_DIR is set, the data will be stored in the "trilium-data" directory in the home directory. + # This can also be changed by replacing the line below with `- /path/of/your/choice:/home/trilium/trilium-data + - ${TRILIUM_DATA_DIR:-~/trilium-data}:/home/trilium/trilium-data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro