Allow running docker container as non-root

.github/workflows/publish-docker-image.yml

@@ -28,6 +28,10 @@ jobs:
           - runtime: 'openswoole'
             tag-suffix: 'openswoole'
             platforms: 'linux/arm/v7,linux/arm64/v8,linux/amd64'
+          - runtime: 'rr'
+            tag-suffix: 'non-root'
+            platforms: 'linux/arm64/v8,linux/amd64'
+            user-id: '1001'
     uses: shlinkio/github-actions/.github/workflows/docker-build-and-publish.yml@main
     secrets: inherit
     with:
@@ -37,3 +41,4 @@ jobs:
       tags-suffix: ${{ matrix.tag-suffix }}
       extra-build-args: |
         SHLINK_RUNTIME=${{ matrix.runtime }}
+        SHLINK_USER_ID=${{ matrix.user-id && matrix.user-id || 'root' }}

Dockerfile

@@ -4,11 +4,14 @@ ARG SHLINK_VERSION=latest
 ENV SHLINK_VERSION ${SHLINK_VERSION}
 ARG SHLINK_RUNTIME=rr
 ENV SHLINK_RUNTIME ${SHLINK_RUNTIME}
+ARG SHLINK_USER_ID='root'
+ENV SHLINK_USER_ID ${SHLINK_USER_ID}
+
 ENV OPENSWOOLE_VERSION 22.0.0
 ENV PDO_SQLSRV_VERSION 5.10.1
 ENV MS_ODBC_DOWNLOAD 'b/9/f/b9f3cce4-3925-46d4-9f46-da08869c6486'
 ENV MS_ODBC_SQL_VERSION 18_18.1.1.1
-ENV LC_ALL "C"
+ENV LC_ALL 'C'
 
 WORKDIR /etc/shlink
 
@@ -48,7 +51,7 @@ RUN apk add --no-cache git && \
     if [ "$SHLINK_RUNTIME" == 'openswoole' ]; then \
         php composer.phar remove spiral/roadrunner spiral/roadrunner-jobs spiral/roadrunner-cli spiral/roadrunner-http --with-all-dependencies --update-no-dev --optimize-autoloader --no-progress --no-interaction ; \
     elif [ "$SHLINK_RUNTIME" == 'rr' ]; then \
-        php composer.phar remove mezzio/mezzio-swoole --with-all-dependencies --update-no-dev --optimize-autoloader --no-progress --no-interaction ; \
+        php composer.phar remove mezzio/mezzio-swoole --with-all-dependencies --update-no-dev --optimize-autoloader --no-progress --no-interaction --ignore-platform-req=ext-openswoole ; \
     fi; \
     php composer.phar clear-cache && \
     rm -r docker composer.* && \
@@ -59,7 +62,7 @@ RUN apk add --no-cache git && \
 FROM base
 LABEL maintainer="Alejandro Celaya <alejandro@alejandrocelaya.com>"
 
-COPY --from=builder /etc/shlink .
+COPY --from=builder --chown=${SHLINK_USER_ID} /etc/shlink .
 RUN ln -s /etc/shlink/bin/cli /usr/local/bin/shlink && \
     if [ "$SHLINK_RUNTIME" == 'rr' ]; then \
       php ./vendor/bin/rr get --no-interaction --no-config --location bin/ && chmod +x bin/rr ; \
@@ -73,14 +76,6 @@ COPY docker/docker-entrypoint.sh docker-entrypoint.sh
 COPY docker/config/shlink_in_docker.local.php config/autoload/shlink_in_docker.local.php
 COPY docker/config/php.ini ${PHP_INI_DIR}/conf.d/
 
-# Change the ownership of /etc/shlink/data to be writable, then change the user to non-root
-# FIXME Disabled for now, as it conflicts with ENABLE_PERIODIC_VISIT_LOCATE, which is used to configure a cron as root.
-#       Ref: https://github.com/shlinkio/shlink/issues/1132
-#RUN chown 1001 /etc/shlink/data
-#RUN chown 1001 /etc/shlink/data/locks
-#RUN chown 1001 /etc/shlink/data/proxies
-#RUN chown 1001 /etc/shlink/data/cache
-#RUN chown 1001 /etc/shlink/data/log
-#USER 1001
+USER ${SHLINK_USER_ID}
 
 ENTRYPOINT ["/bin/sh", "./docker-entrypoint.sh"]

docker/docker-entrypoint.sh

@@ -24,8 +24,8 @@ if [ ! -z "${GEOLITE_LICENSE_KEY}" ] && [ "${SKIP_INITIAL_GEOLITE_DOWNLOAD}" !=
   php bin/cli visit:download-db -n ${flags}
 fi
 
-# Periodically run visit:locate every hour, if ENABLE_PERIODIC_VISIT_LOCATE=true was provided
-if [ "${ENABLE_PERIODIC_VISIT_LOCATE}" = "true" ]; then
+# Periodically run visit:locate every hour, if ENABLE_PERIODIC_VISIT_LOCATE=true was provided and running as root
+if [ "${ENABLE_PERIODIC_VISIT_LOCATE}" = "true" ] && [ "${SHLINK_USER_ID}" = "root" ]; then
   echo "Configuring periodic visit location..."
   echo "0 * * * * php /etc/shlink/bin/cli visit:locate -q" > /etc/crontabs/root
   /usr/sbin/crond &