Add rootless (alpine) images

.cspell.json

@@ -10,6 +10,8 @@
   ],
   "words": [
     "abool",
+    "addgroup",
+    "adduser",
     "anbraten",
     "antfu",
     "apimachinery",

.woodpecker/docker.yaml

@@ -125,7 +125,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: woodpeckerci/woodpecker-server
-      dockerfile: docker/Dockerfile.server.alpine.multiarch
+      dockerfile: docker/Dockerfile.server.alpine.multiarch.rootless
       platforms: *platforms_preview
       tag: pull_${CI_COMMIT_PULL_REQUEST}-alpine
       logins: *publish_logins
@@ -142,7 +142,7 @@ steps:
     settings:
       dry_run: true
       repo: woodpeckerci/woodpecker-server
-      dockerfile: docker/Dockerfile.server.multiarch
+      dockerfile: docker/Dockerfile.server.multiarch.rootless
       platforms: *platforms_preview
       tag: pull_${CI_COMMIT_PULL_REQUEST}
     when: &when-dryrun
@@ -156,7 +156,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_server
-      dockerfile: docker/Dockerfile.server.multiarch
+      dockerfile: docker/Dockerfile.server.multiarch.rootless
       platforms: *platforms_server
       tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
       logins: *publish_logins
@@ -171,7 +171,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_server
-      dockerfile: docker/Dockerfile.server.alpine.multiarch
+      dockerfile: docker/Dockerfile.server.alpine.multiarch.rootless
       platforms: *platforms_alpine
       tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
       logins: *publish_logins
@@ -183,7 +183,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_server
-      dockerfile: docker/Dockerfile.server.multiarch
+      dockerfile: docker/Dockerfile.server.multiarch.rootless
       platforms: *platforms_server
       tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}']
       logins: *publish_logins
@@ -196,7 +196,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_server
-      dockerfile: docker/Dockerfile.server.alpine.multiarch
+      dockerfile: docker/Dockerfile.server.alpine.multiarch.rootless
       platforms: *platforms_alpine
       tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
       logins: *publish_logins
@@ -212,7 +212,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: woodpeckerci/woodpecker-agent
-      dockerfile: docker/Dockerfile.agent.alpine.multiarch
+      dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
       platforms: *platforms_preview
       tag: pull_${CI_COMMIT_PULL_REQUEST}-alpine
       build_args: *build_args
@@ -226,7 +226,7 @@ steps:
     settings:
       dry_run: true
       repo: woodpeckerci/woodpecker-agent
-      dockerfile: docker/Dockerfile.agent.multiarch
+      dockerfile: docker/Dockerfile.agent.multiarch.rootless
       platforms: *platforms_preview
       tag: pull_${CI_COMMIT_PULL_REQUEST}
       build_args: *build_args
@@ -241,7 +241,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_agent
-      dockerfile: docker/Dockerfile.agent.multiarch
+      dockerfile: docker/Dockerfile.agent.multiarch.rootless
       platforms: *platforms_release
       tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
       logins: *publish_logins
@@ -260,7 +260,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_agent
-      dockerfile: docker/Dockerfile.agent.alpine.multiarch
+      dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
       platforms: *platforms_alpine
       tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
       logins: *publish_logins
@@ -276,7 +276,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_agent
-      dockerfile: docker/Dockerfile.agent.multiarch
+      dockerfile: docker/Dockerfile.agent.multiarch.rootless
       platforms: *platforms_release
       tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']
       logins: *publish_logins
@@ -292,7 +292,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_agent
-      dockerfile: docker/Dockerfile.agent.alpine.multiarch
+      dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
       platforms: *platforms_alpine
       tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
       logins: *publish_logins
@@ -310,7 +310,7 @@ steps:
     settings:
       dry_run: true
       repo: woodpeckerci/woodpecker-cli
-      dockerfile: docker/Dockerfile.cli.multiarch
+      dockerfile: docker/Dockerfile.cli.multiarch.rootless
       platforms: *platforms_preview
       tag: pull_${CI_COMMIT_PULL_REQUEST}
       build_args: *build_args
@@ -325,7 +325,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_cli
-      dockerfile: docker/Dockerfile.cli.multiarch
+      dockerfile: docker/Dockerfile.cli.multiarch.rootless
       platforms: *platforms_release
       tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
       logins: *publish_logins
@@ -341,7 +341,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_cli
-      dockerfile: docker/Dockerfile.cli.alpine.multiarch
+      dockerfile: docker/Dockerfile.cli.alpine.multiarch.rootless
       platforms: *platforms_alpine
       tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
       logins: *publish_logins
@@ -357,7 +357,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_cli
-      dockerfile: docker/Dockerfile.cli.multiarch
+      dockerfile: docker/Dockerfile.cli.multiarch.rootless
       platforms: *platforms_release
       tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']
       logins: *publish_logins
@@ -373,7 +373,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_cli
-      dockerfile: docker/Dockerfile.cli.alpine.multiarch
+      dockerfile: docker/Dockerfile.cli.alpine.multiarch.rootless
       platforms: *platforms_alpine
       tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
       logins: *publish_logins

docker/Dockerfile.agent.alpine.multiarch → docker/Dockerfile.agent.alpine.multiarch.rootless

@@ -15,7 +15,12 @@ ENV WOODPECKER_IN_CONTAINER=true
 EXPOSE 3000
 
 COPY --from=build /src/dist/woodpecker-agent /bin/
-RUN mkdir -p /etc/woodpecker
+
+RUN mkdir -p /etc/woodpecker && \
+  addgroup -S woodpecker && adduser -S woodpecker -G woodpecker && \
+  mkdir -p /etc/woodpecker && chown -R woodpecker:woodpecker /etc/woodpecker
+
+USER woodpecker
 
 HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
 ENTRYPOINT ["/bin/woodpecker-agent"]

docker/Dockerfile.agent.multiarch → docker/Dockerfile.agent.multiarch.rootless

@@ -1,4 +1,8 @@
-FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS build
+FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS builder
+
+RUN adduser woodpecker && \
+  mkdir -p /var/lib/woodpecker && \
+  chown -R woodpecker:woodpecker /var/lib/woodpecker
 
 WORKDIR /src
 COPY . .
@@ -15,10 +19,14 @@ ENV WOODPECKER_IN_CONTAINER=true
 EXPOSE 3000
 
 # copy certs from build image
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 # copy agent binary
-COPY --from=build /src/dist/woodpecker-agent /bin/
-COPY --from=build /etc/woodpecker /etc
+COPY --from=builder /src/dist/woodpecker-agent /bin/
+COPY --from=builder /etc/woodpecker /etc
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+
+USER woodpecker
 
 HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
 ENTRYPOINT ["/bin/woodpecker-agent"]

docker/Dockerfile.cli.alpine.multiarch → docker/Dockerfile.cli.alpine.multiarch.rootless

@@ -17,5 +17,10 @@ ENV WOODPECKER_DISABLE_UPDATE_CHECK=true
 
 COPY --from=build /src/dist/woodpecker-cli /bin/
 
+RUN addgroup -S woodpecker && \
+  adduser -S woodpecker -G woodpecker
+
+USER woodpecker
+
 HEALTHCHECK CMD ["/bin/woodpecker-cli", "ping"]
 ENTRYPOINT ["/bin/woodpecker-cli"]

docker/Dockerfile.cli.multiarch → docker/Dockerfile.cli.multiarch.rootless

@@ -1,4 +1,6 @@
-FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS build
+FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS builder
+
+RUN adduser woodpecker
 
 WORKDIR /src
 COPY . .
@@ -14,9 +16,13 @@ ENV GODEBUG=netdns=go
 ENV WOODPECKER_DISABLE_UPDATE_CHECK=true
 
 # copy certs from build image
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 # copy cli binary
-COPY --from=build /src/dist/woodpecker-cli /bin/
+COPY --from=builder /src/dist/woodpecker-cli /bin/
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+
+USER woodpecker
 
 HEALTHCHECK CMD ["/bin/woodpecker-cli", "ping"]
 ENTRYPOINT ["/bin/woodpecker-cli"]

docker/Dockerfile.server.alpine.multiarch → docker/Dockerfile.server.alpine.multiarch.rootless

@@ -11,5 +11,11 @@ EXPOSE 8000 9000 80 443
 
 COPY dist/server/${TARGETOS}_${TARGETARCH}/woodpecker-server /bin/
 
+RUN addgroup -S woodpecker && adduser -S woodpecker -G woodpecker && \
+  mkdir -p /var/lib/woodpecker && \
+  chown -R woodpecker:woodpecker /var/lib/woodpecker
+
+USER woodpecker
+
 HEALTHCHECK CMD ["/bin/woodpecker-server", "ping"]
 ENTRYPOINT ["/bin/woodpecker-server"]

docker/Dockerfile.server.multiarch → docker/Dockerfile.server.multiarch.rootless

@@ -1,4 +1,8 @@
-FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS certs
+FROM --platform=$BUILDPLATFORM docker.io/golang:1.23 AS builder
+
+RUN adduser woodpecker && \
+  mkdir -p /var/lib/woodpecker && \
+  chown -R woodpecker:woodpecker /var/lib/woodpecker
 
 FROM scratch
 ARG TARGETOS TARGETARCH
@@ -10,9 +14,14 @@ ENV XDG_DATA_HOME=/var/lib/woodpecker
 EXPOSE 8000 9000 80 443
 
 # copy certs from certs image
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 # copy server binary
 COPY dist/server/${TARGETOS}_${TARGETARCH}/woodpecker-server /bin/
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+COPY --from=builder /var/lib/woodpecker /var/lib/woodpecker
+
+USER woodpecker
 
 HEALTHCHECK CMD ["/bin/woodpecker-server", "ping"]
 ENTRYPOINT ["/bin/woodpecker-server"]

docs/docs/30-administration/04-image-variants.md

@@ -0,0 +1,30 @@
+# Image variants
+
+:::info
+The `latest` tag has been deprecated as of v3.0 and will be completely removed in the future.
+This was done to prevent accidental major version upgrades.
+:::
+
+- `vX.Y.Z`: Sem-ver tags for specific releases, no entrypoint shell (scratch image)
+  - `vX.Y`
+  - `vX`
+- `vX.Y.Z-alpine`: Sem-ver tags for specific releases, based on Alpine, rootless (as of v3.0).
+  - `vX.Y-alpine`
+  - `vX-alpine`
+- `next`: Built from the `main` branch
+- `pull_<PR_ID>`: Images built from Pull Request branches.
+
+## Image registries
+
+Images are pushed to DockerHub and Quay.
+
+[woodpecker-server (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/woodpecker-server)
+[woodpecker-server (Quay)](https://quay.io/repository/woodpeckerci/woodpecker-server)
+
+[woodpecker-agent (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/woodpecker-agent)
+[woodpecker-agent (Quay)](https://quay.io/repository/woodpeckerci/woodpecker-agent)
+
+[woodpecker-cli (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/woodpecker-cli)
+[woodpecker-cli (Quay)](https://quay.io/repository/woodpeckerci/woodpecker-cli)
+
+[woodpecker-autoscaler (DockerHub)](https://hub.docker.com/repository/docker/woodpeckerci/autoscaler)

docs/docs/92-development/07-guides.md

@@ -40,7 +40,7 @@ export PLATFORMS='linux|amd64'
 make cross-compile-server
 
 ### build the image
-docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.server.multiarch --push .
+docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.server.multiarch.rootless --push .
 ```
 
 :::info
@@ -55,7 +55,7 @@ You can try to use the `build-server` rule instead, however this one fails for s
 make build-agent
 
 ### build the image
-docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch --push .
+docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch.rootless --push .
 ```
 
 ### CLI
@@ -65,5 +65,5 @@ docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Docker
 make build-cli
 
 ### build the image
-docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.cli.multiarch --push .
+docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.cli.multiarch.rootless --push .
 ```

docs/src/pages/migrations.md

@@ -172,6 +172,11 @@ The following restructuring was done to achieve a more consistent grouping:
 
 - Webhook signatures now use the `rfc9421` protocol
 
+#### Rootless images
+
+From 3.0 onward, all Woodpecker images use a non-privileged user (`woodpecker`) by default.
+If you have volume mounts attached to containers, you might need to update the ownership of these directories from `root` to `woodpecker`.
+
 ## User migrations
 
 - `gated` has been replaced by `require-approval`