From b6030ba713e8d8ec9025bae02257bcd3cae37b71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E1=B4=8A=E1=B4=8F=E1=B4=87=20=E1=B4=84=CA=9C=E1=B4=87?=
 =?UTF-8?q?=C9=B4?=
Date: Wed, 7 Jan 2026 10:33:27 -0500
Subject: [PATCH] docker-next: fix up Git user home directory and permission issue (#8081)

---
 .github/workflows/docker.yml | 2 +-
 Dockerfile.next | 17 +++++++++--------
 docker-next/README.md | 32 +++++++++++++++++++++-----------
 docker-next/start.sh | 8 ++++++++
 4 files changed, 39 insertions(+), 20 deletions(-)
 create mode 100644 docker-next/start.sh

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 6291c05df..57564d926 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -414,7 +414,7 @@ jobs:
 secrets: inherit
 digitalocean-gc-pull-request:
- if: ${{ github.event_name == 'pull_request' }}
+ if: ${{ github.event_name == 'pull_request' && github.repository == 'gogs/gogs' }}
 needs: buildx-next-pull-request
 permissions:
 contents: read
diff --git a/Dockerfile.next b/Dockerfile.next
index 0736c5f4a..1a031cdfb 100644
--- a/Dockerfile.next
+++ b/Dockerfile.next
@@ -1,4 +1,4 @@
-FROM golang:alpine3.22 AS binarybuilder
+FROM golang:alpine3.23 AS binarybuilder
 RUN apk --no-cache --no-progress add --virtual \
 build-deps \
 build-base \
@@ -11,7 +11,7 @@ COPY . .
 RUN ./docker/build/install-task.sh
 RUN TAGS="cert pam" task build
-FROM alpine:3.22
+FROM alpine:3.23
 # Create git user and group with fixed UID/GID at build time for better K8s security context support.
 # Using 1000:1000 as it's a common non-root UID/GID that works well with most volume permission setups.
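Review bot: `github.repository` is the base repository even for a pull_request opened from a fork, so the new condition only skips the job when the workflow runs inside a fork of gogs/gogs, not for fork PRs targeting it; a comment stating that intent would avoid the misreading, e.g. `# Only run in the upstream repository; runs in forks skip the DigitalOcean cleanup`. Whether the job depends on repository-specific credentials is not visible in this hunk, and `buildx-next-pull-request`, which it `needs`, is outside the hunk and may warrant the same guard.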
@@ -32,10 +32,11 @@ ENV GOGS_CUSTOM=/data/gogs
 WORKDIR /app/gogs
 COPY --from=binarybuilder /gogs.io/gogs/gogs .
-
-# Create data directories and set ownership
-RUN mkdir -p /data/gogs /data/git /backup && \
- chown -R git:git /app/gogs /data /backup
+COPY docker-next/start.sh .
+RUN chmod +x start.sh && \
+ mkdir -p /data && \
+ ln -s /data/git /home/git && \
+ chown -R git:git /app/gogs /data
 # Configure Docker Container
 VOLUME ["/data", "/backup"]
@@ -45,5 +46,5 @@ HEALTHCHECK CMD (curl -o /dev/null -sS http://localhost:3000/healthcheck) || exi
 # Run as non-root user by default for better K8s security context support.
 USER git:git
-ENTRYPOINT ["/app/gogs/gogs"]
-CMD ["web"]
+ENTRYPOINT ["/app/gogs/start.sh"]
+CMD ["/app/gogs/gogs", "web"]
diff --git a/docker-next/README.md b/docker-next/README.md
index e2c0c4a4f..2d5f4d112 100644
--- a/docker-next/README.md
+++ b/docker-next/README.md
@@ -18,17 +18,27 @@ This Docker image is designed with Kubernetes security best practices in mind:
 ### Kubernetes Security Context example
+In the deployment YAML, make sure the following snippets exist:
+
 ```yaml
-securityContext:
- runAsNonRoot: true
- runAsUser: 1000
- runAsGroup: 1000
- allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
- capabilities:
- drop:
- - ALL
+spec:
+ template:
+ spec:
+ securityContext:
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+ containers:
+ - name: gogs
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
 ```
 ### Custom UID/GID at build time
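Review bot: `ln -s /data/git /home/git` in the new RUN only produces the intended link if /home/git does not already exist; if the user-creation step earlier in Dockerfile.next (outside this hunk) gave the git user a real /home/git directory, the command silently creates /home/git/git instead, so `ln -sfn /data/git /home/git` (or creating the user with its home set to /data/git) would be safer. The same RUN drops /backup from `mkdir -p` and `chown`, yet `VOLUME ["/data", "/backup"]` two lines later still declares it, so the mountpoint is created root-owned and the `git` user the image later switches to cannot write there unless something outside this diff creates it. Restoring `/backup` to both `mkdir -p /data /backup` and the `chown -R git:git /app/gogs /data /backup` line (and to start.sh's runtime mkdir) keeps backups working. `COPY --chmod=755 docker-next/start.sh .` would also make the separate `chmod +x` unnecessary.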
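Review bot: Moving the binary path from ENTRYPOINT into CMD changes the run-time contract: `docker run <image> backup` used to execute `gogs backup`, but with `ENTRYPOINT ["/app/gogs/start.sh"]` the wrapper now runs `exec backup`, which fails because the subcommand is no longer prefixed by the binary. Either keep `CMD ["web"]` and have start.sh exec `/app/gogs/gogs "$@"`, or document in docker-next/README.md that overriding the command now requires the full `/app/gogs/gogs <subcommand>` form; the README hunk in this commit does not mention it.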
@@ -83,7 +93,7 @@ $ docker run --name=gogs -p 10022:2222 -p 10880:3000 -v gogs-data:/data gogs/gog
 Most of the settings are obvious and easy to understand, but there are some settings can be confusing by running Gogs inside Docker:
-- **Repository Root Path**: keep it as default value `/home/git/gogs-repositories`
+- **Repository Root Path**: either `/data/git/gogs-repositories` or `/home/git/gogs-repositories` works.
 - **Run User**: default `git` (UID 1000)
 - **Domain**: fill in with Docker container IP (e.g. `192.168.99.100`). But if you want to access your Gogs instance from a different physical machine, please fill in with the hostname or IP address of the Docker host machine.
 - **SSH Port**: Use the exposed port from Docker container. For example, your SSH server listens on `2222` inside Docker, **but** you expose it by `10022:2222`, then use `10022` for this value.
diff --git a/docker-next/start.sh b/docker-next/start.sh
new file mode 100644
index 000000000..6de0d2227
--- /dev/null
+++ b/docker-next/start.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -ex
+
+# Create data directories at runtime (needed when /data is a mounted volume)
+mkdir -p /data/gogs /data/git
+
+# Execute the main command
+exec "$@"
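Review bot: `set -ex` on the second line makes the shell echo every command with its expanded arguments to stderr, including the final `exec "$@"`, so whatever is passed as the container command ends up in the container logs; `set -eu` keeps the fail-fast behaviour without that, and additionally rejects unset variables. The `mkdir -p` runs as the `git` user that Dockerfile.next switches to, so it aborts with a permission error when the mounted /data is root-owned; that is a useful early failure, and a comment such as `# Fails fast when the mounted /data is not writable by the git user (see the README securityContext/fsGroup example)` would tell operators what the error means. /backup, which Dockerfile.next declares as a VOLUME, is not created here.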