feat: non-root self hosted images for standard deployment (#5701)

* Use IHttpMessageHandlerFactory For HTTP Communication Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * feat: allow custom app-id.json location for rootless Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * fix: new build context wont allow copying git context * feat: allow images to run as non-root user * fix: build failures caused by bad merge * build: we don't need to copy the `.git` dir * Revert "build: we don't need to copy the `.git` dir" This reverts commit 32c2f6236a. * Use `IHttpClientFactory` in more places * update build workflow * fix: compatibility with the existin run.sh script * fix: compatibility with existing run.sh script * Add SelfHosted GlobalSettings for Setup * Fix my build error * Add other services * Add IConfiguration * fix: missing gosu command for rootful mode * fix: try using .net core certificate handling * fix: add `SSL_CERT_DIR` to remaining images * Remove X509ChainCustomization activation code * Revert "Use IHttpMessageHandlerFactory For HTTP Communication" This reverts commit c93be6d52b. * Revert "fix: build failures caused by bad merge" This reverts commit 3e4639489b. * Revert "Use `IHttpClientFactory` in more places" This reverts commit 284501a493. * remove unused code * re-add error log for installation id * remove missing error message in log * build: remove duplicate docker+qemu setup steps Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com> * build: optimize for simpler builds over caching * build: restore previous method for getting the GIT_HASH * fix: add missing build args to remaining images * fix: rm extraneous source revision id arg * fmt: apply consistent spacing and rm redundant WORKDIR directive * build: update migrator to use simpler build; apply consistent spacing * fix: merge conflicts; simplify changes * fix: add publish branch check back --------- Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com>
2025-06-30 07:36:14 -05:00 · 2025-05-30 10:29:47 -07:00
parent 0b2b573bd3
commit 63f5811aa9
41 changed files with 1045 additions and 478 deletions
--- a/util/Attachments/Dockerfile
+++ b/util/Attachments/Dockerfile
@ -1,16 +1,62 @@
-FROM ghcr.io/bitwarden/server
+###############################################
+#                 Build stage                 #
+###############################################
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS build

+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+    RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+    RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+    RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy required project files
+WORKDIR /source
+COPY . ./
+
+# Restore project dependencies and tools
+WORKDIR /source/util/Server
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Build project
+WORKDIR /source/util/Server
+RUN . /tmp/rid.txt && dotnet publish \
+    -c release \
+    --no-restore \
+    --self-contained \
+    /p:PublishSingleFile=true \
+    -r $RID \
+    -o out
+
+###############################################
+#                  App stage                  #
+###############################################
+FROM mcr.microsoft.com/dotnet/aspnet:8.0
+
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS=http://+:5000
+ENV SSL_CERT_DIR=/etc/bitwarden/ca-certificates
+EXPOSE 5000

 RUN apt-get update \
    && apt-get install -y --no-install-recommends \
-        gosu \
-        curl \
+    gosu \
+    curl \
    && rm -rf /var/lib/apt/lists/*

-ENV ASPNETCORE_URLS http://+:5000
-EXPOSE 5000
-COPY entrypoint.sh /
+# Copy app from the build stage
+WORKDIR /bitwarden_server
+COPY --from=build /source/util/Server/out /bitwarden_server
+COPY util/Attachments/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh

 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1
--- a/util/Attachments/entrypoint.sh
+++ b/util/Attachments/entrypoint.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash

 # Setup

@ -19,19 +19,27 @@ then
    LGID=65534
 fi

-# Create user and group
+if [ "$(id -u)" = "0" ]
+then
+    # Create user and group

-groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
-groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
-useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
-usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
-mkhomedir_helper $USERNAME
+    groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
+    groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
+    useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
+    usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
+    mkhomedir_helper $USERNAME

-# The rest...
+    # The rest...

-chown -R $USERNAME:$GROUPNAME /bitwarden_server
-mkdir -p /etc/bitwarden/core/attachments
-chown -R $USERNAME:$GROUPNAME /etc/bitwarden
+    chown -R $USERNAME:$GROUPNAME /bitwarden_server
+    mkdir -p /etc/bitwarden/core/attachments
+    chown -R $USERNAME:$GROUPNAME /etc/bitwarden
+    gosu_cmd="gosu $USERNAME:$GROUPNAME"
+else
+    gosu_cmd=""
+fi

-exec gosu $USERNAME:$GROUPNAME dotnet /bitwarden_server/Server.dll \
-    /contentRoot=/etc/bitwarden/core/attachments /webRoot=. /serveUnknown=true
+exec $gosu_cmd /bitwarden_server/Server \
+    /contentRoot=/etc/bitwarden/core/attachments \
+    /webRoot=. \
+    /serveUnknown=true
--- a/util/MsSql/Dockerfile
+++ b/util/MsSql/Dockerfile
@ -10,9 +10,9 @@ RUN apt-get update \
    tzdata \
    && rm -rf /var/lib/apt/lists/*

-COPY backup-db.sql /
-COPY backup-db.sh /
-COPY entrypoint.sh /
+COPY util/MsSql/backup-db.sql /
+COPY util/MsSql/backup-db.sh /
+COPY util/MsSql/entrypoint.sh /

 RUN chmod +x /entrypoint.sh \
    && chmod +x /backup-db.sh
--- a/util/MsSqlMigratorUtility/Dockerfile
+++ b/util/MsSqlMigratorUtility/Dockerfile
@ -1,8 +1,52 @@
+###############################################
+#                 Build stage                 #
+###############################################
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+    RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+    RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+    RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy required project files
+WORKDIR /source
+COPY . ./
+
+# Restore project dependencies and tools
+WORKDIR /source/util/MsSqlMigratorUtility
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Build project
+WORKDIR /source/util/MsSqlMigratorUtility
+RUN . /tmp/rid.txt && dotnet publish \
+    -c release \
+    --no-restore \
+    --self-contained \
+    /p:PublishSingleFile=true \
+    -r $RID \
+    -o out
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:8.0

+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"

-WORKDIR /app
-COPY obj/build-output/publish .
+ENV SSL_CERT_DIR=/etc/bitwarden/ca-certificates

-ENTRYPOINT ["sh", "-c", "dotnet /app/MsSqlMigratorUtility.dll \"${MSSQL_CONN_STRING}\" ${@}", "--" ]
+# Copy app from the build stage
+WORKDIR /app
+COPY --from=build /source/util/MsSqlMigratorUtility/out /app
+
+ENTRYPOINT ["sh", "-c", "/app/MsSqlMigratorUtility \"${MSSQL_CONN_STRING}\" ${@}", "--" ]
--- a/util/Nginx/Dockerfile
+++ b/util/Nginx/Dockerfile
@ -1,20 +1,23 @@
-FROM nginx:stable
+FROM --platform=$BUILDPLATFORM nginx:stable

+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"

+ENV SSL_CERT_DIR=/etc/bitwarden/ca-certificates
+
 RUN apt-get update \
    && apt-get install -y --no-install-recommends \
-        gosu \
-        curl \
+    gosu \
+    curl \
    && rm -rf /var/lib/apt/lists/*

-COPY nginx.conf /etc/nginx
-COPY proxy.conf /etc/nginx
-COPY mime.types /etc/nginx
-COPY security-headers.conf /etc/nginx
-COPY security-headers-ssl.conf /etc/nginx
-COPY logrotate.sh /
-COPY entrypoint.sh /
+COPY util/Nginx/nginx.conf /etc/nginx
+COPY util/Nginx/proxy.conf /etc/nginx
+COPY util/Nginx/mime.types /etc/nginx
+COPY util/Nginx/security-headers.conf /etc/nginx
+COPY util/Nginx/security-headers-ssl.conf /etc/nginx
+COPY util/Nginx/logrotate.sh /
+COPY util/Nginx/entrypoint.sh /

 EXPOSE 8080
 EXPOSE 8443
--- a/util/Server/Dockerfile
+++ b/util/Server/Dockerfile
@ -1,5 +0,0 @@
-FROM mcr.microsoft.com/dotnet/aspnet:8.0
-
-LABEL com.bitwarden.product="bitwarden"
-
-COPY obj/build-output/publish /bitwarden_server
--- a/util/Server/Startup.cs
+++ b/util/Server/Startup.cs
@ -26,7 +26,8 @@ public class Startup

    public void Configure(
        IApplicationBuilder app,
-        IConfiguration configuration)
+        IConfiguration configuration,
+        ILogger<Startup> logger)
    {
        if (configuration.GetValue<bool?>("serveUnknown") ?? false)
        {
@ -44,6 +45,22 @@ public class Startup
        }
        else if (configuration.GetValue<bool?>("webVault") ?? false)
        {
+            var appIdLocation = configuration.GetValue<string>("appIdLocation");
+
+            if (!string.IsNullOrEmpty(appIdLocation))
+            {
+                app.UseRouting();
+                app.UseEndpoints(endpoints =>
+                {
+                    endpoints.MapGet("/app-id.json", async context =>
+                    {
+                        var appId = await File.ReadAllTextAsync(appIdLocation);
+                        context.Response.ContentType = "application/json";
+                        await context.Response.WriteAsync(appId);
+                    });
+                });
+            }
+
            // TODO: This should be removed when asp.net natively support avif
            var provider = new FileExtensionContentTypeProvider { Mappings = { [".avif"] = "image/avif" } };

--- a/util/Setup/Dockerfile
+++ b/util/Setup/Dockerfile
@ -1,16 +1,60 @@
+###############################################
+#                 Build stage                 #
+###############################################
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+    RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+    RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+    RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy required project files
+WORKDIR /source
+COPY . ./
+
+# Restore project dependencies and tools
+WORKDIR /source/util/Setup
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Build project
+WORKDIR /source/util/Setup
+RUN . /tmp/rid.txt && dotnet publish \
+    -c release \
+    --no-restore \
+    --self-contained \
+    /p:PublishSingleFile=true \
+    -r $RID \
+    -o out
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:8.0

+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden" com.bitwarden.project="setup"

+ENV SSL_CERT_DIR=/etc/bitwarden/ca-certificates
+
 RUN apt-get update \
    && apt-get install -y --no-install-recommends \
    openssl \
    gosu \
    && rm -rf /var/lib/apt/lists/*

+# Copy app from the build stage
 WORKDIR /app
-COPY obj/build-output/publish .
-COPY entrypoint.sh /
+COPY --from=build /source/util/Setup/out .
+COPY util/Setup/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh

 ENTRYPOINT ["/entrypoint.sh"]
--- a/util/Setup/entrypoint.sh
+++ b/util/Setup/entrypoint.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash

 # Setup

@ -19,27 +19,31 @@ then
    LGID=65534
 fi

-# Create user and group
+if [ "$(id -u)" = "0" ]
+then
+    # Create user and group

-groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
-groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
-useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
-usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
-mkhomedir_helper $USERNAME
+    groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
+    groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
+    useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
+    usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
+    mkhomedir_helper $USERNAME

-# The rest...
+    # The rest...

-chown -R $USERNAME:$GROUPNAME /app
-mkdir -p /bitwarden/env
-mkdir -p /bitwarden/docker
-mkdir -p /bitwarden/ssl
-mkdir -p /bitwarden/letsencrypt
-mkdir -p /bitwarden/identity
-mkdir -p /bitwarden/nginx
-mkdir -p /bitwarden/ca-certificates
-chown -R $USERNAME:$GROUPNAME /bitwarden
+    chown -R $USERNAME:$GROUPNAME /app
+    mkdir -p /bitwarden/env
+    mkdir -p /bitwarden/docker
+    mkdir -p /bitwarden/ssl
+    mkdir -p /bitwarden/letsencrypt
+    mkdir -p /bitwarden/identity
+    mkdir -p /bitwarden/nginx
+    mkdir -p /bitwarden/ca-certificates
+    chown -R $USERNAME:$GROUPNAME /bitwarden

-cp /bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
-    && update-ca-certificates
+    gosu_cmd="gosu $USERNAME:$GROUPNAME"
+else
+    gosu_cmd=""
+fi

-exec gosu $USERNAME:$GROUPNAME "$@"
+exec $gosu_cmd "$@"