From 2f520494cc1d995740c9f5e99f40f4b16acc43b8 Mon Sep 17 00:00:00 2001
From: Massimiliano Cannarozzo
Date: Tue, 9 Dec 2025 23:14:42 +0100
Subject: [PATCH 1/3] Reduce layers
---
 airconnect/Dockerfile | 10 +++++-----
 caddy/Dockerfile | 4 ++--
 cloudflared/Dockerfile | 4 ++--
 openvpn/Dockerfile | 4 ++--
 subliminal/Dockerfile | 4 ++--
 5 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/airconnect/Dockerfile b/airconnect/Dockerfile
index 864cf2f..a0fb43f 100644
--- a/airconnect/Dockerfile
+++ b/airconnect/Dockerfile
@@ -8,11 +8,11 @@ ENV ARCH=${TARGETARCH/amd64/x86_64}
 ENV ARCH=${ARCH/386/x86}
 ENV ARCH=${ARCH/arm64/aarch64}
-RUN wget -qO airconnect.zip $(wget -qO- https://api.github.com/repos/philippe44/AirConnect/releases | jq -r '[.[].assets[] | select( .name | test("AirConnect*"; "i"))][0] | .browser_download_url')
-RUN unzip airconnect.zip -d /usr/bin aircast-${TARGETOS}-${ARCH}-static airupnp-${TARGETOS}-${ARCH}-static
-RUN mv "/usr/bin/aircast-${TARGETOS}-${ARCH}-static" /usr/bin/aircast
-RUN mv "/usr/bin/airupnp-${TARGETOS}-${ARCH}-static" /usr/bin/airupnp
-RUN chmod u+x /usr/bin/aircast /usr/bin/airupnp
+RUN wget -qO airconnect.zip $(wget -qO- https://api.github.com/repos/philippe44/AirConnect/releases | jq -r '[.[].assets[] | select( .name | test("AirConnect*"; "i"))][0] | .browser_download_url') \
+ && unzip airconnect.zip -d /usr/bin aircast-${TARGETOS}-${ARCH}-static airupnp-${TARGETOS}-${ARCH}-static \
+ && mv "/usr/bin/aircast-${TARGETOS}-${ARCH}-static" /usr/bin/aircast \
+ && mv "/usr/bin/airupnp-${TARGETOS}-${ARCH}-static" /usr/bin/airupnp \
+ && chmod u+x /usr/bin/aircast /usr/bin/airupnp
 FROM alpine
 LABEL maintainer="Massimiliano Cannarozzo "
diff --git a/caddy/Dockerfile b/caddy/Dockerfile
index 6f93bc5..376094d 100644
--- a/caddy/Dockerfile
+++ b/caddy/Dockerfile
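Review bot: In airconnect/Dockerfile the merged `RUN` still downloads whichever asset the GitHub releases API lists first on build day and unpacks it into /usr/bin with no pinned tag and no digest check; the caddy and cloudflared hunks of this patch do the same. Pin the release and verify the archive before the `unzip` step, e.g. declare `ARG AIRCONNECT_SHA256=<expected-sha256>` and add `&& echo "${AIRCONNECT_SHA256}  airconnect.zip" | sha256sum -c - \` right after the download. For caddy this means saving the tarball to a file first, since the current pipe into `tar` leaves nothing to hash. The build stage's `FROM` and `apk add` lines are outside this hunk.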
@@ -4,8 +4,8 @@ RUN apk add --no-cache --update jq
 ARG TARGETOS TARGETARCH TARGETVARIANT
-RUN wget -qO- $(wget -qO- https://api.github.com/repos/caddyserver/caddy/releases | jq -r '[.[].assets[] | select( .name | test("caddy_.*_'${TARGETOS}'_'${TARGETARCH}${TARGETVARIANT}'.tar.gz"; "i"))][0] | .browser_download_url') | tar -xz -C /usr/bin caddy
-RUN chmod u+x /usr/bin/caddy
+RUN wget -qO- $(wget -qO- https://api.github.com/repos/caddyserver/caddy/releases | jq -r '[.[].assets[] | select( .name | test("caddy_.*_'${TARGETOS}'_'${TARGETARCH}${TARGETVARIANT}'.tar.gz"; "i"))][0] | .browser_download_url') | tar -xz -C /usr/bin caddy \
+ && chmod u+x /usr/bin/caddy
 FROM alpine
 LABEL maintainer="Massimiliano Cannarozzo "
diff --git a/cloudflared/Dockerfile b/cloudflared/Dockerfile
index f0b5791..83f4652 100644
--- a/cloudflared/Dockerfile
+++ b/cloudflared/Dockerfile
@@ -4,8 +4,8 @@ RUN apk add --no-cache --update jq
 ARG TARGETOS TARGETARCH
-RUN wget -qO /usr/bin/cloudflared $(wget -qO- https://api.github.com/repos/cloudflare/cloudflared/releases | jq -r '[.[].assets[] | select( .name | test("cloudflared-'${TARGETOS}'-'${TARGETARCH}'"; "i"))][0] | .browser_download_url')
-RUN chmod u+x /usr/bin/cloudflared
+RUN wget -qO /usr/bin/cloudflared $(wget -qO- https://api.github.com/repos/cloudflare/cloudflared/releases | jq -r '[.[].assets[] | select( .name | test("cloudflared-'${TARGETOS}'-'${TARGETARCH}'"; "i"))][0] | .browser_download_url') \
+ && chmod u+x /usr/bin/cloudflared
 FROM alpine
 LABEL maintainer="Massimiliano Cannarozzo "
diff --git a/openvpn/Dockerfile b/openvpn/Dockerfile
index 4d37b49..313f9df 100644
--- a/openvpn/Dockerfile
+++ b/openvpn/Dockerfile
@@ -3,8 +3,8 @@ LABEL maintainer="Massimiliano Cannarozzo "
 RUN apk add --no-cache --update openvpn iptables openssl
-ADD ./run /sbin/run
-ADD ./server.conf /etc/openvpn/server.conf.dist
+COPY ./run /sbin/run
+COPY ./server.conf /etc/openvpn/server.conf.dist
 VOLUME /etc/openvpn
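Review bot: In cloudflared/Dockerfile the jq filter `test("cloudflared-'${TARGETOS}'-'${TARGETARCH}'"; "i")` is unanchored, so it also accepts longer asset names that merely contain the same text (for example an `arm` build matching an `arm64` asset, or a packaged variant with a file extension), and `[0]` then takes whichever is listed first. The result is written straight to /usr/bin/cloudflared and made executable. Anchor the pattern, `test("^cloudflared-'${TARGETOS}'-'${TARGETARCH}'$"; "i")`, so only the exact bare binary name is accepted. Which extra assets upstream publishes is not visible here, so the examples are assumptions to confirm.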
diff --git a/subliminal/Dockerfile b/subliminal/Dockerfile
index 236db17..603793f 100644
--- a/subliminal/Dockerfile
+++ b/subliminal/Dockerfile
@@ -1,8 +1,8 @@
 FROM python:alpine
 LABEL maintainer="Massimiliano Cannarozzo "
-RUN pip install --upgrade pip
-RUN pip install subliminal
+RUN pip install --no-cache-dir --upgrade pip \
+ && pip install --no-cache-dir subliminal
 ENTRYPOINT ["subliminal"]
 CMD ["--help"]
From 0248da1bab654ebd6f33f4afe426f1d0a0d107f8 Mon Sep 17 00:00:00 2001
From: Massimiliano Cannarozzo
Date: Tue, 9 Dec 2025 23:17:37 +0100
Subject: [PATCH 2/3] Use home dir
---
 transmission/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/transmission/Dockerfile b/transmission/Dockerfile
index 905844b..d8687b0 100644
--- a/transmission/Dockerfile
+++ b/transmission/Dockerfile
@@ -4,7 +4,7 @@ LABEL maintainer="Massimiliano Cannarozzo "
 RUN apk add --no-cache --update transmission-daemon curl transmission-cli docker-cli bash jq
 RUN wget -qO- https://github.com/Secretmapper/combustion/archive/release.tar.gz | tar -xz -C $HOME
-ENV TRANSMISSION_WEB_HOME="/root/combustion-release"
+ENV TRANSMISSION_WEB_HOME="/$HOME/combustion-release"
 ENTRYPOINT ["transmission-daemon"]
 CMD ["-h"]
From c26c257e5bfca431e6937d0b6dae7005f5f07e02 Mon Sep 17 00:00:00 2001
From: Massimiliano Cannarozzo
Date: Tue, 9 Dec 2025 23:18:12 +0100
Subject: [PATCH 3/3] Drop privileges
---
 airconnect/Dockerfile | 7 +++++++
 caddy/Dockerfile | 7 +++++++
 cloudflared/Dockerfile | 7 +++++++
 ffmpeg/Dockerfile | 6 ++++++
 minidlna/Dockerfile | 6 ++++++
 subliminal/Dockerfile | 6 ++++++
 transmission/Dockerfile | 6 ++++++
 7 files changed, 45 insertions(+)
diff --git a/airconnect/Dockerfile b/airconnect/Dockerfile
index a0fb43f..1f97cd2 100644
--- a/airconnect/Dockerfile
+++ b/airconnect/Dockerfile
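Review bot: In subliminal/Dockerfile (patch 1/3) both pip calls in the merged `RUN` resolve to whatever PyPI serves on build day, so two builds of the same commit can ship different code; `--no-cache-dir` does not change that. Pin the application, e.g. `&& pip install --no-cache-dir subliminal==<pinned-version>`, ideally from a requirements file installed with `--require-hashes`. The `pip install --upgrade pip` step can then go in favour of a versioned base tag, since the `FROM python:alpine` context line floats in the same way.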
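Review bot: In transmission/Dockerfile (patch 2/3) `$HOME` inside an `ENV` instruction is substituted by the builder from variables declared with `ENV` or `ARG`, not from the shell environment that the `RUN ... tar -xz -C $HOME` line sees. Unless the base image declares `HOME` (nothing in this hunk does), the new value becomes `//combustion-release` while the UI was unpacked under root's home, and the added leading `/` doubles the slash even where it does expand. Unpack to a fixed location and reference it literally, e.g. `... | tar -xz -C /opt` together with `ENV TRANSMISSION_WEB_HOME="/opt/combustion-release"`. The archive is also a branch tarball fetched without a checksum, so its content can change between builds.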
@@ -16,9 +16,16 @@ RUN wget -qO airconnect.zip $(wget -qO- https://api.github.com/repos/philippe44/
 FROM alpine
 LABEL maintainer="Massimiliano Cannarozzo "
+
+ARG PUID=1000
+ARG PGID=1000
+RUN addgroup -S -g ${PGID} app && adduser -S -u ${PUID} -G app app
+
 COPY --from=build /usr/bin/aircast /usr/bin/aircast
 COPY --from=build /usr/bin/airupnp /usr/bin/airupnp
+USER app
+
 ENTRYPOINT ["aircast"]
 CMD ["-h"]
diff --git a/caddy/Dockerfile b/caddy/Dockerfile
index 376094d..cc8fe6d 100644
--- a/caddy/Dockerfile
+++ b/caddy/Dockerfile
@@ -9,7 +9,14 @@ RUN wget -qO- $(wget -qO- https://api.github.com/repos/caddyserver/caddy/release
 FROM alpine
 LABEL maintainer="Massimiliano Cannarozzo "
+
+ARG PUID=1000
+ARG PGID=1000
+RUN addgroup -S -g ${PGID} app && adduser -S -u ${PUID} -G app app
+
 COPY --from=build /usr/bin/caddy /usr/bin/caddy
+USER app
+
 ENTRYPOINT ["caddy"]
 CMD ["help"]
diff --git a/cloudflared/Dockerfile b/cloudflared/Dockerfile
index 83f4652..2b18271 100644
--- a/cloudflared/Dockerfile
+++ b/cloudflared/Dockerfile
@@ -9,7 +9,14 @@ RUN wget -qO /usr/bin/cloudflared $(wget -qO- https://api.github.com/repos/cloud
 FROM alpine
 LABEL maintainer="Massimiliano Cannarozzo "
+
+ARG PUID=1000
+ARG PGID=1000
+RUN addgroup -S -g ${PGID} app && adduser -S -u ${PUID} -G app app
+
 COPY --from=build /usr/bin/cloudflared /usr/bin/cloudflared
+USER app
+
 ENTRYPOINT ["cloudflared"]
 CMD ["-h"]
diff --git a/ffmpeg/Dockerfile b/ffmpeg/Dockerfile
index 5b4d17e..fd07e48 100644
--- a/ffmpeg/Dockerfile
+++ b/ffmpeg/Dockerfile
@@ -1,7 +1,13 @@
 FROM alpine
 LABEL maintainer="Massimiliano Cannarozzo "
+ARG PUID=1000
+ARG PGID=1000
+RUN addgroup -S -g ${PGID} app && adduser -S -u ${PUID} -G app app
+
 RUN apk add --no-cache --update ffmpeg
+USER app
+
 ENTRYPOINT ["ffmpeg"]
 CMD ["-h"]
diff --git a/minidlna/Dockerfile b/minidlna/Dockerfile
index 9147306..8f0712c 100644
--- a/minidlna/Dockerfile
+++ b/minidlna/Dockerfile
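Review bot: In airconnect/Dockerfile (patch 3/3) the binaries copied from the build stage stay owned by root after `USER app` and were only given the owner execute bit there (`chmod u+x`, see patch 1/3), so `app` may not be able to run the entrypoint. For cloudflared this is close to certain, because wget creates the file without any execute bit; for airconnect and caddy it depends on the modes stored in the archives. Set the mode at copy time, `COPY --from=build --chmod=0755 /usr/bin/aircast /usr/bin/aircast` (likewise airupnp, and the caddy and cloudflared hunks of this patch), or switch the build stage to `chmod 0755`. The build stage itself is outside this hunk.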
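Review bot: In ffmpeg/Dockerfile `USER app` stores a user name in the image config, and runtimes that enforce a non-root policy from image metadata (Kubernetes `runAsNonRoot`) cannot verify a name and will refuse to start the container. The IDs are already build arguments, so write `USER ${PUID}:${PGID}` here and in the other six Dockerfiles touched by this patch. A comment above the `ARG` lines such as `# uid/gid are fixed at build time; rebuild with --build-arg PUID=... to change` would also stop users expecting a runtime PUID variable.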
@@ -1,7 +1,13 @@
 FROM alpine
 LABEL maintainer="Massimiliano Cannarozzo "
+ARG PUID=1000
+ARG PGID=1000
+RUN addgroup -S -g ${PGID} app && adduser -S -u ${PUID} -G app app
+
 RUN apk add --no-cache --update minidlna
+USER app
+
 ENTRYPOINT ["minidlnad"]
 CMD ["-h"]
diff --git a/subliminal/Dockerfile b/subliminal/Dockerfile
index 603793f..279c2b7 100644
--- a/subliminal/Dockerfile
+++ b/subliminal/Dockerfile
@@ -1,8 +1,14 @@
 FROM python:alpine
 LABEL maintainer="Massimiliano Cannarozzo "
+ARG PUID=1000
+ARG PGID=1000
+RUN addgroup -S -g ${PGID} app && adduser -S -u ${PUID} -G app app
+
 RUN pip install --no-cache-dir --upgrade pip \
  && pip install --no-cache-dir subliminal
+USER app
+
 ENTRYPOINT ["subliminal"]
 CMD ["--help"]
diff --git a/transmission/Dockerfile b/transmission/Dockerfile
index d8687b0..0b5f582 100644
--- a/transmission/Dockerfile
+++ b/transmission/Dockerfile
@@ -1,8 +1,14 @@
 FROM alpine
 LABEL maintainer="Massimiliano Cannarozzo "
+ARG PUID=1000
+ARG PGID=1000
+RUN addgroup -S -g ${PGID} app && adduser -S -u ${PUID} -G app app
+
 RUN apk add --no-cache --update transmission-daemon curl transmission-cli docker-cli bash jq
+USER app
+
 RUN wget -qO- https://github.com/Secretmapper/combustion/archive/release.tar.gz | tar -xz -C $HOME
 ENV TRANSMISSION_WEB_HOME="/$HOME/combustion-release"
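Review bot: In transmission/Dockerfile `USER app` is placed before the `RUN wget ... | tar -xz -C $HOME` step, so the web UI is unpacked as `app` into that user's home and the daemon's own account can rewrite the files it serves. Move `USER app` below the `ENV TRANSMISSION_WEB_HOME=...` line and unpack as root into a fixed, root-owned path such as `/opt`; that also keeps the UI path independent of `$HOME`, which an `ENV` instruction does not take from the shell. The image installs `docker-cli` as well; if anything in the container talks to a mounted Docker socket, confirm it still works as `app`, since the callers are not visible in this hunk.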