feat: improved docker image volumes and permissions (#5160)

.dockerignore

@@ -1,5 +1,3 @@
 *
 !docker/*
-!healthcheck.sh
-!docker_config.json
 !filebrowser

.goreleaser.yml

@@ -19,31 +19,30 @@ builds:
       - freebsd
     goarch:
       - amd64
-      - 386
+      - "386"
       - arm
       - arm64
       - riscv64
     goarm:
-      - 5
+      - "5"
-      - 6
+      - "6"
-      - 7
+      - "7"
     ignore:
       - goos: darwin
-        goarch: 386
+        goarch: "386"
       - goos: freebsd
         goarch: arm
 
 archives:
-  -
+  - name_template: "{{.Os}}-{{.Arch}}{{if .Arm}}v{{.Arm}}{{end}}-{{ .ProjectName }}"
-    name_template: "{{.Os}}-{{.Arch}}{{if .Arm}}v{{.Arm}}{{end}}-{{ .ProjectName }}"
+    formats: ["tar.gz"]
-    formats: [ 'tar.gz' ]
     format_overrides:
       - goos: windows
-        formats: [ 'zip' ]
+        formats: ["zip"]
 
 dockers:
-  -
+  # Alpine docker images
-    dockerfile: Dockerfile
+  - dockerfile: Dockerfile
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -59,10 +58,8 @@ dockers:
       - "filebrowser/filebrowser:{{ .Tag }}-amd64"
       - "filebrowser/filebrowser:v{{ .Major }}-amd64"
     extra_files:
-      - docker_config.json
+      - docker
-      - healthcheck.sh
+  - dockerfile: Dockerfile
-  -
-    dockerfile: Dockerfile
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -78,10 +75,8 @@ dockers:
       - "filebrowser/filebrowser:{{ .Tag }}-arm64"
       - "filebrowser/filebrowser:v{{ .Major }}-arm64"
     extra_files:
-      - docker_config.json
+      - docker
-      - healthcheck.sh
+  - dockerfile: Dockerfile
-  -
-    dockerfile: Dockerfile
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -93,15 +88,13 @@ dockers:
       - "--platform=linux/arm/v6"
     goos: linux
     goarch: arm
-    goarm: '6'
+    goarm: "6"
     image_templates:
       - "filebrowser/filebrowser:{{ .Tag }}-armv6"
       - "filebrowser/filebrowser:v{{ .Major }}-armv6"
     extra_files:
-      - docker_config.json
+      - docker
-      - healthcheck.sh
+  - dockerfile: Dockerfile
-  -
-    dockerfile: Dockerfile
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -113,16 +106,15 @@ dockers:
       - "--platform=linux/arm/v7"
     goos: linux
     goarch: arm
-    goarm: '7'
+    goarm: "7"
     image_templates:
       - "filebrowser/filebrowser:{{ .Tag }}-armv7"
       - "filebrowser/filebrowser:v{{ .Major }}-armv7"
     extra_files:
-      - docker_config.json
+      - docker
-      - healthcheck.sh
+
-## s6 based docker images
+  ## s6-overlay docker images
-  -
+  - dockerfile: Dockerfile.s6
-    dockerfile: Dockerfile.s6
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -138,10 +130,8 @@ dockers:
       - "filebrowser/filebrowser:{{ .Tag }}-amd64-s6"
       - "filebrowser/filebrowser:v{{ .Major }}-amd64-s6"
     extra_files:
-      - docker/root
+      - docker
-      - healthcheck.sh
+  - dockerfile: Dockerfile.s6.aarch64
-  -
-    dockerfile: Dockerfile.s6.aarch64
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -157,8 +147,8 @@ dockers:
       - "filebrowser/filebrowser:{{ .Tag }}-arm64-s6"
       - "filebrowser/filebrowser:v{{ .Major }}-arm64-s6"
     extra_files:
-      - docker/root
+      - docker
-      - healthcheck.sh
+
 docker_manifests:
   - name_template: "filebrowser/filebrowser:latest"
     image_templates:
@@ -199,11 +189,6 @@ homebrew_casks:
       email: robot@filebrowser.org
     homepage: https://github.com/filebrowser/filebrowser
     description: File Browser is a create-your-own-cloud-kind of software where you can install it on a server, direct it to a path and then access your files through a nice web interface
-    license: "MIT"
-    # make the old formula conflict with the cask:
-    conflicts:
-      - formula: filebrowser
-    # if your app/binary isn't signed and notarized, you'll need this:
     hooks:
       post:
         install: |

Dockerfile

@@ -1,19 +1,33 @@
-FROM alpine:latest
+FROM alpine:3.22
-RUN apk --update add ca-certificates \
-                     mailcap \
-                     curl \
-                     jq
 
-COPY healthcheck.sh /healthcheck.sh
+RUN apk update && \
-RUN chmod +x /healthcheck.sh  # Make the script executable
+  apk --no-cache add ca-certificates mailcap curl jq tini
 
-HEALTHCHECK --start-period=2s --interval=5s --timeout=3s \
+# Make user and create necessary directories
-    CMD /healthcheck.sh || exit 1
+ENV UID=1000
+ENV GID=1000
+
+RUN addgroup -g $GID user && \
+  adduser -D -u $UID -G user user && \
+  mkdir -p /config /database /srv && \
+  chown -R user:user /config /database /srv
+
+# Copy files and set permissions
+COPY filebrowser /bin/filebrowser
+COPY docker/common/ /
+COPY docker/alpine/ /
+
+RUN chown -R user:user /bin/filebrowser /defaults healthcheck.sh init.sh
+
+# Define healthcheck script
+HEALTHCHECK --start-period=2s --interval=5s --timeout=3s CMD /healthcheck.sh
+
+# Set the user, volumes and exposed ports
+USER user
+
+VOLUME /srv /config /database
 
-VOLUME /srv
 EXPOSE 80
 
-COPY docker_config.json /.filebrowser.json
+ENTRYPOINT [ "tini", "--", "/init.sh" ]
-COPY filebrowser /filebrowser
+CMD [ "filebrowser", "--config", "/config/settings.json" ]
-
-ENTRYPOINT [ "/filebrowser" ]

Dockerfile.s6

@@ -1,21 +1,23 @@
-FROM ghcr.io/linuxserver/baseimage-alpine:3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:3.22
 
-RUN apk --update add ca-certificates \
+RUN apk update && \
-                     mailcap \
+  apk --no-cache add ca-certificates mailcap curl jq
-                     curl \
-                     jq
 
-COPY healthcheck.sh /healthcheck.sh
+# Make user and create necessary directories
-RUN chmod +x /healthcheck.sh  # Make the script executable
+RUN mkdir -p /config /database /srv && \
+  chown -R abc:abc /config /database /srv
 
-HEALTHCHECK --start-period=2s --interval=5s --timeout=3s \
+# Copy files and set permissions
-    CMD /healthcheck.sh || exit 1
+COPY filebrowser /bin/filebrowser
+COPY docker/common/ /
+COPY docker/s6/ /
 
-# copy local files
+RUN chown -R abc:abc /bin/filebrowser /defaults healthcheck.sh
-COPY docker/root/ /
-RUN ln -s /config/settings.json /.filebrowser.json
-COPY filebrowser /usr/bin/filebrowser
 
-# ports and volumes
+# Define healthcheck script
+HEALTHCHECK --start-period=2s --interval=5s --timeout=3s CMD /healthcheck.sh
+
+# Set the volumes and exposed ports
 VOLUME /srv /config /database
+
 EXPOSE 80

Dockerfile.s6.aarch64

@@ -1,21 +1,23 @@
-FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.22
 
-RUN apk --update add ca-certificates \
+RUN apk update && \
-                     mailcap \
+  apk --no-cache add ca-certificates mailcap curl jq
-                     curl \
-                     jq
 
-COPY healthcheck.sh /healthcheck.sh
+# Make user and create necessary directories
-RUN chmod +x /healthcheck.sh  # Make the script executable
+RUN mkdir -p /config /database /srv && \
+  chown -R abc:abc /config /database /srv
 
-HEALTHCHECK --start-period=2s --interval=5s --timeout=3s \
+# Copy files and set permissions
-    CMD /healthcheck.sh || exit 1
+COPY filebrowser /bin/filebrowser
+COPY docker/common/ /
+COPY docker/s6/ /
 
-# copy local files
+RUN chown -R abc:abc /bin/filebrowser /defaults healthcheck.sh
-COPY docker/root/ /
-RUN ln -s /config/settings.json /.filebrowser.json
-COPY filebrowser /usr/bin/filebrowser
 
-# ports and volumes
+# Define healthcheck script
+HEALTHCHECK --start-period=2s --interval=5s --timeout=3s CMD /healthcheck.sh
+
+# Set the volumes and exposed ports
 VOLUME /srv /config /database
+
 EXPOSE 80

docker/alpine/init.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+set -e
+
+# Backwards compatibility for old Docker image
+if [ -f "/.filebrowser.json" ]; then
+  ln -s /.filebrowser.json /config/settings.json
+
+  echo ""
+  echo "!!!!!!!!!!!!!!!!!!!!! IMPORTANT INFORMATION !!!!!!!!!!!!!!!!!!!!!"
+  echo "Symlinking /.filebrowser.json to /config/settings.json for backwards compatibility."
+  echo ""
+  echo "The volume mount configuration has changed in the latest release."
+  echo "Please rename .filebrowser.json to settings.json and mount the parent directory to /config".
+  echo "Read more on https://github.com/filebrowser/filebrowser/blob/master/docs/installation.md#docker"
+  echo ""
+  echo "This workaround will be removed in a future release."
+  echo ""
+fi
+
+# Backwards compatibility for old Docker image
+if [ -f "/database.db" ]; then
+  ln -s /database.db /database/filebrowser.db
+  
+  echo ""
+  echo "!!!!!!!!!!!!!!!!!!!!! IMPORTANT INFORMATION !!!!!!!!!!!!!!!!!!!!!"
+  echo ""
+  echo "The volume mount configuration has changed in the latest release."
+  echo "Please rename database.db to filebrowser.db and mount the parent directory to /database".
+  echo "Read more on https://github.com/filebrowser/filebrowser/blob/master/docs/installation.md#docker"
+  echo ""
+  echo "This workaround will be removed in a future release."
+  echo ""
+fi
+
+# Ensure configuration exists
+if [ ! -f "/config/settings.json" ]; then
+  cp -a /defaults/settings.json /config/settings.json
+fi
+
+exec "$@"

docker/common/healthcheck.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+PORT=${FB_PORT:-$(jq -r .port /config/settings.json)}
+ADDRESS=${FB_ADDRESS:-$(jq -r .address /config/settings.json)}
+ADDRESS=${ADDRESS:-localhost}
+
+curl -f http://$ADDRESS:$PORT/health || exit 1

docker/root/etc/services.d/filebrowser/run

@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-exec s6-setuidgid abc filebrowser -c /config/settings.json -d /database/filebrowser.db;

docker/s6/custom-cont-init.d/20-config

@@ -1,9 +1,6 @@
 #!/usr/bin/with-contenv bash
 
-# make folders
+# Ensure configuration exists
-mkdir -p /database
-
-# copy config
 if [ ! -f "/config/settings.json" ]; then
   cp -a /defaults/settings.json /config/settings.json
 fi

docker/s6/etc/services.d/filebrowser/run

@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+
+exec s6-setuidgid abc filebrowser -c /config/settings.json;

docs/installation.md

@@ -46,23 +46,12 @@ File Browser is available as two different Docker images, which can be found on
 ```sh
 docker run \
   -v /path/to/srv:/srv \
-  -v /path/to/filebrowser.db:/database.db \
+  -v /path/to/database:/database \
-  -v /path/to/.filebrowser.json:/.filebrowser.json \
+  -v /path/to/config:/config \
-  -u $(id -u):$(id -g) \
   -p 8080:80 \
   filebrowser/filebrowser
 ```
 
-Where:
-
-- `/path/to/srv` contains the files root directory for File Browser
-- `/path/to/filebrowser.db` is the `database.db`
-- `/path/to/database` is the `.filebrowser.json`
-
-> [!Warning]
->
-> To use this image correctly, you need to first initialize a File Browser database outside of the Docker image and then start the Docker image with the database mounted. Otherwise, Docker will create an empty directory at the mounting point and fail to start.
-
 ### s6 overlay
 
 The `s6` image is based on LinuxServer and leverages the [s6-overlay](https://github.com/just-containers/s6-overlay) system for a standard, highly customizable image. It should be used as follows:
@@ -78,8 +67,12 @@ docker run \
   filebrowser/filebrowser:s6
 ```
 
+### Notes
+
 Where:
 
 - `/path/to/srv` contains the files root directory for File Browser
 - `/path/to/config` contains a `settings.json` file
 - `/path/to/database` contains a `filebrowser.db` file
+
+Both `settings.json` and `filebrowser.db` will automatically be initialized if they don't exist.

healthcheck.sh

@@ -1,5 +0,0 @@
-#!/bin/sh
-PORT=${FB_PORT:-$(jq -r .port /.filebrowser.json)}
-ADDRESS=${FB_ADDRESS:-$(jq -r .address /.filebrowser.json)}
-ADDRESS=${ADDRESS:-localhost}
-curl -f http://$ADDRESS:$PORT/health || exit 1

settings.json

@@ -3,6 +3,6 @@
   "baseURL": "",
   "address": "",
   "log": "stdout",
-  "database": "/database.db",
+  "database": "/database/filebrowser.db",
   "root": "/srv"
 }