From 37fc39743e3a987eeafb6919e6f0ea3ab59728d7 Mon Sep 17 00:00:00 2001 From: Ivan P <2119240+i5okie@users.noreply.github.com> Date: Wed, 19 Nov 2025 14:19:27 -0800 Subject: [PATCH 1/8] Add rootless dockerfile templates Signed-off-by: Ivan P <2119240+i5okie@users.noreply.github.com> --- Dockerfile.rootless-builder.tmpl | 47 +++++++++++++++++ Dockerfile.rootless.tmpl | 86 ++++++++++++++++++++++++++++++++ 2 files changed, 133 insertions(+) create mode 100644 Dockerfile.rootless-builder.tmpl create mode 100644 Dockerfile.rootless.tmpl diff --git a/Dockerfile.rootless-builder.tmpl b/Dockerfile.rootless-builder.tmpl new file mode 100644 index 0000000..b074faa --- /dev/null +++ b/Dockerfile.rootless-builder.tmpl 
@@ -0,0 +1,47 @@
+{{ .base | strings.TrimSpace }}
+
+RUN apk add --no-cache \
+ ca-certificates \
+ git \
+ libcap
+
+ENV XCADDY_VERSION v{{ .xcaddy_config.version }}
+# Configures xcaddy to build with this version of Caddy
+ENV CADDY_VERSION v{{ .config.caddy_version }}
+# Configures xcaddy to not clean up post-build (unnecessary in a container)
+ENV XCADDY_SKIP_CLEANUP 1
+
+RUN set -eux; \
+ apkArch="$(apk --print-arch)"; \
+ case "$apkArch" in \
+ x86_64) binArch='amd64'; checksum='{{ .xcaddy_checksums.amd64 }}' ;; \
+ armhf) binArch='armv6'; checksum='{{ .xcaddy_checksums.arm32v6 }}' ;; \
+ armv7) binArch='armv7'; checksum='{{ .xcaddy_checksums.arm32v7 }}' ;; \
+ aarch64) binArch='arm64'; checksum='{{ .xcaddy_checksums.arm64v8 }}' ;; \
+ ppc64el|ppc64le) binArch='ppc64le'; checksum='{{ .xcaddy_checksums.ppc64le }}' ;; \
+ riscv64) binArch='riscv64'; checksum='{{ .xcaddy_checksums.riscv64 }}' ;; \
+ s390x) binArch='s390x'; checksum='{{ .xcaddy_checksums.s390x }}' ;; \
+ *) echo >&2 "error: unsupported architecture ($apkArch)"; exit 1 ;;\
+ esac; \
+ wget -O /tmp/xcaddy.tar.gz "https://github.com/caddyserver/xcaddy/releases/download/v{{ .xcaddy_config.version }}/xcaddy_{{ .xcaddy_config.version }}_linux_${binArch}.tar.gz"; \
+ echo "$checksum /tmp/xcaddy.tar.gz" | sha512sum -c; \
+ tar x -z -f /tmp/xcaddy.tar.gz -C /usr/bin xcaddy; \
+ rm -f /tmp/xcaddy.tar.gz; \
+ chmod +x /usr/bin/xcaddy;
+
+COPY caddy-builder.sh /usr/bin/caddy-builder
+
+# Create non-root user with UID 1001 and root group (GID 0)
+# OpenShift will override the UID but keep GID=0
+RUN adduser -D -u 1001 -g 0 -H -h /usr/bin caddy
+
+# Set ownership to 1001:0 (user:root-group) for OpenShift compatibility
+RUN chown -R 1001:0 /usr/bin/xcaddy /usr/bin/caddy-builder
+
+# Make directories writable by the root group for OpenShift compatibility
+RUN chmod -R g+w /usr/bin
+
+WORKDIR /usr/bin
+
+# Switch to non-root user
+USER 1001
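Review bot: `RUN chmod -R g+w /usr/bin` makes every file under `/usr/bin` writable by GID 0, the group the comments say the runtime user keeps, and `RUN chown -R 1001:0 /usr/bin/xcaddy /usr/bin/caddy-builder` hands the two executables to UID 1001, so the unprivileged build process can replace the tools it runs. Keeping the binaries root-owned and giving the build its own writable directory preserves the point of a rootless image, e.g. `RUN mkdir -p /build && chown 1001:0 /build && chmod g+rwx /build` followed by `WORKDIR /build`. Separately, BusyBox `adduser -g` sets the GECOS field rather than the group, so `-g 0` in the `adduser` line presumably does not place the user in GID 0 as the comment claims; `-G root` is the group option.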
diff --git a/Dockerfile.rootless.tmpl b/Dockerfile.rootless.tmpl
new file mode 100644
index 0000000..e0bdcd3
--- /dev/null
+++ b/Dockerfile.rootless.tmpl
@@ -0,0 +1,86 @@ +{{ .base | strings.TrimSpace }} + +RUN apk add --no-cache \ + ca-certificates \ + libcap \ + mailcap + +RUN set -eux; \ + mkdir -p \ + /config/caddy \ + /data/caddy \ + /etc/caddy \ + /usr/share/caddy \ + ; \ + wget -O /etc/caddy/Caddyfile "https://github.com/caddyserver/dist/raw/{{ .config.dist_commit }}/config/Caddyfile"; \ + wget -O /usr/share/caddy/index.html "https://github.com/caddyserver/dist/raw/{{ .config.dist_commit }}/welcome/index.html"; \ + sed -i 's/:80/:{\$CADDY_HTTP_PORT:8080}/g' /etc/caddy/Caddyfile + +# https://github.com/caddyserver/caddy/releases +ENV CADDY_VERSION v{{ .config.caddy_version }} + +RUN set -eux; \ + apkArch="$(apk --print-arch)"; \ + case "$apkArch" in \ + x86_64) binArch='amd64'; checksum='{{ .checksums.amd64 }}' ;; \ + armhf) binArch='armv6'; checksum='{{ .checksums.arm32v6 }}' ;; \ + armv7) binArch='armv7'; checksum='{{ .checksums.arm32v7 }}' ;; \ + aarch64) binArch='arm64'; checksum='{{ .checksums.arm64v8 }}' ;; \ + ppc64el|ppc64le) binArch='ppc64le'; checksum='{{ .checksums.ppc64le }}' ;; \ + riscv64) binArch='riscv64'; checksum='{{ .checksums.riscv64 }}' ;; \ + s390x) binArch='s390x'; checksum='{{ .checksums.s390x }}' ;; \ + *) echo >&2 "error: unsupported architecture ($apkArch)"; exit 1 ;;\ + esac; \ + wget -O /tmp/caddy.tar.gz "https://github.com/caddyserver/caddy/releases/download/v{{ .config.caddy_version }}/caddy_{{ .config.caddy_version }}_linux_${binArch}.tar.gz"; \ + echo "$checksum /tmp/caddy.tar.gz" | sha512sum -c; \ + tar x -z -f /tmp/caddy.tar.gz -C /usr/bin caddy; \ + rm -f /tmp/caddy.tar.gz; \ + chmod +x /usr/bin/caddy; \ + caddy version + +# Create non-root user with UID 1001 and root group (GID 0) +# OpenShift will override the UID but keep GID=0 +# The -D flag creates a system user without password +# The -H flag prevents creating a home directory +RUN adduser -D -u 1001 -g 0 -H -h /data caddy + +# Set ownership to 1001:0 (user:root-group) for OpenShift compatibility +# OpenShift assigns 
arbitrary UIDs but always uses GID=0 (root group) +# The root group has no special privileges despite the name +RUN chown -R 1001:0 /data /config /etc/caddy /usr/share/caddy /usr/bin/caddy + +# Make directories writable by the root group for OpenShift compatibility +RUN chmod -R g+w /data /config /etc/caddy /usr/share/caddy + +# See https://caddyserver.com/docs/conventions#file-locations for details +ENV XDG_CONFIG_HOME /config +ENV XDG_DATA_HOME /data + +# Set default HTTP and HTTPS ports to non-privileged ports for rootless operation +ENV CADDY_HTTP_PORT=8080 +ENV CADDY_HTTPS_PORT=8443 + +LABEL org.opencontainers.image.version=v{{ .config.caddy_version }} +LABEL org.opencontainers.image.title=Caddy +LABEL org.opencontainers.image.description="a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go (rootless)" +LABEL org.opencontainers.image.url=https://caddyserver.com +LABEL org.opencontainers.image.documentation=https://caddyserver.com/docs +LABEL org.opencontainers.image.vendor="Light Code Labs" +LABEL org.opencontainers.image.licenses=Apache-2.0 +LABEL org.opencontainers.image.source="https://github.com/caddyserver/caddy-docker" + +# Expose non-privileged ports (rootless containers cannot bind to ports < 1024) +# Configure these ports in your Caddyfile with http_port and https_port directives +# 8080: HTTP, 8443: HTTPS (TCP), 8443/udp: HTTP/3 (QUIC), 2019: Admin API +EXPOSE 8080 +EXPOSE 8443 +EXPOSE 8443/udp +EXPOSE 2019 + +WORKDIR /srv + +# Switch to non-root user +# OpenShift will override this UID with an arbitrary one, but keep GID=0 +USER 1001 + +CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"] From 065494bede76d3da47ba84a35ed00b5c7947de40 Mon Sep 17 00:00:00 2001 From: Ivan P <2119240+i5okie@users.noreply.github.com> Date: Wed, 19 Nov 2025 14:20:52 -0800 Subject: [PATCH 2/8] Update makefile, stackbrew and render template 
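Review bot: The `sed -i 's/:80/:{\$CADDY_HTTP_PORT:8080}/g'` line rewrites every `:80` substring in the downloaded Caddyfile, not only the site address, so any `:8080` or quoted `":80"` in that file's comments or proxy examples would be mangled as well (the fetched file is not on this page, so this is inferred from the pattern alone). Anchoring the match to the site line avoids that, e.g. `sed -i 's/^:80 {/:{\$CADDY_HTTP_PORT:8080} {/' /etc/caddy/Caddyfile`, assuming the upstream site block opens with `:80 {`. `ENV CADDY_HTTPS_PORT=8443` is set but nothing in this template reads it, so the HTTPS port stays at Caddy's default unless the user sets `https_port` themselves. `libcap` is also installed although no `setcap` call appears in the template, which adds a package the image does not visibly need.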
Signed-off-by: Ivan P <2119240+i5okie@users.noreply.github.com> --- Makefile | 4 +++- render-dockerfiles.tmpl | 6 +++++- stackbrew-config.yaml | 10 +++++++++- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 5b5c19a..5f01aee 100644 --- a/Makefile +++ b/Makefile @@ -3,11 +3,13 @@ all: gen-dockerfiles library/caddy .github/dependabot.yml -gen-dockerfiles: render-dockerfiles.tmpl Dockerfile.tmpl Dockerfile.builder.tmpl Dockerfile.windows.tmpl Dockerfile.windows-builder.tmpl Dockerfile.nanoserver.tmpl */*/Dockerfile.base +gen-dockerfiles: render-dockerfiles.tmpl Dockerfile.tmpl Dockerfile.builder.tmpl Dockerfile.rootless.tmpl Dockerfile.rootless-builder.tmpl Dockerfile.windows.tmpl Dockerfile.windows-builder.tmpl Dockerfile.nanoserver.tmpl */*/Dockerfile.base @gomplate \ --plugin getChecksums=./getChecksums.sh \ -t dockerfile=Dockerfile.tmpl \ -t builder-dockerfile=Dockerfile.builder.tmpl \ + -t rootless-dockerfile=Dockerfile.rootless.tmpl \ + -t rootless-builder-dockerfile=Dockerfile.rootless-builder.tmpl \ -t windows-dockerfile=Dockerfile.windows.tmpl \ -t windows-builder-dockerfile=Dockerfile.windows-builder.tmpl \ -t nanoserver-dockerfile=Dockerfile.nanoserver.tmpl \ diff --git a/render-dockerfiles.tmpl b/render-dockerfiles.tmpl index 451f8eb..3eb3aa0 100644 --- a/render-dockerfiles.tmpl +++ b/render-dockerfiles.tmpl @@ -10,6 +10,10 @@ {{- $template := "dockerfile" }} {{- if eq "builder" $variant.dir -}} {{ $template = "builder-dockerfile" -}} + {{- else if eq "rootless" $variant.dir -}} + {{ $template = "rootless-dockerfile" -}} + {{- else if eq "rootless-builder" $variant.dir -}} + {{ $template = "rootless-builder-dockerfile" -}} {{ end -}} {{- if strings.HasPrefix "windows-builder" $variant.dir -}} {{ $template = "windows-builder-dockerfile" -}} 
@@ -24,7 +28,7 @@ Rendering {{ $outPath }} with template {{ $template }}...{{ "\n" -}} {{- tmpl.Exec $template $ctx | file.Write $outPath -}} - {{- if eq "builder" $variant.dir -}} + {{- if or (eq "builder" $variant.dir) (eq "rootless-builder" $variant.dir) -}} {{- $template = "caddy-builder" }} {{- $ctx := dict "config" $version }} {{- $outPath := filepath.Join $dir "caddy-builder.sh" -}} diff --git a/stackbrew-config.yaml b/stackbrew-config.yaml index c5b2e5d..57c7075 100644 --- a/stackbrew-config.yaml +++ b/stackbrew-config.yaml @@ -19,6 +19,14 @@ variants: tags: [ "builder-alpine" ] shared_tags: [ "builder" ] architectures: [ amd64, arm64v8, arm32v6, arm32v7, ppc64le, riscv64, s390x ] + - dir: rootless + tags: [ "rootless-alpine" ] + shared_tags: [ "rootless" ] + architectures: [ amd64, arm64v8, arm32v6, arm32v7, ppc64le, riscv64, s390x ] + - dir: rootless-builder + tags: [ "rootless-builder-alpine" ] + shared_tags: [ "rootless-builder" ] + architectures: [ amd64, arm64v8, arm32v6, arm32v7, ppc64le, riscv64, s390x ] - dir: windows/ltsc2022 tags: [ "windowsservercore-ltsc2022" ] shared_tags: [ "windowsservercore", "latest" ] @@ -48,4 +56,4 @@ variants: tags: [ "builder-windowsservercore-ltsc2025" ] shared_tags: [ "builder" ] architectures: [ windows-amd64 ] - constraints: [ windowsservercore-ltsc2025 ] \ No newline at end of file + constraints: [ windowsservercore-ltsc2025 ] From db9695c8c913ca0741d32155c773762b9dca7f56 Mon Sep 17 00:00:00 2001 From: Ivan P <2119240+i5okie@users.noreply.github.com> Date: Wed, 19 Nov 2025 14:21:42 -0800 Subject: [PATCH 3/8] Add caddy-builder and updated caddyfile Signed-off-by: Ivan P <2119240+i5okie@users.noreply.github.com> --- 2.10/rootless-builder/caddy-builder.sh | 17 +++++++++++++++++ 2.10/rootless/Caddyfile | 11 +++++++++++ 2 files changed, 28 insertions(+) create mode 100644 2.10/rootless-builder/caddy-builder.sh create mode 100644 2.10/rootless/Caddyfile 
diff --git a/2.10/rootless-builder/caddy-builder.sh b/2.10/rootless-builder/caddy-builder.sh new file mode 100644 index 0000000..cd4b699 --- /dev/null +++ b/2.10/rootless-builder/caddy-builder.sh @@ -0,0 +1,17 @@ +#!/bin/sh +set -eu + +args="" +for p; do + args="$args --with $p" +done + +echo "Warning: the caddy-builder script is deprecated and will be removed in the future. +Instead, you should use the xcaddy command: + + xcaddy build $args +" >&2 + +# version is inferred from $CADDY_VERSION (set in the Dockerfile) +# output will be placed in the working dir (/usr/bin as set in the Dockerfile) +xcaddy build $args diff --git a/2.10/rootless/Caddyfile b/2.10/rootless/Caddyfile new file mode 100644 index 0000000..8a74d0d --- /dev/null +++ b/2.10/rootless/Caddyfile @@ -0,0 +1,11 @@ +# Global options: rootless image uses non-privileged ports +{ + http_port 8080 + https_port 8443 +} + +:8080 + +route { + teapot +} From 156fc65b11c6ead4d6e84d148cd98b72dd0461a5 Mon Sep 17 00:00:00 2001 From: Ivan P <2119240+i5okie@users.noreply.github.com> Date: Wed, 19 Nov 2025 14:22:06 -0800 Subject: [PATCH 4/8] Add generated rootless Dockerfiles Signed-off-by: Ivan P <2119240+i5okie@users.noreply.github.com> --- 2.10/rootless-builder/Dockerfile | 47 +++++++++++++++ 2.10/rootless-builder/Dockerfile.base | 1 + 2.10/rootless/Dockerfile | 86 +++++++++++++++++++++++++++ 2.10/rootless/Dockerfile.base | 1 + 4 files changed, 135 insertions(+) create mode 100644 2.10/rootless-builder/Dockerfile create mode 100644 2.10/rootless-builder/Dockerfile.base create mode 100644 2.10/rootless/Dockerfile create mode 100644 2.10/rootless/Dockerfile.base diff --git a/2.10/rootless-builder/Dockerfile b/2.10/rootless-builder/Dockerfile new file mode 100644 index 0000000..db2a83f --- /dev/null +++ b/2.10/rootless-builder/Dockerfile 
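Review bot: Nothing in the patches on this page copies `2.10/rootless/Caddyfile` into the image; the rootless Dockerfile downloads `/etc/caddy/Caddyfile` from the dist repository instead, so the `http_port 8080` / `https_port 8443` global options here do not appear to reach a running container. If this file is meant to be the image default, the template needs a `COPY Caddyfile /etc/caddy/Caddyfile` and the ports should follow the image's environment variables, e.g. `http_port {$CADDY_HTTP_PORT:8080}` and `https_port {$CADDY_HTTPS_PORT:8443}`. If it is only a test fixture, a first-line comment such as `# Test fixture: not installed into the image` would make that clear to operators reading the variant directory.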
@@ -0,0 +1,47 @@ +FROM golang:1.25-alpine3.22 + +RUN apk add --no-cache \ + ca-certificates \ + git \ + libcap + +ENV XCADDY_VERSION v0.4.5 +# Configures xcaddy to build with this version of Caddy +ENV CADDY_VERSION v2.10.2 +# Configures xcaddy to not clean up post-build (unnecessary in a container) +ENV XCADDY_SKIP_CLEANUP 1 + +RUN set -eux; \ + apkArch="$(apk --print-arch)"; \ + case "$apkArch" in \ + x86_64) binArch='amd64'; checksum='edea47d552fd9ac0a533386a72acaa95733ce734f347c11e5513469b5dc0eec0a62a6e21cfa93a83ab00b2dad72e0ee0b9bdf267a9654235f70d4c934739a15b' ;; \ + armhf) binArch='armv6'; checksum='29e4b7c484c0045d192fc8e7721c41988c1b8fc529343499ebb2acf94fba60f6e6c25c0944f7fb778ae25d5f8ccca452fc31d0338d6630d9b5219d5f9210ea44' ;; \ + armv7) binArch='armv7'; checksum='7e115fe60be169ffccff6884f1ab8fbe754d117c39618b02aedab9c857f0dcdc3cc6949f76b6a799cd617b509021bb086a4b2c5fb6c74d409d09429ff591a616' ;; \ + aarch64) binArch='arm64'; checksum='2933968a6e759a0406dc864000960fe0e605db9f0fe0662ce245897eaa5b529e322d1b14c2b98463a95e13f1dfd85432541b41f459a237daedb8c68a8f6a5bb1' ;; \ + ppc64el|ppc64le) binArch='ppc64le'; checksum='10e5f7e7dc885b278ebf4c5a97df4bde85a96fbc529890263f42af0445790a18669f44e318be1ac7639a283499e679ce9dabd8fe248478095d514bc2b72e6cd1' ;; \ + riscv64) binArch='riscv64'; checksum='4b108ef51ee3fd567f13cba3d3e2c89f86894e27b2ae5585e9ee20346b17f71a3bdcb968b25cb6d88a9a9671ef73cf82a1c0060e273d9b2e0c0c680369c83280' ;; \ + s390x) binArch='s390x'; checksum='f2e18d550dc12cb06bedda46c47404a2fbfdfb12363483daf41f5c52736a8ad22c72d7c32edb08aac7a18a1f1faee19aa787ac72b7515f07daf77329f4efbc3f' ;; \ + *) echo >&2 "error: unsupported architecture ($apkArch)"; exit 1 ;;\ + esac; \ + wget -O /tmp/xcaddy.tar.gz "https://github.com/caddyserver/xcaddy/releases/download/v0.4.5/xcaddy_0.4.5_linux_${binArch}.tar.gz"; \ + echo "$checksum /tmp/xcaddy.tar.gz" | sha512sum -c; \ + tar x -z -f /tmp/xcaddy.tar.gz -C /usr/bin xcaddy; \ + rm -f /tmp/xcaddy.tar.gz; \ + chmod +x 
/usr/bin/xcaddy; + +COPY caddy-builder.sh /usr/bin/caddy-builder + +# Create non-root user with UID 1001 and root group (GID 0) +# OpenShift will override the UID but keep GID=0 +RUN adduser -D -u 1001 -g 0 -H -h /usr/bin caddy + +# Set ownership to 1001:0 (user:root-group) for OpenShift compatibility +RUN chown -R 1001:0 /usr/bin/xcaddy /usr/bin/caddy-builder + +# Make directories writable by the root group for OpenShift compatibility +RUN chmod -R g+w /usr/bin + +WORKDIR /usr/bin + +# Switch to non-root user +USER 1001 diff --git a/2.10/rootless-builder/Dockerfile.base b/2.10/rootless-builder/Dockerfile.base new file mode 100644 index 0000000..67ef8bb --- /dev/null +++ b/2.10/rootless-builder/Dockerfile.base @@ -0,0 +1 @@ +FROM golang:1.25-alpine3.22 diff --git a/2.10/rootless/Dockerfile b/2.10/rootless/Dockerfile new file mode 100644 index 0000000..eece9e0 --- /dev/null +++ b/2.10/rootless/Dockerfile 
@@ -0,0 +1,86 @@ +FROM alpine:3.22 + +RUN apk add --no-cache \ + ca-certificates \ + libcap \ + mailcap + +RUN set -eux; \ + mkdir -p \ + /config/caddy \ + /data/caddy \ + /etc/caddy \ + /usr/share/caddy \ + ; \ + wget -O /etc/caddy/Caddyfile "https://github.com/caddyserver/dist/raw/33ae08ff08d168572df2956ed14fbc4949880d94/config/Caddyfile"; \ + wget -O /usr/share/caddy/index.html "https://github.com/caddyserver/dist/raw/33ae08ff08d168572df2956ed14fbc4949880d94/welcome/index.html"; \ + sed -i 's/:80/:{\$CADDY_HTTP_PORT:8080}/g' /etc/caddy/Caddyfile + +# https://github.com/caddyserver/caddy/releases +ENV CADDY_VERSION v2.10.2 + +RUN set -eux; \ + apkArch="$(apk --print-arch)"; \ + case "$apkArch" in \ + x86_64) binArch='amd64'; checksum='747df7ee74de188485157a383633a1a963fd9233b71fbb4a69ddcbcc589ce4e2cc82dacf5dbbe136cb51d17e14c59daeb5d9bc92487610b0f3b93680b2646546' ;; \ + armhf) binArch='armv6'; checksum='95b71fd99595018eebf4890782de63018ee86455531380b2a83a1814bb09c2588c0a531c877a26ba8a16a5b78072a1c26f7548bdec0e18abcef423fcc31a2e0e' ;; \ + armv7) binArch='armv7'; checksum='215af42cf952726d962c9753a12c04248781221b66df8b7110726fa7905d7a5c2e50056e0b47ab3c709d3dcfb48fde0f11e184a6950de0a2ddf941d3e503d07b' ;; \ + aarch64) binArch='arm64'; checksum='6ce061a690312ab38367df3c5d5f89a2e4a263e7300d300d87356211bb81e79b15933e6d6203e03fbf26f15cc0311f264805f336147dbdd24938d84b57a4421c' ;; \ + ppc64el|ppc64le) binArch='ppc64le'; checksum='ab286a51e0e8ce79393519b0c7ebe99075f4539b57f6a34fe555ba8060f8fbaee36197a1e8e49d0050ab5d6a783253839bc2675137635f8d252aea27f2ca5a85' ;; \ + riscv64) binArch='riscv64'; checksum='e71c8ba2462990e0d8a67c544b694446ad36d045bf40ce641fae6774181677457f6ae8ed0b5c4c927ef8302d91c587074b6001318f377d7054113b5da6dee6df' ;; \ + s390x) binArch='s390x'; checksum='b8aaa737b63308fac14cf84d7a658d9a0d74d2fe5f6a2eb57ca3ce7c52a73bea702c95da73ebfd20b3206bfb7b71ac8613aef9797e0f7a2c2a04bf5083092c2b' ;; \ + *) echo >&2 "error: unsupported architecture ($apkArch)"; exit 1 ;;\ + 
esac; \ + wget -O /tmp/caddy.tar.gz "https://github.com/caddyserver/caddy/releases/download/v2.10.2/caddy_2.10.2_linux_${binArch}.tar.gz"; \ + echo "$checksum /tmp/caddy.tar.gz" | sha512sum -c; \ + tar x -z -f /tmp/caddy.tar.gz -C /usr/bin caddy; \ + rm -f /tmp/caddy.tar.gz; \ + chmod +x /usr/bin/caddy; \ + caddy version + +# Create non-root user with UID 1001 and root group (GID 0) +# OpenShift will override the UID but keep GID=0 +# The -D flag creates a system user without password +# The -H flag prevents creating a home directory +RUN adduser -D -u 1001 -g 0 -H -h /data caddy + +# Set ownership to 1001:0 (user:root-group) for OpenShift compatibility +# OpenShift assigns arbitrary UIDs but always uses GID=0 (root group) +# The root group has no special privileges despite the name +RUN chown -R 1001:0 /data /config /etc/caddy /usr/share/caddy /usr/bin/caddy + +# Make directories writable by the root group for OpenShift compatibility +RUN chmod -R g+w /data /config /etc/caddy /usr/share/caddy + +# See https://caddyserver.com/docs/conventions#file-locations for details +ENV XDG_CONFIG_HOME /config +ENV XDG_DATA_HOME /data + +# Set default HTTP and HTTPS ports to non-privileged ports for rootless operation +ENV CADDY_HTTP_PORT=8080 +ENV CADDY_HTTPS_PORT=8443 + +LABEL org.opencontainers.image.version=v2.10.2 +LABEL org.opencontainers.image.title=Caddy +LABEL org.opencontainers.image.description="a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go (rootless)" +LABEL org.opencontainers.image.url=https://caddyserver.com +LABEL org.opencontainers.image.documentation=https://caddyserver.com/docs +LABEL org.opencontainers.image.vendor="Light Code Labs" +LABEL org.opencontainers.image.licenses=Apache-2.0 +LABEL org.opencontainers.image.source="https://github.com/caddyserver/caddy-docker" + +# Expose non-privileged ports (rootless containers cannot bind to ports < 1024) +# Configure these ports in your Caddyfile with http_port and 
https_port directives +# 8080: HTTP, 8443: HTTPS (TCP), 8443/udp: HTTP/3 (QUIC), 2019: Admin API +EXPOSE 8080 +EXPOSE 8443 +EXPOSE 8443/udp +EXPOSE 2019 + +WORKDIR /srv + +# Switch to non-root user +# OpenShift will override this UID with an arbitrary one, but keep GID=0 +USER 1001 + +CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"] diff --git a/2.10/rootless/Dockerfile.base b/2.10/rootless/Dockerfile.base new file mode 100644 index 0000000..7a4fc3c --- /dev/null +++ b/2.10/rootless/Dockerfile.base @@ -0,0 +1 @@ +FROM alpine:3.22 From 157e69c8cce06482870c051eb91ad5390dd973e3 Mon Sep 17 00:00:00 2001 From: Ivan P <2119240+i5okie@users.noreply.github.com> Date: Mon, 12 Jan 2026 13:43:55 -0800 Subject: [PATCH 5/8] Remove rootless-builder Signed-off-by: Ivan P <2119240+i5okie@users.noreply.github.com> --- 2.10/rootless-builder/Dockerfile | 47 -------------------------- 2.10/rootless-builder/Dockerfile.base | 1 - 2.10/rootless-builder/caddy-builder.sh | 17 ---------- Dockerfile.rootless-builder.tmpl | 47 -------------------------- Makefile | 3 +- render-dockerfiles.tmpl | 4 +-- stackbrew-config.yaml | 4 --- 7 files changed, 2 insertions(+), 121 deletions(-) delete mode 100644 2.10/rootless-builder/Dockerfile delete mode 100644 2.10/rootless-builder/Dockerfile.base delete mode 100644 2.10/rootless-builder/caddy-builder.sh delete mode 100644 Dockerfile.rootless-builder.tmpl diff --git a/2.10/rootless-builder/Dockerfile b/2.10/rootless-builder/Dockerfile deleted file mode 100644 index db2a83f..0000000 --- a/2.10/rootless-builder/Dockerfile +++ /dev/null 
@@ -1,47 +0,0 @@ -FROM golang:1.25-alpine3.22 - -RUN apk add --no-cache \ - ca-certificates \ - git \ - libcap - -ENV XCADDY_VERSION v0.4.5 -# Configures xcaddy to build with this version of Caddy -ENV CADDY_VERSION v2.10.2 -# Configures xcaddy to not clean up post-build (unnecessary in a container) -ENV XCADDY_SKIP_CLEANUP 1 - -RUN set -eux; \ - apkArch="$(apk --print-arch)"; \ - case "$apkArch" in \ - x86_64) binArch='amd64'; checksum='edea47d552fd9ac0a533386a72acaa95733ce734f347c11e5513469b5dc0eec0a62a6e21cfa93a83ab00b2dad72e0ee0b9bdf267a9654235f70d4c934739a15b' ;; \ - armhf) binArch='armv6'; checksum='29e4b7c484c0045d192fc8e7721c41988c1b8fc529343499ebb2acf94fba60f6e6c25c0944f7fb778ae25d5f8ccca452fc31d0338d6630d9b5219d5f9210ea44' ;; \ - armv7) binArch='armv7'; checksum='7e115fe60be169ffccff6884f1ab8fbe754d117c39618b02aedab9c857f0dcdc3cc6949f76b6a799cd617b509021bb086a4b2c5fb6c74d409d09429ff591a616' ;; \ - aarch64) binArch='arm64'; checksum='2933968a6e759a0406dc864000960fe0e605db9f0fe0662ce245897eaa5b529e322d1b14c2b98463a95e13f1dfd85432541b41f459a237daedb8c68a8f6a5bb1' ;; \ - ppc64el|ppc64le) binArch='ppc64le'; checksum='10e5f7e7dc885b278ebf4c5a97df4bde85a96fbc529890263f42af0445790a18669f44e318be1ac7639a283499e679ce9dabd8fe248478095d514bc2b72e6cd1' ;; \ - riscv64) binArch='riscv64'; checksum='4b108ef51ee3fd567f13cba3d3e2c89f86894e27b2ae5585e9ee20346b17f71a3bdcb968b25cb6d88a9a9671ef73cf82a1c0060e273d9b2e0c0c680369c83280' ;; \ - s390x) binArch='s390x'; checksum='f2e18d550dc12cb06bedda46c47404a2fbfdfb12363483daf41f5c52736a8ad22c72d7c32edb08aac7a18a1f1faee19aa787ac72b7515f07daf77329f4efbc3f' ;; \ - *) echo >&2 "error: unsupported architecture ($apkArch)"; exit 1 ;;\ - esac; \ - wget -O /tmp/xcaddy.tar.gz "https://github.com/caddyserver/xcaddy/releases/download/v0.4.5/xcaddy_0.4.5_linux_${binArch}.tar.gz"; \ - echo "$checksum /tmp/xcaddy.tar.gz" | sha512sum -c; \ - tar x -z -f /tmp/xcaddy.tar.gz -C /usr/bin xcaddy; \ - rm -f /tmp/xcaddy.tar.gz; \ - chmod +x 
/usr/bin/xcaddy; - -COPY caddy-builder.sh /usr/bin/caddy-builder - -# Create non-root user with UID 1001 and root group (GID 0) -# OpenShift will override the UID but keep GID=0 -RUN adduser -D -u 1001 -g 0 -H -h /usr/bin caddy - -# Set ownership to 1001:0 (user:root-group) for OpenShift compatibility -RUN chown -R 1001:0 /usr/bin/xcaddy /usr/bin/caddy-builder - -# Make directories writable by the root group for OpenShift compatibility -RUN chmod -R g+w /usr/bin - -WORKDIR /usr/bin - -# Switch to non-root user -USER 1001 diff --git a/2.10/rootless-builder/Dockerfile.base b/2.10/rootless-builder/Dockerfile.base deleted file mode 100644 index 67ef8bb..0000000 --- a/2.10/rootless-builder/Dockerfile.base +++ /dev/null @@ -1 +0,0 @@ -FROM golang:1.25-alpine3.22 diff --git a/2.10/rootless-builder/caddy-builder.sh b/2.10/rootless-builder/caddy-builder.sh deleted file mode 100644 index cd4b699..0000000 --- a/2.10/rootless-builder/caddy-builder.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh -set -eu - -args="" -for p; do - args="$args --with $p" -done - -echo "Warning: the caddy-builder script is deprecated and will be removed in the future. -Instead, you should use the xcaddy command: - - xcaddy build $args -" >&2 - -# version is inferred from $CADDY_VERSION (set in the Dockerfile) -# output will be placed in the working dir (/usr/bin as set in the Dockerfile) -xcaddy build $args diff --git a/Dockerfile.rootless-builder.tmpl b/Dockerfile.rootless-builder.tmpl deleted file mode 100644 index b074faa..0000000 --- a/Dockerfile.rootless-builder.tmpl +++ /dev/null 
@@ -1,47 +0,0 @@ -{{ .base | strings.TrimSpace }} - -RUN apk add --no-cache \ - ca-certificates \ - git \ - libcap - -ENV XCADDY_VERSION v{{ .xcaddy_config.version }} -# Configures xcaddy to build with this version of Caddy -ENV CADDY_VERSION v{{ .config.caddy_version }} -# Configures xcaddy to not clean up post-build (unnecessary in a container) -ENV XCADDY_SKIP_CLEANUP 1 - -RUN set -eux; \ - apkArch="$(apk --print-arch)"; \ - case "$apkArch" in \ - x86_64) binArch='amd64'; checksum='{{ .xcaddy_checksums.amd64 }}' ;; \ - armhf) binArch='armv6'; checksum='{{ .xcaddy_checksums.arm32v6 }}' ;; \ - armv7) binArch='armv7'; checksum='{{ .xcaddy_checksums.arm32v7 }}' ;; \ - aarch64) binArch='arm64'; checksum='{{ .xcaddy_checksums.arm64v8 }}' ;; \ - ppc64el|ppc64le) binArch='ppc64le'; checksum='{{ .xcaddy_checksums.ppc64le }}' ;; \ - riscv64) binArch='riscv64'; checksum='{{ .xcaddy_checksums.riscv64 }}' ;; \ - s390x) binArch='s390x'; checksum='{{ .xcaddy_checksums.s390x }}' ;; \ - *) echo >&2 "error: unsupported architecture ($apkArch)"; exit 1 ;;\ - esac; \ - wget -O /tmp/xcaddy.tar.gz "https://github.com/caddyserver/xcaddy/releases/download/v{{ .xcaddy_config.version }}/xcaddy_{{ .xcaddy_config.version }}_linux_${binArch}.tar.gz"; \ - echo "$checksum /tmp/xcaddy.tar.gz" | sha512sum -c; \ - tar x -z -f /tmp/xcaddy.tar.gz -C /usr/bin xcaddy; \ - rm -f /tmp/xcaddy.tar.gz; \ - chmod +x /usr/bin/xcaddy; - -COPY caddy-builder.sh /usr/bin/caddy-builder - -# Create non-root user with UID 1001 and root group (GID 0) -# OpenShift will override the UID but keep GID=0 -RUN adduser -D -u 1001 -g 0 -H -h /usr/bin caddy - -# Set ownership to 1001:0 (user:root-group) for OpenShift compatibility -RUN chown -R 1001:0 /usr/bin/xcaddy /usr/bin/caddy-builder - -# Make directories writable by the root group for OpenShift compatibility -RUN chmod -R g+w /usr/bin - -WORKDIR /usr/bin - -# Switch to non-root user -USER 1001 diff --git a/Makefile b/Makefile index 5f01aee..599f36a 100644 
--- a/Makefile +++ b/Makefile @@ -3,13 +3,12 @@ all: gen-dockerfiles library/caddy .github/dependabot.yml -gen-dockerfiles: render-dockerfiles.tmpl Dockerfile.tmpl Dockerfile.builder.tmpl Dockerfile.rootless.tmpl Dockerfile.rootless-builder.tmpl Dockerfile.windows.tmpl Dockerfile.windows-builder.tmpl Dockerfile.nanoserver.tmpl */*/Dockerfile.base +gen-dockerfiles: render-dockerfiles.tmpl Dockerfile.tmpl Dockerfile.builder.tmpl Dockerfile.rootless.tmpl Dockerfile.windows.tmpl Dockerfile.windows-builder.tmpl Dockerfile.nanoserver.tmpl */*/Dockerfile.base @gomplate \ --plugin getChecksums=./getChecksums.sh \ -t dockerfile=Dockerfile.tmpl \ -t builder-dockerfile=Dockerfile.builder.tmpl \ -t rootless-dockerfile=Dockerfile.rootless.tmpl \ - -t rootless-builder-dockerfile=Dockerfile.rootless-builder.tmpl \ -t windows-dockerfile=Dockerfile.windows.tmpl \ -t windows-builder-dockerfile=Dockerfile.windows-builder.tmpl \ -t nanoserver-dockerfile=Dockerfile.nanoserver.tmpl \ diff --git a/render-dockerfiles.tmpl b/render-dockerfiles.tmpl index 3eb3aa0..970610c 100644 --- a/render-dockerfiles.tmpl +++ b/render-dockerfiles.tmpl @@ -12,8 +12,6 @@ {{ $template = "builder-dockerfile" -}} {{- else if eq "rootless" $variant.dir -}} {{ $template = "rootless-dockerfile" -}} - {{- else if eq "rootless-builder" $variant.dir -}} - {{ $template = "rootless-builder-dockerfile" -}} {{ end -}} {{- if strings.HasPrefix "windows-builder" $variant.dir -}} {{ $template = "windows-builder-dockerfile" -}} @@ -28,7 +26,7 @@ Rendering {{ $outPath }} with template {{ $template }}...{{ "\n" -}} {{- tmpl.Exec $template $ctx | file.Write $outPath -}} - {{- if or (eq "builder" $variant.dir) (eq "rootless-builder" $variant.dir) -}} + {{- if eq "builder" $variant.dir -}} {{- $template = "caddy-builder" }} {{- $ctx := dict "config" $version }} {{- $outPath := filepath.Join $dir "caddy-builder.sh" -}} diff --git a/stackbrew-config.yaml b/stackbrew-config.yaml index 57c7075..dbab1d1 100644 
--- a/stackbrew-config.yaml +++ b/stackbrew-config.yaml @@ -23,10 +23,6 @@ variants: tags: [ "rootless-alpine" ] shared_tags: [ "rootless" ] architectures: [ amd64, arm64v8, arm32v6, arm32v7, ppc64le, riscv64, s390x ] - - dir: rootless-builder - tags: [ "rootless-builder-alpine" ] - shared_tags: [ "rootless-builder" ] - architectures: [ amd64, arm64v8, arm32v6, arm32v7, ppc64le, riscv64, s390x ] - dir: windows/ltsc2022 tags: [ "windowsservercore-ltsc2022" ] shared_tags: [ "windowsservercore", "latest" ] From b509429d012dd01b5ac49905e32bd2c898c9ccd1 Mon Sep 17 00:00:00 2001 From: Ivan P <2119240+i5okie@users.noreply.github.com> Date: Mon, 12 Jan 2026 13:45:00 -0800 Subject: [PATCH 6/8] Address adduser and security concerns Signed-off-by: Ivan P <2119240+i5okie@users.noreply.github.com> --- 2.10/rootless/Dockerfile | 7 ++++--- Dockerfile.rootless.tmpl | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/2.10/rootless/Dockerfile b/2.10/rootless/Dockerfile index eece9e0..8aa9313 100644 --- a/2.10/rootless/Dockerfile +++ b/2.10/rootless/Dockerfile @@ -42,15 +42,16 @@ RUN set -eux; \ # OpenShift will override the UID but keep GID=0 # The -D flag creates a system user without password # The -H flag prevents creating a home directory -RUN adduser -D -u 1001 -g 0 -H -h /data caddy +RUN adduser -D -u 1001 -H -h /data caddy && \ + addgroup caddy root # Set ownership to 1001:0 (user:root-group) for OpenShift compatibility # OpenShift assigns arbitrary UIDs but always uses GID=0 (root group) # The root group has no special privileges despite the name -RUN chown -R 1001:0 /data /config /etc/caddy /usr/share/caddy /usr/bin/caddy +RUN chown -R 1001:0 /data /config /etc/caddy # Make directories writable by the root group for OpenShift compatibility -RUN chmod -R g+w /data /config /etc/caddy /usr/share/caddy +RUN chmod -R g+w /data /config /etc/caddy # See https://caddyserver.com/docs/conventions#file-locations for details ENV XDG_CONFIG_HOME /config 
diff --git a/Dockerfile.rootless.tmpl b/Dockerfile.rootless.tmpl index e0bdcd3..6c1feda 100644 --- a/Dockerfile.rootless.tmpl +++ b/Dockerfile.rootless.tmpl @@ -42,15 +42,16 @@ RUN set -eux; \ # OpenShift will override the UID but keep GID=0 # The -D flag creates a system user without password # The -H flag prevents creating a home directory -RUN adduser -D -u 1001 -g 0 -H -h /data caddy +RUN adduser -D -u 1001 -H -h /data caddy && \ + addgroup caddy root # Set ownership to 1001:0 (user:root-group) for OpenShift compatibility # OpenShift assigns arbitrary UIDs but always uses GID=0 (root group) # The root group has no special privileges despite the name -RUN chown -R 1001:0 /data /config /etc/caddy /usr/share/caddy /usr/bin/caddy +RUN chown -R 1001:0 /data /config /etc/caddy # Make directories writable by the root group for OpenShift compatibility -RUN chmod -R g+w /data /config /etc/caddy /usr/share/caddy +RUN chmod -R g+w /data /config /etc/caddy # See https://caddyserver.com/docs/conventions#file-locations for details ENV XDG_CONFIG_HOME /config From 7e724d4b89cede404743a1a1af3b5be78e28f023 Mon Sep 17 00:00:00 2001 From: Francis Lavoie Date: Fri, 16 Jan 2026 07:26:25 -0500 Subject: [PATCH 7/8] Add 2.11, add curl --- 2.10/rootless/Dockerfile | 1 + 2.11/rootless/Caddyfile | 11 +++++ 2.11/rootless/Dockerfile | 88 +++++++++++++++++++++++++++++++++++ 2.11/rootless/Dockerfile.base | 1 + Dockerfile.rootless.tmpl | 1 + 5 files changed, 102 insertions(+) create mode 100644 2.11/rootless/Caddyfile create mode 100644 2.11/rootless/Dockerfile create mode 100644 2.11/rootless/Dockerfile.base diff --git a/2.10/rootless/Dockerfile b/2.10/rootless/Dockerfile index 8aa9313..f39e581 100644 --- a/2.10/rootless/Dockerfile +++ b/2.10/rootless/Dockerfile @@ -2,6 +2,7 @@ FROM alpine:3.22 RUN apk add --no-cache \ ca-certificates \ + curl \ libcap \ mailcap diff --git a/2.11/rootless/Caddyfile b/2.11/rootless/Caddyfile new file mode 100644 index 0000000..8a74d0d --- /dev/null 
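Review bot: `/etc/caddy` is still listed in both `RUN chown -R 1001:0 /data /config /etc/caddy` and `RUN chmod -R g+w /data /config /etc/caddy`, so the serving process can rewrite its own configuration; only `/data` and `/config` look like they need to be writable at runtime, and dropping `/etc/caddy` from both lines should leave the config root-owned and readable. The comments above the changed `adduser` line are now stale: the primary group is a newly created `caddy` group with `root` added as a supplementary group, and BusyBox `-D` means "do not assign a password", not "system user" (that is `-S`). Because the primary GID is no longer 0, the `USER 1001` line further down (outside this hunk) could become `USER 1001:0` so plain Docker and OpenShift run with the same group. The same points apply to the matching hunk for the generated `2.10/rootless/Dockerfile` in this commit.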
+++ b/2.11/rootless/Caddyfile @@ -0,0 +1,11 @@ +# Global options: rootless image uses non-privileged ports +{ + http_port 8080 + https_port 8443 +} + +:8080 + +route { + teapot +} diff --git a/2.11/rootless/Dockerfile b/2.11/rootless/Dockerfile new file mode 100644 index 0000000..83422a5 --- /dev/null +++ b/2.11/rootless/Dockerfile 
@@ -0,0 +1,88 @@
+FROM alpine:3.22
+
+RUN apk add --no-cache \
+ ca-certificates \
+ curl \
+ libcap \
+ mailcap
+
+RUN set -eux; \
+ mkdir -p \
+ /config/caddy \
+ /data/caddy \
+ /etc/caddy \
+ /usr/share/caddy \
+ ; \
+ wget -O /etc/caddy/Caddyfile "https://github.com/caddyserver/dist/raw/33ae08ff08d168572df2956ed14fbc4949880d94/config/Caddyfile"; \
+ wget -O /usr/share/caddy/index.html "https://github.com/caddyserver/dist/raw/33ae08ff08d168572df2956ed14fbc4949880d94/welcome/index.html"; \
+ sed -i 's/:80/:{\$CADDY_HTTP_PORT:8080}/g' /etc/caddy/Caddyfile
+
+# https://github.com/caddyserver/caddy/releases
+ENV CADDY_VERSION v2.11.0-beta.2
+
+RUN set -eux; \
+ apkArch="$(apk --print-arch)"; \
+ case "$apkArch" in \
+ x86_64) binArch='amd64'; checksum='f9c72942891b3983d26cd96a2353f0985de3381f0996ae2fd37e9dc662c3b78a6cdad121d5ab225ffbe36d9425b46c5258c08dba707299a111d41ede7228171b' ;; \
+ armhf) binArch='armv6'; checksum='ff625cf10b3af39aa55e9f912342fda2868b2de8df1a3da543ccbae998cbe5b7d12ebb707edc061ebdb6df3c656a8c3a67743f5212df2132c4ce6f26bc8bf057' ;; \
+ armv7) binArch='armv7'; checksum='de69fc54499bcfecacd1f37533ebca116545bd46d27070d6858b042c61e11d673a13bf4f08db238ead6d54ed79a59c7ce2ce103ac94241715cfaba5034861541' ;; \
+ aarch64) binArch='arm64'; checksum='e3caa4eed7104549029aa31074fc8f9e0399706c787a7ad22d23135d0c765ced8e9c2577fbb0b1e8a000042d86ad80cabb49e85eaf973e18b435926cc8b356fd' ;; \
+ ppc64el|ppc64le) binArch='ppc64le'; checksum='ea4a8ef21630b5363e7c3f62ebb7926d152ac4fdc854fe374b08eb6c0edfd50dbb5c6f01b5c89aad1871b83690fcd4f9178ecd64db9544dab605161af0352644' ;; \
+ riscv64) binArch='riscv64'; checksum='f68fd4802b8d77e8b7fcc4eb1d3576edceabe9494edfa07fee402b4643aa2cf3402f88f049bafa2995ddf4dfbdc2aa569abb7056e9696d94360725b25e5df91c' ;; \
+ s390x) binArch='s390x'; checksum='e809207408cab3d9c96c7c70f832f244311c5e2b5546ad4e15179cae665c0cf3a759692ff0f8de0519c3b587309b2b892ca0559bf7ac9c3244f3ed851353cfa5' ;; \
+ *) echo >&2 "error: unsupported architecture ($apkArch)"; exit 1 ;;\
+ esac; \
+ wget -O /tmp/caddy.tar.gz "https://github.com/caddyserver/caddy/releases/download/v2.11.0-beta.2/caddy_2.11.0-beta.2_linux_${binArch}.tar.gz"; \
+ echo "$checksum /tmp/caddy.tar.gz" | sha512sum -c; \
+ tar x -z -f /tmp/caddy.tar.gz -C /usr/bin caddy; \
+ rm -f /tmp/caddy.tar.gz; \
+ chmod +x /usr/bin/caddy; \
+ caddy version
+
+# Create non-root user with UID 1001 and root group (GID 0)
+# OpenShift will override the UID but keep GID=0
+# The -D flag creates a system user without password
+# The -H flag prevents creating a home directory
+RUN adduser -D -u 1001 -H -h /data caddy && \
+ addgroup caddy root
+
+# Set ownership to 1001:0 (user:root-group) for OpenShift compatibility
+# OpenShift assigns arbitrary UIDs but always uses GID=0 (root group)
+# The root group has no special privileges despite the name
+RUN chown -R 1001:0 /data /config /etc/caddy
+
+# Make directories writable by the root group for OpenShift compatibility
+RUN chmod -R g+w /data /config /etc/caddy
+
+# See https://caddyserver.com/docs/conventions#file-locations for details
+ENV XDG_CONFIG_HOME /config
+ENV XDG_DATA_HOME /data
+
+# Set default HTTP and HTTPS ports to non-privileged ports for rootless operation
+ENV CADDY_HTTP_PORT=8080
+ENV CADDY_HTTPS_PORT=8443
+
+LABEL org.opencontainers.image.version=v2.11.0-beta.2
+LABEL org.opencontainers.image.title=Caddy
+LABEL org.opencontainers.image.description="a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go (rootless)"
+LABEL org.opencontainers.image.url=https://caddyserver.com
+LABEL org.opencontainers.image.documentation=https://caddyserver.com/docs
+LABEL org.opencontainers.image.vendor="Light Code Labs"
+LABEL org.opencontainers.image.licenses=Apache-2.0
+LABEL org.opencontainers.image.source="https://github.com/caddyserver/caddy-docker"
+
+# Expose non-privileged ports (rootless containers cannot bind to ports < 1024)
+# Configure these ports in your Caddyfile with
http_port and https_port directives +# 8080: HTTP, 8443: HTTPS (TCP), 8443/udp: HTTP/3 (QUIC), 2019: Admin API +EXPOSE 8080 +EXPOSE 8443 +EXPOSE 8443/udp +EXPOSE 2019 + +WORKDIR /srv + +# Switch to non-root user +# OpenShift will override this UID with an arbitrary one, but keep GID=0 +USER 1001 + +CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"] diff --git a/2.11/rootless/Dockerfile.base b/2.11/rootless/Dockerfile.base new file mode 100644 index 0000000..7a4fc3c --- /dev/null +++ b/2.11/rootless/Dockerfile.base @@ -0,0 +1 @@ +FROM alpine:3.22 diff --git a/Dockerfile.rootless.tmpl b/Dockerfile.rootless.tmpl index 6c1feda..3b54272 100644 --- a/Dockerfile.rootless.tmpl +++ b/Dockerfile.rootless.tmpl @@ -2,6 +2,7 @@ RUN apk add --no-cache \ ca-certificates \ + curl \ libcap \ mailcap From ca6f0a471f5782346346845addb5349961447e1e Mon Sep 17 00:00:00 2001 From: Francis Lavoie Date: Fri, 16 Jan 2026 07:28:10 -0500 Subject: [PATCH 8/8] ENV `=` syntax --- 2.10/rootless/Dockerfile | 6 +++--- 2.11/rootless/Dockerfile | 6 +++--- Dockerfile.rootless.tmpl | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/2.10/rootless/Dockerfile b/2.10/rootless/Dockerfile index f39e581..4af2f13 100644 --- a/2.10/rootless/Dockerfile +++ b/2.10/rootless/Dockerfile @@ -18,7 +18,7 @@ RUN set -eux; \ sed -i 's/:80/:{\$CADDY_HTTP_PORT:8080}/g' /etc/caddy/Caddyfile # https://github.com/caddyserver/caddy/releases -ENV CADDY_VERSION v2.10.2 +ENV CADDY_VERSION=v2.10.2 RUN set -eux; \ apkArch="$(apk --print-arch)"; \ @@ -55,8 +55,8 @@ RUN chown -R 1001:0 /data /config /etc/caddy RUN chmod -R g+w /data /config /etc/caddy # See https://caddyserver.com/docs/conventions#file-locations for details -ENV XDG_CONFIG_HOME /config -ENV XDG_DATA_HOME /data +ENV XDG_CONFIG_HOME=/config +ENV XDG_DATA_HOME=/data # Set default HTTP and HTTPS ports to non-privileged ports for rootless operation ENV CADDY_HTTP_PORT=8080 
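Review bot: `EXPOSE 2019` near the end of 2.11/rootless/Dockerfile lists the admin API alongside the serving ports, although Caddy binds that endpoint to localhost:2019 by default and it accepts configuration changes without authentication. Advertising it as a container port nudges operators and publish-all tooling toward making an internal control endpoint reachable. I would drop the line, or keep it under a comment such as `# 2019: admin API, localhost-only by default; do not publish without access control`. This file looks rendered from Dockerfile.rootless.tmpl, whose EXPOSE lines are not part of this page's hunks, so the change would belong there too.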
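Review bot: The Dockerfile.rootless.tmpl hunk of the "Add 2.11, add curl" patch puts `curl` into the runtime package list without saying what uses it; the 2.11/rootless/Dockerfile added in the same patch has no `HEALTHCHECK` or `RUN` step that calls it, and its downloads go through `wget`. Each extra client binary in a server image is one more package to patch and one more tool present if the container is ever compromised. If it is there for health probes, a comment above the `RUN apk add` line such as `# curl: used by container health checks` would record that; otherwise I would leave it out. `libcap` looks like a similar candidate, since no `setcap` call appears in the rendered rootless Dockerfile.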
diff --git a/2.11/rootless/Dockerfile b/2.11/rootless/Dockerfile index 83422a5..3d46151 100644 --- a/2.11/rootless/Dockerfile +++ b/2.11/rootless/Dockerfile @@ -18,7 +18,7 @@ RUN set -eux; \ sed -i 's/:80/:{\$CADDY_HTTP_PORT:8080}/g' /etc/caddy/Caddyfile # https://github.com/caddyserver/caddy/releases -ENV CADDY_VERSION v2.11.0-beta.2 +ENV CADDY_VERSION=v2.11.0-beta.2 RUN set -eux; \ apkArch="$(apk --print-arch)"; \ @@ -55,8 +55,8 @@ RUN chown -R 1001:0 /data /config /etc/caddy RUN chmod -R g+w /data /config /etc/caddy # See https://caddyserver.com/docs/conventions#file-locations for details -ENV XDG_CONFIG_HOME /config -ENV XDG_DATA_HOME /data +ENV XDG_CONFIG_HOME=/config +ENV XDG_DATA_HOME=/data # Set default HTTP and HTTPS ports to non-privileged ports for rootless operation ENV CADDY_HTTP_PORT=8080 diff --git a/Dockerfile.rootless.tmpl b/Dockerfile.rootless.tmpl index 3b54272..cfce003 100644 --- a/Dockerfile.rootless.tmpl +++ b/Dockerfile.rootless.tmpl @@ -18,7 +18,7 @@ RUN set -eux; \ sed -i 's/:80/:{\$CADDY_HTTP_PORT:8080}/g' /etc/caddy/Caddyfile # https://github.com/caddyserver/caddy/releases -ENV CADDY_VERSION v{{ .config.caddy_version }} +ENV CADDY_VERSION=v{{ .config.caddy_version }} RUN set -eux; \ apkArch="$(apk --print-arch)"; \ @@ -55,8 +55,8 @@ RUN chown -R 1001:0 /data /config /etc/caddy RUN chmod -R g+w /data /config /etc/caddy # See https://caddyserver.com/docs/conventions#file-locations for details -ENV XDG_CONFIG_HOME /config -ENV XDG_DATA_HOME /data +ENV XDG_CONFIG_HOME=/config +ENV XDG_DATA_HOME=/data # Set default HTTP and HTTPS ports to non-privileged ports for rootless operation ENV CADDY_HTTP_PORT=8080