util/Attachments/entrypoint.sh

#!/bin/sh

# Setup

GROUPNAME="bitwarden"
USERNAME="bitwarden"

LUID=${LOCAL_UID:-0}
LGID=${LOCAL_GID:-0}

# Step down from host root to well-known nobody/nogroup user

if [ $LUID -eq 0 ]
then
    LUID=65534
fi
if [ $LGID -eq 0 ]
then
    LGID=65534
fi

if [ "$(id -u)" = "0" ]
then
    # Create user and group

    groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
    groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
    useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
    usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
    mkhomedir_helper $USERNAME

    # The rest...
    chown -R $USERNAME:$GROUPNAME /bitwarden_server
    mkdir -p /etc/bitwarden/core/attachments
    chown -R $USERNAME:$GROUPNAME /etc/bitwarden
    
    gosu_cmd="gosu $USERNAME:$GROUPNAME"
else
    gosu_cmd=""
fi

exec $gosu_cmd /bitwarden_server/Server \
    /contentRoot=/etc/bitwarden/core/attachments \
    /webRoot=. \
    /serveUnknown=true
BRE-917 Update to Alpine base (#5976) * testing-wolfi * testing alpine * fix gosu download * fix Admin dockerfile * update dockerfiles * alpine-compatible-entrypoint-script-for-api-test * make-entrypoint-scripts-alpine-compatible * testing nginx with alpine * cleaning up comments from dockerfile from testing * restore accidentally deleted icon * remove unused file * pin alpine, update apk add no cache * remove comments from testing * test shadow implementtaion for entrypoints * add shadow package, revert entrypoints, change from bash to shell for entry * add icu to setup container, update helpers to use shell * update migrator utility * add missing krb5 libraries 2025-07-28 10:56:20 -04:00			`#!/bin/sh`
local attachment storage & docker image 2017-08-08 17:27:01 -04:00
map host docker group id to containers 2018-04-16 15:30:07 -04:00			`# Setup`

			`GROUPNAME="bitwarden"`
step down from host root LUID 2018-03-27 22:57:30 -04:00			`USERNAME="bitwarden"`
map host docker group id to containers 2018-04-16 15:30:07 -04:00
Rework service user (#299) * Use user primary group if not root * Do not run getent on MacOS * Simplify UID/GID management * Make uid.env backward compatible in run.sh * Merge install.sh with run.sh to avoid duplicating code Especially the UID/GID management one * Generate correct OS name * Be sure to keep old behavior for backward compatiblilty * Get the colors back from install.sh 2018-05-31 18:05:26 +02:00			`LUID=${LOCAL_UID:-0}`
			`LGID=${LOCAL_GID:-0}`
map host docker group id to containers 2018-04-16 15:30:07 -04:00
Rework service user (#299) * Use user primary group if not root * Do not run getent on MacOS * Simplify UID/GID management * Make uid.env backward compatible in run.sh * Merge install.sh with run.sh to avoid duplicating code Especially the UID/GID management one * Generate correct OS name * Be sure to keep old behavior for backward compatiblilty * Get the colors back from install.sh 2018-05-31 18:05:26 +02:00			`# Step down from host root to well-known nobody/nogroup user`
step down from host root LUID 2018-03-27 22:57:30 -04:00
Rework service user (#299) * Use user primary group if not root * Do not run getent on MacOS * Simplify UID/GID management * Make uid.env backward compatible in run.sh * Merge install.sh with run.sh to avoid duplicating code Especially the UID/GID management one * Generate correct OS name * Be sure to keep old behavior for backward compatiblilty * Get the colors back from install.sh 2018-05-31 18:05:26 +02:00			`if [ $LUID -eq 0 ]`
map host docker group id to containers 2018-04-16 15:30:07 -04:00			`then`
Rework service user (#299) * Use user primary group if not root * Do not run getent on MacOS * Simplify UID/GID management * Make uid.env backward compatible in run.sh * Merge install.sh with run.sh to avoid duplicating code Especially the UID/GID management one * Generate correct OS name * Be sure to keep old behavior for backward compatiblilty * Get the colors back from install.sh 2018-05-31 18:05:26 +02:00			`LUID=65534`
map host docker group id to containers 2018-04-16 15:30:07 -04:00			`fi`
Rework service user (#299) * Use user primary group if not root * Do not run getent on MacOS * Simplify UID/GID management * Make uid.env backward compatible in run.sh * Merge install.sh with run.sh to avoid duplicating code Especially the UID/GID management one * Generate correct OS name * Be sure to keep old behavior for backward compatiblilty * Get the colors back from install.sh 2018-05-31 18:05:26 +02:00			`if [ $LGID -eq 0 ]`
step down from host root LUID 2018-03-27 22:57:30 -04:00			`then`
Rework service user (#299) * Use user primary group if not root * Do not run getent on MacOS * Simplify UID/GID management * Make uid.env backward compatible in run.sh * Merge install.sh with run.sh to avoid duplicating code Especially the UID/GID management one * Generate correct OS name * Be sure to keep old behavior for backward compatiblilty * Get the colors back from install.sh 2018-05-31 18:05:26 +02:00			`LGID=65534`
step down from host root LUID 2018-03-27 22:57:30 -04:00			`fi`

feat: non-root self hosted images for standard deployment (#5701) * Use IHttpMessageHandlerFactory For HTTP Communication Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * feat: allow custom app-id.json location for rootless Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * fix: new build context wont allow copying git context * feat: allow images to run as non-root user * fix: build failures caused by bad merge * build: we don't need to copy the `.git` dir * Revert "build: we don't need to copy the `.git` dir" This reverts commit 32c2f6236a894534de09ffe847ffff064a7174bd. * Use `IHttpClientFactory` in more places * update build workflow * fix: compatibility with the existin run.sh script * fix: compatibility with existing run.sh script * Add SelfHosted GlobalSettings for Setup * Fix my build error * Add other services * Add IConfiguration * fix: missing gosu command for rootful mode * fix: try using .net core certificate handling * fix: add `SSL_CERT_DIR` to remaining images * Remove X509ChainCustomization activation code * Revert "Use IHttpMessageHandlerFactory For HTTP Communication" This reverts commit c93be6d52b12599040d3c3d8a7b3bc854c6c6802. * Revert "fix: build failures caused by bad merge" This reverts commit 3e4639489b6b6c06b5a977a069002fe0c0eb2057. * Revert "Use `IHttpClientFactory` in more places" This reverts commit 284501a4932b819b093406e0bcdf76def22b6eea. * remove unused code * re-add error log for installation id * remove missing error message in log * build: remove duplicate docker+qemu setup steps Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com> * build: optimize for simpler builds over caching * build: restore previous method for getting the GIT_HASH * fix: add missing build args to remaining images * fix: rm extraneous source revision id arg * fmt: apply consistent spacing and rm redundant WORKDIR directive * build: update migrator to use simpler build; apply consistent spacing * fix: merge conflicts; simplify changes * fix: add publish branch check back --------- Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com> 2025-05-30 10:29:47 -07:00			`if [ "$(id -u)" = "0" ]`
			`then`
			`# Create user and group`

Fix attachments container (#6165) 2025-08-06 18:44:01 +00:00			`groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 \|\|`
			`groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1`
			`useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 \|\|`
			`usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1`
			`mkhomedir_helper $USERNAME`
feat: non-root self hosted images for standard deployment (#5701) * Use IHttpMessageHandlerFactory For HTTP Communication Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * feat: allow custom app-id.json location for rootless Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * fix: new build context wont allow copying git context * feat: allow images to run as non-root user * fix: build failures caused by bad merge * build: we don't need to copy the `.git` dir * Revert "build: we don't need to copy the `.git` dir" This reverts commit 32c2f6236a894534de09ffe847ffff064a7174bd. * Use `IHttpClientFactory` in more places * update build workflow * fix: compatibility with the existin run.sh script * fix: compatibility with existing run.sh script * Add SelfHosted GlobalSettings for Setup * Fix my build error * Add other services * Add IConfiguration * fix: missing gosu command for rootful mode * fix: try using .net core certificate handling * fix: add `SSL_CERT_DIR` to remaining images * Remove X509ChainCustomization activation code * Revert "Use IHttpMessageHandlerFactory For HTTP Communication" This reverts commit c93be6d52b12599040d3c3d8a7b3bc854c6c6802. * Revert "fix: build failures caused by bad merge" This reverts commit 3e4639489b6b6c06b5a977a069002fe0c0eb2057. * Revert "Use `IHttpClientFactory` in more places" This reverts commit 284501a4932b819b093406e0bcdf76def22b6eea. * remove unused code * re-add error log for installation id * remove missing error message in log * build: remove duplicate docker+qemu setup steps Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com> * build: optimize for simpler builds over caching * build: restore previous method for getting the GIT_HASH * fix: add missing build args to remaining images * fix: rm extraneous source revision id arg * fmt: apply consistent spacing and rm redundant WORKDIR directive * build: update migrator to use simpler build; apply consistent spacing * fix: merge conflicts; simplify changes * fix: add publish branch check back --------- Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com> 2025-05-30 10:29:47 -07:00
			`# The rest...`
			`chown -R $USERNAME:$GROUPNAME /bitwarden_server`
			`mkdir -p /etc/bitwarden/core/attachments`
			`chown -R $USERNAME:$GROUPNAME /etc/bitwarden`
Fix attachments container (#6165) 2025-08-06 18:44:01 +00:00
feat: non-root self hosted images for standard deployment (#5701) * Use IHttpMessageHandlerFactory For HTTP Communication Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * feat: allow custom app-id.json location for rootless Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * fix: new build context wont allow copying git context * feat: allow images to run as non-root user * fix: build failures caused by bad merge * build: we don't need to copy the `.git` dir * Revert "build: we don't need to copy the `.git` dir" This reverts commit 32c2f6236a894534de09ffe847ffff064a7174bd. * Use `IHttpClientFactory` in more places * update build workflow * fix: compatibility with the existin run.sh script * fix: compatibility with existing run.sh script * Add SelfHosted GlobalSettings for Setup * Fix my build error * Add other services * Add IConfiguration * fix: missing gosu command for rootful mode * fix: try using .net core certificate handling * fix: add `SSL_CERT_DIR` to remaining images * Remove X509ChainCustomization activation code * Revert "Use IHttpMessageHandlerFactory For HTTP Communication" This reverts commit c93be6d52b12599040d3c3d8a7b3bc854c6c6802. * Revert "fix: build failures caused by bad merge" This reverts commit 3e4639489b6b6c06b5a977a069002fe0c0eb2057. * Revert "Use `IHttpClientFactory` in more places" This reverts commit 284501a4932b819b093406e0bcdf76def22b6eea. * remove unused code * re-add error log for installation id * remove missing error message in log * build: remove duplicate docker+qemu setup steps Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com> * build: optimize for simpler builds over caching * build: restore previous method for getting the GIT_HASH * fix: add missing build args to remaining images * fix: rm extraneous source revision id arg * fmt: apply consistent spacing and rm redundant WORKDIR directive * build: update migrator to use simpler build; apply consistent spacing * fix: merge conflicts; simplify changes * fix: add publish branch check back --------- Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com> 2025-05-30 10:29:47 -07:00			`gosu_cmd="gosu $USERNAME:$GROUPNAME"`
			`else`
			`gosu_cmd=""`
			`fi`
goso all the things 2018-03-27 14:55:33 -04:00
feat: non-root self hosted images for standard deployment (#5701) * Use IHttpMessageHandlerFactory For HTTP Communication Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * feat: allow custom app-id.json location for rootless Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> * fix: new build context wont allow copying git context * feat: allow images to run as non-root user * fix: build failures caused by bad merge * build: we don't need to copy the `.git` dir * Revert "build: we don't need to copy the `.git` dir" This reverts commit 32c2f6236a894534de09ffe847ffff064a7174bd. * Use `IHttpClientFactory` in more places * update build workflow * fix: compatibility with the existin run.sh script * fix: compatibility with existing run.sh script * Add SelfHosted GlobalSettings for Setup * Fix my build error * Add other services * Add IConfiguration * fix: missing gosu command for rootful mode * fix: try using .net core certificate handling * fix: add `SSL_CERT_DIR` to remaining images * Remove X509ChainCustomization activation code * Revert "Use IHttpMessageHandlerFactory For HTTP Communication" This reverts commit c93be6d52b12599040d3c3d8a7b3bc854c6c6802. * Revert "fix: build failures caused by bad merge" This reverts commit 3e4639489b6b6c06b5a977a069002fe0c0eb2057. * Revert "Use `IHttpClientFactory` in more places" This reverts commit 284501a4932b819b093406e0bcdf76def22b6eea. * remove unused code * re-add error log for installation id * remove missing error message in log * build: remove duplicate docker+qemu setup steps Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com> * build: optimize for simpler builds over caching * build: restore previous method for getting the GIT_HASH * fix: add missing build args to remaining images * fix: rm extraneous source revision id arg * fmt: apply consistent spacing and rm redundant WORKDIR directive * build: update migrator to use simpler build; apply consistent spacing * fix: merge conflicts; simplify changes * fix: add publish branch check back --------- Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com> 2025-05-30 10:29:47 -07:00			`exec $gosu_cmd /bitwarden_server/Server \`
			`/contentRoot=/etc/bitwarden/core/attachments \`
			`/webRoot=. \`
			`/serveUnknown=true`