From 8e0ccf59e0de018a4eae8c1b8d79274bcb1be1d3 Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 12:35:14 -0400 Subject: [PATCH 01/16] added PUID and GUID Args For buildtime UID and GID specification, Add User and Group with those ids and set User at entrypiont call. there will be permission errors. --- Dockerfile | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 816bdd3c3..8239e4761 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,7 +25,7 @@ RUN apk add --no-cache --update \ unzip WORKDIR /server -COPY index.js package* /server +COPY index.js package* /server/ COPY /server /server/server RUN case "$TARGETPLATFORM" in \ @@ -45,12 +45,18 @@ FROM node:20-alpine ARG NUSQLITE3_DIR ARG NUSQLITE3_PATH +ARG PUID=1000 +ARG PGID=1000 # Install only runtime dependencies RUN apk add --no-cache --update \ tzdata \ ffmpeg \ - tini + tini \ + shadow \ + && addgroup -g ${PGID} audiobookshelf \ + && adduser -u ${PUID} -G audiobookshelf -D audiobookshelf \ + && apk del --purge shadow WORKDIR /app @@ -69,5 +75,6 @@ ENV SOURCE="docker" ENV NUSQLITE3_DIR=${NUSQLITE3_DIR} ENV NUSQLITE3_PATH=${NUSQLITE3_PATH} +USER audiobookshelf ENTRYPOINT ["tini", "--"] CMD ["node", "index.js"] From 7403a0199eb7e93d4c0e224c5ae3b23ef2dd0aab Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 12:46:59 -0400 Subject: [PATCH 02/16] updated build yaml to allow builds in other repos, and build on dev branches --- .github/workflows/docker-build.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index fdb57fbc5..77d71c736 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml 
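Review bot: In the runtime-stage RUN, `addgroup -g ${PGID} audiobookshelf` and `adduser -u ${PUID} -G audiobookshelf -D audiobookshelf` with the 1000/1000 defaults collide with the `node` user and group that `node:20-alpine` already ships at 1000:1000 (later patches in this series rename that account for exactly this reason), so the default build fails with a "gid in use" error. The `shadow` package installed and deleted in the same layer is not needed for these two commands, which are BusyBox builtins, so the install/del pair is dead weight here. If a fresh account is kept rather than renaming `node`, give it no login shell and refuse empty build args instead of letting `-g` swallow the next token: `adduser -u "${PUID:?}" -G audiobookshelf -D -s /sbin/nologin audiobookshelf` (same `:?` guard on `${PGID}` in the `addgroup` line).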
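Review bot: `USER audiobookshelf` drops privileges before the ENTRYPOINT, but nothing in this patch creates or chowns a writable data location for that account, and the commit message itself concedes "there will be permission errors", so the image ships in a known-broken state for any run without a pre-permissioned bind mount; the directory setup belongs in the same commit as the `USER` switch. `EXPOSE 80` sits two lines above: if the server defaults to port 80, binding it unprivileged relies on `net.ipv4.ip_unprivileged_port_start=0`, which Docker 20.10+ sets for containers but other runtimes may not, so either document that or pick a default `PORT` above 1024. A comment on the new line would carry the assumption forward, e.g. `# runs unprivileged (1000:1000 by default); port 80 needs unprivileged-port sysctl or PORT>1024`.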
@@ -10,7 +10,10 @@ on: required: true default: 'latest' push: - branches: [main, master] + branches: + - main + - master + - dev/* tags: - 'v*.*.*' # Only build when files in these directories have been changed @@ -22,7 +25,7 @@ on: jobs: build: - if: ${{ !contains(github.event.head_commit.message, 'skip ci') && github.repository == 'advplyr/audiobookshelf' }} + if: ${{ !contains(github.event.head_commit.message, 'skip ci') }} runs-on: ubuntu-24.04 steps: @@ -33,8 +36,11 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: advplyr/audiobookshelf,ghcr.io/${{ github.repository_owner }}/audiobookshelf + images: | + name:${{ secrets.DOCKERHUB_USERNAME }}/audiobookshelf,enable=${{ github.ref == 'refs/heads/main' && secrets.DOCKER_HUB_USERNAME != '' && secrets.DOCKER_HUB_TOKEN != '' }} + name:ghcr.io/${{ github.repository }},enable=true tags: | + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} type=edge,branch=master type=semver,pattern={{version}} @@ -54,6 +60,10 @@ jobs: - name: Login to Dockerhub uses: docker/login-action@v3 + env: # secrets for Docker hub username and token should be in the registry settings if not docker hub push will be skipped. + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME || '' }} + DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN || '' }} + if: ${{ github.ref == 'refs/heads/main' && env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} From d4e807a86c29a5f6a8040befade4dc8666b9a27c Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 13:11:06 -0400 Subject: [PATCH 03/16] changed default uid and group id to 5000 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8239e4761..9dd933cc5 100644 --- a/Dockerfile +++ b/Dockerfile 
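Review bot: The DockerHub login step is gated on `DOCKERHUB_TOKEN` being non-empty but authenticates with `password: ${{ secrets.DOCKERHUB_PASSWORD }}`, a different secret, so a repository configured exactly as the inline comment instructs (username plus token) passes the `if:` and then fails the login; change it to `password: ${{ secrets.DOCKERHUB_TOKEN }}` or gate on the secret actually used. The `if:` also reads the step's own `env:`; I believe only workflow- and job-level `env` is visible in a step's `if`, not the step's own block — confirm, and if so hoist the two variables to `jobs.build.env`. Removing the `github.repository == 'advplyr/audiobookshelf'` guard together with the new `dev/*` trigger makes every fork push build and publish to that fork's GHCR namespace, which is the stated intent but deserves a comment on the `if:` line, e.g. `# forks build and push to their own ghcr.io namespace; DockerHub push is opt-in via secrets`.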
@@ -45,8 +45,8 @@ FROM node:20-alpine ARG NUSQLITE3_DIR ARG NUSQLITE3_PATH -ARG PUID=1000 -ARG PGID=1000 +ARG PUID=5000 +ARG PGID=5000 # Install only runtime dependencies RUN apk add --no-cache --update \ From aa3a0d7bff8fab241d88fd0b160aea045101785e Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 13:12:51 -0400 Subject: [PATCH 04/16] remove --purge from apt del --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9dd933cc5..882ebfef2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -56,7 +56,7 @@ RUN apk add --no-cache --update \ shadow \ && addgroup -g ${PGID} audiobookshelf \ && adduser -u ${PUID} -G audiobookshelf -D audiobookshelf \ - && apk del --purge shadow + && apk del shadow WORKDIR /app From 3d5eaa6577dceba313001397460d6a48e3b92890 Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 13:26:31 -0400 Subject: [PATCH 05/16] changed to reuse node user, renaming and re-iding. --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 882ebfef2..624d36dbb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -54,8 +54,8 @@ RUN apk add --no-cache --update \ ffmpeg \ tini \ shadow \ - && addgroup -g ${PGID} audiobookshelf \ - && adduser -u ${PUID} -G audiobookshelf -D audiobookshelf \ + && groupmod -g ${PGID} -n audiobookshelf node\ + && usermod -u ${PUID} -l audiobookshelf -m node \ && apk del shadow WORKDIR /app From 71b4f70034e8d9787a3fa6b398e1461b707cf244 Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 13:29:05 -0400 Subject: [PATCH 06/16] added move home to user mod --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 624d36dbb..69b7d9cdc 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -55,7 +55,7 @@ RUN apk add --no-cache --update \ tini \ shadow \ && groupmod -g ${PGID} -n audiobookshelf node\ - && usermod -u ${PUID} -l audiobookshelf -m node \ + && usermod -u ${PUID} -l audiobookshelf -d audiobookshelf -m node \ && apk del shadow WORKDIR /app From 0eb1905d1f538d3d5d6ace7d9c8db48c74d8e636 Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 13:30:16 -0400 Subject: [PATCH 07/16] fixed homepath --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 69b7d9cdc..94d79ca62 100644 --- a/Dockerfile +++ b/Dockerfile @@ -55,7 +55,7 @@ RUN apk add --no-cache --update \ tini \ shadow \ && groupmod -g ${PGID} -n audiobookshelf node\ - && usermod -u ${PUID} -l audiobookshelf -d audiobookshelf -m node \ + && usermod -u ${PUID} -l audiobookshelf -d /home/audiobookshelf -m node \ && apk del shadow WORKDIR /app From 6c79d28329274aa6e32ed458454810d4f903a843 Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 13:36:04 -0400 Subject: [PATCH 08/16] making sure /config and /metadata and are world writable for --user support incase they're not bind mounted. --- Dockerfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 94d79ca62..02dac36b2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -56,7 +56,10 @@ RUN apk add --no-cache --update \ shadow \ && groupmod -g ${PGID} -n audiobookshelf node\ && usermod -u ${PUID} -l audiobookshelf -d /home/audiobookshelf -m node \ - && apk del shadow + && apk del shadow \ + && mkdir -p /config /metadata \ + && chown -R audiobookshelf:audiobookshelf /config /metadata \ + && chmod u=rwx,go=rw /config /metadata WORKDIR /app From ce1540e78116453574c77cf23309dd93315e7850 Mon Sep 17 00:00:00 2001 
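Review bot: `chmod u=rwx,go=rw /config /metadata` omits the execute bit for group and others, and on a directory that means no traversal: a container started with `--user` other than 1000 can neither enter nor create files there, so the commit's stated goal is not met. Opening the directories to everyone (as later patches in this series do with `a=rwx`) fixes that symptom but makes the directory holding the server's database and configuration writable by any UID inside the container; the usual arbitrary-UID pattern is root-group ownership instead, `chown audiobookshelf:0 /config /metadata && chmod 0775 /config /metadata`, with non-default runs documented as `--user <uid>:0` where the deployment can add GID 0. `chown -R` on directories `mkdir -p` has just created recurses over nothing — harmless, but plain `chown` reads truer. Bind mounts replace these modes entirely, so a comment such as `# modes only matter for anonymous volumes / in-image dirs; bind mounts keep host ownership` would save the next reader a question.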
From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 13:38:19 -0400 Subject: [PATCH 09/16] reverted default IDs to 1000 which is what the node user is created as. Though this default for the container was root. Figured 1000 is a safer default then root and will fit most basic user setups. --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 02dac36b2..d55d565b3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -45,8 +45,8 @@ FROM node:20-alpine ARG NUSQLITE3_DIR ARG NUSQLITE3_PATH -ARG PUID=5000 -ARG PGID=5000 +ARG PUID=1000 +ARG PGID=1000 # Install only runtime dependencies RUN apk add --no-cache --update \ From d9e7db2b5c691f49e5e3d8e37b67930c6e9e6ee4 Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 14:02:54 -0400 Subject: [PATCH 10/16] Added Global Definition of PUID and GUID for ease of management only. --- Dockerfile | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index d55d565b3..07e64939a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,9 @@ +# globally defining Arguments and Defaults ARG NUSQLITE3_DIR="/usr/local/lib/nusqlite3" ARG NUSQLITE3_PATH="${NUSQLITE3_DIR}/libnusqlite3.so" +# default Process user id and group id +ARG PUID=1000 +ARG PGID=1000 ### STAGE 0: Build client ### FROM node:20-alpine AS build-client @@ -45,8 +49,8 @@ FROM node:20-alpine ARG NUSQLITE3_DIR ARG NUSQLITE3_PATH -ARG PUID=1000 -ARG PGID=1000 +ARG PUID +ARG PGID # Install only runtime dependencies RUN apk add --no-cache --update \ 
@@ -59,14 +63,14 @@ RUN apk add --no-cache --update \ && apk del shadow \ && mkdir -p /config /metadata \ && chown -R audiobookshelf:audiobookshelf /config /metadata \ - && chmod u=rwx,go=rw /config /metadata + && chmod a=rws /config /metadata WORKDIR /app # Copy compiled frontend and server from build stages -COPY --from=build-client /client/dist /app/client/dist -COPY --from=build-server /server /app -COPY --from=build-server ${NUSQLITE3_PATH} ${NUSQLITE3_PATH} +COPY --chmod=755 --from=build-client /client/dist /app/client/dist +COPY --chmod=755 --from=build-server /server /app +COPY --chmod=755 --from=build-server ${NUSQLITE3_PATH} ${NUSQLITE3_PATH} EXPOSE 80 From df55e2f7e5c9cc429a1f35909e76df7db0696058 Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 14:11:42 -0400 Subject: [PATCH 11/16] rwx not rws.... --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 07e64939a..37f1879a3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -63,7 +63,7 @@ RUN apk add --no-cache --update \ && apk del shadow \ && mkdir -p /config /metadata \ && chown -R audiobookshelf:audiobookshelf /config /metadata \ - && chmod a=rws /config /metadata + && chmod a=rwx /config /metadata WORKDIR /app From 42d4c6fd4cd15fac61662d416289e10baa05bbba Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 14:20:21 -0400 Subject: [PATCH 12/16] Moved to a non-root model. - Added buildargs to specify the User ID and Group IDs. - entrypoint now defaults to running as 1000:1000 rather then 0:0. --- Dockerfile | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 816bdd3c3..ce277b0c9 100644 --- a/Dockerfile +++ b/Dockerfile 
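Review bot: `COPY --chmod=755` applies one mode to every file and directory it copies, so all of `/app` — `package.json`, every `.js` file, the client's static assets and the `libnusqlite3.so` — ends up executable when directories need `755` for traversal and files only need `644`; the files stay root-owned while the server runs as `audiobookshelf`, so the non-writable half is already right, and if nothing under `/app` must be executable a follow-up `RUN find /app -type f -exec chmod 644 {} +` restores least privilege. `chmod a=rws` additionally sets setuid/setgid on the data directories (corrected to `a=rwx` in the next patch); since world-writable is the lasting choice, say why on that line, e.g. `# world-writable so --user <any uid> can write when no bind mount is supplied`. The `ARG PUID` / `ARG PGID` redeclarations without defaults (earlier hunk of this patch) correctly pick up the global defaults added before the first `FROM`.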
@@ -25,7 +25,7 @@ RUN apk add --no-cache --update \ unzip WORKDIR /server -COPY index.js package* /server +COPY index.js package* /server/ COPY /server /server/server RUN case "$TARGETPLATFORM" in \ @@ -50,7 +50,14 @@ ARG NUSQLITE3_PATH RUN apk add --no-cache --update \ tzdata \ ffmpeg \ - tini + tini \ + shadow \ + && groupmod -g ${PGID} -n audiobookshelf node\ + && usermod -u ${PUID} -l audiobookshelf -d /home/audiobookshelf -m node \ + && apk del shadow \ + && mkdir -p /config /metadata \ + && chown -R audiobookshelf:audiobookshelf /config /metadata \ + && chmod a=rwx /config /metadata WORKDIR /app From fd20fb17b2c337cd17c8516b819b41d419b65982 Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 14:36:13 -0400 Subject: [PATCH 13/16] Update docker-build.yml Added Permissions Directive to control token. Switched to Github_TOKEN for package. --- .github/workflows/docker-build.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 77d71c736..7d41b4a9f 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -1,6 +1,8 @@ --- name: Build and Push Docker Image - +permissions: + contents: read + packages: write on: # Allows you to run workflow manually from Actions tab workflow_dispatch: @@ -72,8 +74,8 @@ jobs: uses: docker/login-action@v3 with: registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GHCR_PASSWORD }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Build image uses: docker/build-push-action@v6 From 89e8411ce50abcf09318904dc7653b8c1f86b3db Mon Sep 17 00:00:00 2001 
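Review bot: This patch is diffed against the same base as the first one (`index 816bdd3c3`) and its diffstat is 9 insertions / 2 deletions, all accounted for by the two hunks shown, so neither `ARG PUID`/`ARG PGID` nor a `USER audiobookshelf` line is present in it: `${PGID}` and `${PUID}` expand empty in `groupmod -g  -n audiobookshelf node` (which will fail or mis-parse `-n` as the GID), and even if the layer built, the container would still start as root, contrary to the message's "defaults to running as 1000:1000". Add `ARG PUID=1000` / `ARG PGID=1000` in the runtime stage before this RUN and `USER audiobookshelf` before `ENTRYPOINT`, and make a missing arg stop the build rather than yield a silent root image, e.g. `groupmod -g "${PGID:?PGID must be set}" -n audiobookshelf node` and the same `:?` guard on `${PUID}` in the `usermod` line. Whether a rebase elsewhere supplies those lines isn't visible here, so treat this as a check of the squashed result.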
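Review bot: The new `permissions:` block sits at workflow level, so `packages: write` is granted to every job rather than only to the `build` job that pushes; today there is one job, but putting the block under `jobs.build` keeps the grant scoped as the workflow grows. Combined with the `dev/*` push trigger added earlier in this series, every `dev/*` push now carries a token able to publish packages for the repository, which is acceptable but worth stating above the block, e.g. `# GITHUB_TOKEN limited to reading contents and publishing packages; DockerHub uses repo secrets`. Switching GHCR auth from a long-lived `GHCR_PASSWORD` PAT to `${{ secrets.GITHUB_TOKEN }}` with `${{ github.actor }}` is the right move; since this commit is explicitly about controlling the token, pinning the `docker/*` actions (unchanged context here) to commit SHAs would close the remaining supply-chain gap in the same spirit.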
From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 15:12:49 -0400 Subject: [PATCH 14/16] Update docker-build.yml removed manual taging as it was causing issues when no dockerhub secrets are available. --- .github/workflows/docker-build.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 7d41b4a9f..fbf237a66 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -6,11 +6,6 @@ permissions: on: # Allows you to run workflow manually from Actions tab workflow_dispatch: - inputs: - tags: - description: 'Docker Tag' - required: true - default: 'latest' push: branches: - main @@ -39,7 +34,7 @@ jobs: uses: docker/metadata-action@v5 with: images: | - name:${{ secrets.DOCKERHUB_USERNAME }}/audiobookshelf,enable=${{ github.ref == 'refs/heads/main' && secrets.DOCKER_HUB_USERNAME != '' && secrets.DOCKER_HUB_TOKEN != '' }} + name:${{ secrets.DOCKERHUB_USERNAME }}/audiobookshelf,enable=${{ github.ref == 'refs/heads/main' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} name:ghcr.io/${{ github.repository }},enable=true tags: | type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} @@ -80,7 +75,7 @@ jobs: - name: Build image uses: docker/build-push-action@v6 with: - tags: ${{ github.event.inputs.tags || steps.meta.outputs.tags }} + tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} context: . platforms: linux/amd64,linux/arm64 From b7396963726a37ee0926fe5920e94c5e874e37f9 Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Wed, 1 Oct 2025 19:17:58 -0400 Subject: [PATCH 15/16] Update docker-build.yml --- .github/workflows/docker-build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index fbf237a66..657b12a13 100644 
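Review bot: `name:${{ secrets.DOCKERHUB_USERNAME }}/audiobookshelf` puts a secret into an image name: GitHub masks secret values in logs, so every tag that metadata-action and build-push-action print will read `***/audiobookshelf:...`, making push failures hard to diagnose, and a DockerHub username is not sensitive. Store it as a repository variable and reference `${{ vars.DOCKERHUB_USERNAME }}`, keeping only the token in secrets: `enable=${{ github.ref == 'refs/heads/main' && vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}`. Dropping the free-form `inputs.tags` override is an improvement in its own right — a manual run could previously feed an arbitrary tag string into `build-push-action`. (metadata-action expects `name=`, not `name:`, which a later patch in this series corrects.)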
--- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -40,6 +40,9 @@ jobs: type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} type=edge,branch=master type=semver,pattern={{version}} + type=ref,event=branch + type=ref,event=pr + type=sha - name: Setup QEMU uses: docker/setup-qemu-action@v3 From f63847c583186d788bd35d624f296c47a10c4b43 Mon Sep 17 00:00:00 2001 From: Vylyne <94922829+Vylyne@users.noreply.github.com> Date: Thu, 2 Oct 2025 14:06:32 -0400 Subject: [PATCH 16/16] Update docker-build.yml Reverted and replaced : with =... --- .github/workflows/docker-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 657b12a13..0a3a7ecd7 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -34,8 +34,8 @@ jobs: uses: docker/metadata-action@v5 with: images: | - name:${{ secrets.DOCKERHUB_USERNAME }}/audiobookshelf,enable=${{ github.ref == 'refs/heads/main' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} - name:ghcr.io/${{ github.repository }},enable=true + name=${{ secrets.DOCKERHUB_USERNAME }}/audiobookshelf,enable=${{ github.ref == 'refs/heads/main' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} + name=ghcr.io/${{ github.repository }},enable=true tags: | type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} type=edge,branch=master
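Review bot: `type=ref,event=pr` can never match because the workflow's `on:` block has no `pull_request` trigger, so that line is dead and suggests PR images are built when they are not; drop it or add the trigger deliberately (fork PRs would get a read-only `GITHUB_TOKEN` and the push would fail). `type=ref,event=branch` now publishes a tag per `dev/*` branch (slugified, e.g. `dev-foo`) alongside `type=sha`, so each dev push creates public package versions that nothing prunes; if that is intended, a comment on the line, e.g. `# every dev/* push publishes <branch> and sha-<short> tags to ghcr.io`, makes the retention cost explicit.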
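Review bot: `name=ghcr.io/${{ github.repository }}` uses the repository's display case, and GHCR only accepts lowercase image names; recent metadata-action versions lowercase the name automatically, I believe, but confirm, because on a fork with a mixed-case owner (the author's handle `Vylyne` is one) a non-lowercased reference would fail at push. The `name=`/`enable=` key-value form is now correct for metadata-action; gating the DockerHub target on secrets inside `with:` is fine (the `secrets` context is allowed there), though moving the username to `vars.` would avoid log masking of the image name.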