From e6fe925dcbfc40aa6282a7fc690e145324f7a339 Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Sat, 3 Jan 2026 01:15:09 +0000
Subject: [PATCH] chore: move directory setup from Helm initContainers to Dockerfiles

- [x] Standardize directory structure across scanner and server Dockerfiles
- [x] Use FHS-compliant paths (/var/cache, /var/lib, /tmp)
- [x] Add explicit permission management (chmod 750) in build stage
- [x] Remove initContainers from both Helm deployments
---
 Dockerfile.scanner | 17 ++++++++---
 Dockerfile.server | 14 +++++++--
 .../templates/deployment-scanner.yaml | 28 -------------------
 .../templates/deployment-server.yaml | 21 --------------
 4 files changed, 23 insertions(+), 57 deletions(-)

diff --git a/Dockerfile.scanner b/Dockerfile.scanner
index 519e0b4..b6dfd90 100644
--- a/Dockerfile.scanner
+++ b/Dockerfile.scanner
@@ -24,9 +24,18 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh |
 RUN addgroup -g 1000 scanner && \
     adduser -D -u 1000 -G scanner scanner
 
-# Create necessary directories
-RUN mkdir -p /data/cache /data/scans && \
-    chown -R scanner:scanner /data
+# Create necessary directories with proper permissions
+RUN mkdir -p /var/cache/gohoarder \
+    /var/lib/gohoarder/metadata \
+    /var/lib/trivy \
+    /tmp/gohoarder && \
+    chown -R scanner:scanner /var/cache/gohoarder \
+    /var/lib/gohoarder \
+    /var/lib/trivy \
+    /tmp/gohoarder && \
+    chmod -R 750 /var/cache/gohoarder \
+    /var/lib/gohoarder \
+    /var/lib/trivy
 
 # Copy binary (from platform-specific path)
 ARG TARGETOS
@@ -37,7 +46,7 @@ RUN chmod +x /usr/local/bin/gohoarder
 # Copy example config
 COPY config.yaml.example /etc/gohoarder/config.yaml.example
 
-WORKDIR /data
+WORKDIR /var/cache/gohoarder
 USER scanner
 
 # Expose metrics port
diff --git a/Dockerfile.server b/Dockerfile.server
index 089eb34..4e0cabf 100644
--- a/Dockerfile.server
+++ b/Dockerfile.server
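Review bot: The `chown`/`chmod -R 750` in the new `RUN` only set ownership on the image layer, but in the Helm chart these same paths (`/var/cache/gohoarder`, `/var/lib/gohoarder/metadata`, `/tmp/gohoarder`, the Trivy cache) are volume mounts, and a mounted PVC or emptyDir shadows the image directory with the volume's own ownership, so uid 1000 only has guaranteed write access if `.Values.podSecurityContext` (not visible here) sets `fsGroup: 1000`. With the initContainer removed nothing at pod start touches those paths any more, so please confirm `fsGroup` is set in values or add above the `RUN`: `# NOTE: ownership/mode here apply to the image layer only; volume-mounted paths rely on podSecurityContext.fsGroup=1000`. Separately, `/tmp/gohoarder` is chowned but left out of the `chmod -R 750` list, so it keeps mkdir's default 0755, and the Trivy cache directory is hard-coded as `/var/lib/trivy` whereas the removed initContainer used `.Values.security.scanners.trivy.cacheDb` — if that value differs, the baked directory is never the one mounted. The unpinned `curl … grype/main/install.sh |` install visible in the hunk header is pre-existing, but a pinned release tag with a checksum would be worth a follow-up.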
@@ -14,9 +14,15 @@ RUN apk add --no-cache \
 RUN addgroup -g 1000 gohoarder && \
     adduser -D -u 1000 -G gohoarder gohoarder
 
-# Create necessary directories
-RUN mkdir -p /data/cache /data/metadata && \
-    chown -R gohoarder:gohoarder /data
+# Create necessary directories with proper permissions
+RUN mkdir -p /var/cache/gohoarder \
+    /var/lib/gohoarder/metadata \
+    /tmp/gohoarder && \
+    chown -R gohoarder:gohoarder /var/cache/gohoarder \
+    /var/lib/gohoarder \
+    /tmp/gohoarder && \
+    chmod -R 750 /var/cache/gohoarder \
+    /var/lib/gohoarder
 
 # Copy binary (from platform-specific path)
 ARG TARGETOS
@@ -27,7 +33,7 @@ RUN chmod +x /usr/local/bin/gohoarder
 # Copy example config
 COPY config.yaml.example /etc/gohoarder/config.yaml.example
 
-WORKDIR /data
+WORKDIR /var/cache/gohoarder
 USER gohoarder
 
 # Expose ports
diff --git a/helm/gohoarder/templates/deployment-scanner.yaml b/helm/gohoarder/templates/deployment-scanner.yaml
index a68e379..c1182f1 100644
--- a/helm/gohoarder/templates/deployment-scanner.yaml
+++ b/helm/gohoarder/templates/deployment-scanner.yaml
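Review bot: `/tmp/gohoarder` is created and `chown`ed in the new `RUN` but omitted from the `chmod -R 750` list, so it stays at mkdir's default 0755 while `/var/cache/gohoarder` and `/var/lib/gohoarder` get 750, which contradicts the commit's "explicit permission management (chmod 750)"; add it: `chmod -R 750 /var/cache/gohoarder \` / `    /var/lib/gohoarder \` / `    /tmp/gohoarder`. Every directory is empty at this point, so `-R` changes nothing and a plain `chmod 750` would read more honestly. As in the scanner image, `/var/cache/gohoarder`, `/var/lib/gohoarder/metadata` and `/tmp/gohoarder` are volume mounts in the Helm deployment, so the image-layer ownership does not reach the running pod; with the initContainer gone, writability depends on `podSecurityContext.fsGroup` being 1000 in values, which is worth a comment on this `RUN` so the next maintainer does not assume the `chown` is sufficient.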
@@ -28,34 +28,6 @@ spec:
       serviceAccountName: {{ include "gohoarder.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      initContainers:
-      - name: init-permissions
-        image: busybox:latest
-        command: ['sh', '-c']
-        args:
-        - |
-          mkdir -p /var/cache/gohoarder /var/lib/gohoarder/metadata /tmp/gohoarder
-          {{- if .Values.security.scanners.trivy.enabled }}
-          mkdir -p {{ .Values.security.scanners.trivy.cacheDb }}
-          {{- end }}
-          chmod 750 /var/cache/gohoarder /var/lib/gohoarder 2>/dev/null || true
-        volumeMounts:
-        - name: storage
-          mountPath: /var/cache/gohoarder
-        - name: metadata
-          mountPath: /var/lib/gohoarder/metadata
-        {{- if .Values.security.scanners.trivy.enabled }}
-        - name: trivy-cache
-          mountPath: {{ .Values.security.scanners.trivy.cacheDb }}
-        {{- end }}
-        - name: tmp
-          mountPath: /tmp/gohoarder
-        securityContext:
-          runAsUser: 1000
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
       containers:
       - name: scanner
         securityContext:
diff --git a/helm/gohoarder/templates/deployment-server.yaml b/helm/gohoarder/templates/deployment-server.yaml
index 915f69b..9bbd6d4 100644
--- a/helm/gohoarder/templates/deployment-server.yaml
+++ b/helm/gohoarder/templates/deployment-server.yaml
@@ -29,27 +29,6 @@ spec:
       serviceAccountName: {{ include "gohoarder.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      initContainers:
-      - name: init-permissions
-        image: busybox:latest
-        command: ['sh', '-c']
-        args:
-        - |
-          mkdir -p /var/cache/gohoarder /var/lib/gohoarder/metadata /tmp/gohoarder
-          chmod 750 /var/cache/gohoarder /var/lib/gohoarder 2>/dev/null || true
-        volumeMounts:
-        - name: storage
-          mountPath: /var/cache/gohoarder
-        - name: metadata
-          mountPath: /var/lib/gohoarder/metadata
-        - name: tmp
-          mountPath: /tmp/gohoarder
-        securityContext:
-          runAsUser: 1000
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
       containers:
       - name: server
         securityContext: