From b0b0059d4711eb5fc441d82c874e23fbe009e6ce Mon Sep 17 00:00:00 2001
From: Fanch
Date: Thu, 23 Oct 2025 15:40:58 +0200
Subject: [PATCH] dockerfile mattermost
---
dockers/mattermost/Dockerfile | 87 +++++++++++++++++++++++++++++++++++
1 file changed, 87 insertions(+)
create mode 100644 dockers/mattermost/Dockerfile
diff --git a/dockers/mattermost/Dockerfile b/dockers/mattermost/Dockerfile
new file mode 100644
index 0000000..eb411db
--- /dev/null
+++ b/dockers/mattermost/Dockerfile
@@ -0,0 +1,87 @@
+# First stage - Ubuntu with document processing dependencies and curl for downloading
+FROM ubuntu:noble-20250415.1@sha256:dc17125eaac86538c57da886e494a34489122fb6a3ebb6411153d742594c2ddc AS builder
+# Setting bash as our shell, and enabling pipefail option
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Build Arguments
+ARG PUID=2000
+ARG PGID=2000
+# MM_PACKAGE build arguments controls which version of mattermost to install, defaults to latest stable enterprise
+# e.g. https://releases.mattermost.com/9.7.1/mattermost-9.7.1-linux-amd64.tar.gz
+ARG MM_PACKAGE="https://latest.mattermost.com/mattermost-enterprise-linux"
+
+# Install needed packages and indirect dependencies
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
+ ca-certificates \
+ curl \
+ media-types \
+ mailcap \
+ unrtf \
+ wv \
+ poppler-utils \
+ tidy \
+ tzdata \
+ && rm -rf /var/lib/apt/lists/*
+
+# Set mattermost group/user and download Mattermost
+RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
+ && groupadd --gid ${PGID} mattermost \
+ && useradd --uid ${PUID} --gid ${PGID} --comment "" --home-dir /mattermost mattermost \
+ && curl -L $MM_PACKAGE | tar -xvz \
+ && chown -R mattermost:mattermost /mattermost /mattermost/data /mattermost/plugins /mattermost/client/plugins
+
+# Create PostgreSQL client SSL directory structure for ssl_mode=require
+RUN mkdir -p /mattermost/.postgresql \
+ && chmod 700 /mattermost/.postgresql
+
+# Final stage using distroless for minimal attack surface
+FROM gcr.io/distroless/base-debian12
+
+# Some ENV variables
+ENV PATH="/mattermost/bin:${PATH}"
+ENV MM_SERVICESETTINGS_ENABLELOCALMODE="true"
+
+# Copy over metadata files needed by runtime
+COPY --from=builder /etc/mime.types /etc
+
+# Copy CA certificates for SSL/TLS validation with proper ownership
+COPY --from=builder --chown=2000:2000 /etc/ssl/certs /etc/ssl/certs
+
+# Copy document processing utilities and necessary support files
+COPY --from=builder /usr/bin/pdftotext /usr/bin/pdftotext
+COPY --from=builder /usr/bin/wvText /usr/bin/wvText
+COPY --from=builder /usr/bin/wvWare /usr/bin/wvWare
+COPY --from=builder /usr/bin/unrtf /usr/bin/unrtf
+COPY --from=builder /usr/bin/tidy /usr/bin/tidy
+COPY --from=builder /usr/share/wv /usr/share/wv
+
+# Copy necessary libraries for document processing utilities
+COPY --from=builder /usr/lib/x86_64-linux-gnu/libpoppler.so* /usr/lib/
+COPY --from=builder /usr/lib/x86_64-linux-gnu/libfreetype.so* /usr/lib/
+COPY --from=builder /usr/lib/x86_64-linux-gnu/libpng16.so* /usr/lib/
+COPY --from=builder /usr/lib/x86_64-linux-gnu/libwv-1.2.so* /usr/lib/
+COPY --from=builder /usr/lib/x86_64-linux-gnu/libtidy.so* /usr/lib/
+COPY --from=builder /usr/lib/x86_64-linux-gnu/libfontconfig.so* /usr/lib/
+
+# Copy mattermost from builder stage
+COPY --from=builder --chown=2000:2000 /mattermost /mattermost
+
+# Copy passwd including mattermost user
+COPY passwd /etc/passwd
+
+# We should refrain from running as privileged user
+USER mattermost
+
+# Healthcheck to make sure container is ready - using mmctl instead of curl for distroless compatibility
+HEALTHCHECK --interval=30s --timeout=10s \
+ CMD ["/mattermost/bin/mmctl", "system", "status", "--local"]
+
+# Configure entrypoint and command with proper permissions
+WORKDIR /mattermost
+CMD ["/mattermost/bin/mattermost"]
+
+EXPOSE 8065 8067 8074 8075
+
+# Declare volumes for mount point directories
+VOLUME ["/mattermost/data", "/mattermost/logs", "/mattermost/config", "/mattermost/plugins", "/mattermost/client/plugins"]
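Review bot: The `curl -L $MM_PACKAGE | tar -xvz` step in the builder stage unpacks whatever the `latest.mattermost.com` redirect serves at build time, with no version pin and no checksum, even though the builder base image is pinned by digest; without `-f`, an HTTP error body is also piped straight into tar. Pin `MM_PACKAGE` to a versioned release URL and verify a SHA-256 before extracting, as sketched below (the version and digest are placeholders to fill in from the published release). The final stage has the same gap, since `FROM gcr.io/distroless/base-debian12` carries neither tag nor digest. Separately, `--chown=2000:2000` on `/etc/ssl/certs` makes the trust store owned by the runtime user, so a compromised server process could add roots; leaving it root-owned is safer. The hard-coded 2000 also diverges from `PUID`/`PGID` when those build arguments are overridden.

```dockerfile
ARG MM_PACKAGE="https://releases.mattermost.com/<VERSION>/mattermost-<VERSION>-linux-amd64.tar.gz"
# Placeholder: SHA-256 of the pinned tarball, taken from the vendor's release page
ARG MM_PACKAGE_SHA256="<SHA256_OF_PINNED_TARBALL>"
# … unchanged: apt-get install, mkdir, groupadd, useradd …
    && curl -fsSL -o /tmp/mattermost.tar.gz "${MM_PACKAGE}" \
    && echo "${MM_PACKAGE_SHA256}  /tmp/mattermost.tar.gz" | sha256sum -c - \
    && tar -xzf /tmp/mattermost.tar.gz \
    && rm /tmp/mattermost.tar.gz \
    && chown -R mattermost:mattermost /mattermost
```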