feat!: use rootless OCI image

With this change, the image is built rootless. BREAKING CHANGE: Container is now running rootless. You need to update the ownership of your database file to uid and gid 65532. For details, see the updating instructions.
envelope-zero · Jan 1, 2024 · 9c7634b · 9c7634b
1 parent 87989ab
commit 9c7634b
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 15 deletions.
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -32,16 +32,20 @@ changelog:
       regexp: "^.*chore(deps):+.*$"
       order: 3
 
-dockers:
-  - dockerfile: Dockerfile.goreleaser
-    image_templates:
-      - "ghcr.io/envelope-zero/backend:{{ .Tag }}"
-      - "ghcr.io/envelope-zero/backend:v{{ .Major }}"
-      - "ghcr.io/envelope-zero/backend:v{{ .Major }}.{{ .Minor }}"
-      - "ghcr.io/envelope-zero/backend:latest"
-
-    build_flag_templates:
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
+kos:
+  - repository: ghcr.io/envelope-zero/backend
+    tags:
+      - "{{ .Tag }}" # v{{ .Major}}.{{ .Minor }}.{{ .Patch }}
+      - "v{{ .Major }}"
+      - "v{{ .Major }}.{{ .Minor }}"
+      - latest
+    bare: true
+    preserve_import_paths: false
+    platforms:
+      - linux/amd64
+      - linux/arm64
+    labels:
+      org.opencontainers.image.created: "{{.Date}}"
+      org.opencontainers.image.revision: "{{.FullCommit}}"
+      org.opencontainers.image.title: "{{.ProjectName}}"
+      org.opencontainers.image.version: "{{.Version}}"
diff --git a/README.md b/README.md
@@ -53,6 +53,9 @@ persistence:
   enabled: true
   mountPath: /data
 
+podSecurityContext:
+  fsGroup: 65532
+
 affinity:
   podAffinity:
     requiredDuringSchedulingIgnoredDuringExecution:

diff --git a/docs/upgrading.md b/docs/upgrading.md
@@ -6,10 +6,21 @@ If upgrades between versions require manual actions, those are described here.
 
 # to v4.0.0
 
-1. Upgrade to v3.22.2 before upgrading to v4.0.0
+For breaking changes to functionality, see the release notes. Upgrade as follows:
+
+## Using the binary directly
+
+1. Upgrade to v3.22.2 before upgrading to v4.0.0.
 2. Upgrade to v4.0.0
 
-For breaking changes, see the release notes
+## Using the OCI image
+
+With the upgrade to v4.0.0, the image will now run rootless.
+
+1. Upgrade to v3.22.2 before upgrading to v4.0.0.
+2. Turn off your backend instance. This depends on how you have deployed the backend. On Kubernetes, scale the Deployment to 0, with docker(-compose), delete the container.
+3. Update the ownership of the database file. Enter the directory where it is stored and run `chown 65532:65532 gorm.db` to update the permissions to the user the image is now using.
+4. Upgrade to v4.0.0
 
 # to v3.0.0