2 Commits

Author SHA1 Message Date
ppaslan
a49152d08d feat: add non-root fast path for K8s and hardened Docker deployments (#415)
The container previously required starting as root to handle PUID/PGID/UMASK
and chown the config volume. This made it incompatible with Kubernetes Pod
Security Standards (runAsNonRoot, capability dropping) and hardened Docker
setups.

The entrypoint now detects if it is already running as a non-root user and
skips all privilege operations, execing the app directly. Volume ownership
is expected to be handled externally (K8s fsGroup, pre-provisioned storage).

A build-time profilarr user (UID/GID 1000) is added to the image so tooling
that requires a named passwd entry is satisfied. Existing root/PUID/PGID
behaviour is unchanged.

Co-authored-by: ppaslan <pal@aslan.cx>
2026-04-10 06:43:16 +09:30
santiagosayshey
7289fc5cd0 feat: security hardening + CI pipeline (#310)
2026-03-08 20:46:01 +10:30
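
The non-root fast path described in the a49152d08d commit message, as an added sketch that is not the project's entrypoint script. `APP_CMD`, `CONFIG_DIR`, the `DRY_RUN` switch and the use of `su-exec` for the privilege drop are assumptions; the writability check is added here because the fast path leaves volume ownership to fsGroup or pre-provisioned storage.

```shell
#!/bin/sh
# Added sketch, not Profilarr's entrypoint. Assumptions: APP_CMD, CONFIG_DIR,
# su-exec as the privilege-drop tool, and the DRY_RUN switch.
APP_CMD="${APP_CMD:-/app/server}"     # placeholder application command
CONFIG_DIR="${CONFIG_DIR:-/config}"   # placeholder config volume
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Non-root start means nobody will chown the volume for us, so confirm that
# fsGroup or pre-provisioned storage already made it writable.
check_config_writable() {
    [ -d "$1" ] && [ -w "$1" ] && return 0
    echo "config dir $1 is not writable by UID $(id -u)" >&2
    return 1
}

# $1 = UID the container was started as (passed in so both paths are testable).
entrypoint() {
    uid="$1"
    if [ "$uid" -ne 0 ]; then
        # Fast path: no chown, no user switch, no capabilities needed.
        if [ -n "${PUID:-}${PGID:-}" ]; then
            echo "PUID/PGID ignored: already running as UID $uid" >&2
        fi
        # A dry run only reports an unwritable volume; a real run stops here.
        check_config_writable "$CONFIG_DIR" || [ "$DRY_RUN" = 1 ] || return 1
        run exec "$APP_CMD"
        return 0
    fi
    # Root path: apply UMASK, fix volume ownership, then drop privileges.
    run umask "${UMASK:-022}"
    run chown -R "${PUID:-1000}:${PGID:-1000}" "$CONFIG_DIR"
    run exec su-exec "${PUID:-1000}:${PGID:-1000}" "$APP_CMD"
}

entrypoint "$(id -u)"
```

Under a pod spec with `runAsNonRoot` and all capabilities dropped, only the first branch can succeed, so an unwritable volume shows up as an explicit startup error instead of a later write failure.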