🐋 fix(docker): enforce UID 100 for tor user to resolve permission conflicts

Recent Alpine base images introduce a 'klogd' user at UID 100, which forced the 'tor' package to install as UID 101. This caused "Permission denied" errors for existing data volumes owned by UID 100. This fix: - Removes the conflicting 'klogd' user - Manually creates the 'tor' user with fixed UID 100 / GID 101 - Ensures compatibility with existing persistent volumes
2026-04-06 00:32:04 +02:00 · 2025-12-01 01:40:01 +08:00
parent 84b32e1ce9
commit 7f9f6c328d
2 changed files with 6 additions and 14 deletions
--- a/11
+++ b/11
@@ -4,21 +4,14 @@
 # ============================================================================
 FROM golang:1.25-alpine AS builder

-# Install git to fetch source
 RUN apk add --no-cache git

-# Build Lyrebird (obfs4) from official Tor Project repo
-# We use -ldflags="-s -w" to strip debug symbols and reduce binary size
-# We go get -u to update dependencies to fix CVEs in crypto/net/etc.
 WORKDIR /go/src/lyrebird
 RUN git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird.git . \
 && go get -u ./... \
 && go mod tidy \
 && CGO_ENABLED=0 go build -ldflags="-s -w" -o /usr/bin/lyrebird ./cmd/lyrebird

-# ============================================================================
-# Final Stage: Tor Guard Relay - Ultra-optimized ~16.8 MB container
-# ============================================================================
 FROM alpine:3.22.2

 ARG BUILD_DATE
@@ -43,6 +36,9 @@ SHELL ["/bin/ash", "-eo", "pipefail", "-c"]

 # Note: 'lyrebird' removed from apk add, copying it from builder instead
 RUN set -eux \
+ && deluser klogd || true \
+ && addgroup -g 101 -S tor \
+ && adduser -u 100 -S -D -H -h /var/lib/tor -G tor -s /sbin/nologin tor \
 && apk upgrade --no-cache \
 && apk add --no-cache \
    tor \
@@ -56,7 +52,6 @@ RUN set -eux \
    "${BUILD_VERSION:-unversioned}" "${BUILD_DATE:-unknown}" "${TARGETARCH:-amd64}" > /build-info.txt \
 && rm -rf /var/cache/apk/*

-# Copy compiled Lyrebird from builder stage
 COPY --from=builder /usr/bin/lyrebird /usr/bin/lyrebird

 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh