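# First stage - FIPS dev image with dependencies for building
FROM cgr.dev/mattermost.com/glibc-openssl-fips:15-dev@sha256:9223f9245fb026a3c255ce9b7028a069fe11432aa7710713a331eaa36f44851c AS builder

# Use bash with pipefail so a failing stage in a RUN pipeline is not masked by a later one
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Build arguments: uid/gid of the unprivileged account the server runs as
ARG PUID=2000
ARG PGID=2000

# MM_PACKAGE controls which version of mattermost to install, defaults to latest stable enterprise
# e.g. https://releases.mattermost.com/9.7.1/mattermost-9.7.1-linux-amd64.tar.gz
# For a reproducible, auditable build pin MM_PACKAGE to a versioned URL and set
# MM_PACKAGE_SHA256 to the expected hex digest (e.g. --build-arg MM_PACKAGE_SHA256=<sha256-of-MM_PACKAGE>);
# the download is then verified before extraction. With the default empty value no
# verification is performed, which matches the previous behaviour of this file.
ARG MM_PACKAGE="https://latest.mattermost.com/mattermost-enterprise-linux"
ARG MM_PACKAGE_SHA256=""

# Install needed packages and indirect dependencies (--no-cache keeps the apk index out of the layer)
USER 0:0
RUN apk add --no-cache \
    curl \
    ca-certificates \
    mailcap \
    unrtf \
    wv \
    poppler-utils \
    tzdata

# Create the mattermost group/user and the directory tree it owns.
# /mattermost/.postgresql is the PostgreSQL client SSL directory used for ssl_mode=require;
# it is created before the chown below so the 0700 directory belongs to mattermost, not root.
RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins /mattermost/.postgresql \
    && chmod 700 /mattermost/.postgresql \
    && addgroup -g "${PGID}" mattermost \
    && adduser -D -u "${PUID}" -G mattermost -g "" -s /bin/sh -h /mattermost mattermost

# Download Mattermost and extract it into / (the tarball carries a top-level mattermost/ directory).
# -f makes curl fail on an HTTP error instead of handing an error page to tar; the archive is
# written to disk first so its digest can be checked when MM_PACKAGE_SHA256 is supplied
# (the check needs sha256sum in the builder image and is skipped when the ARG is empty).
RUN curl -fsSL -o /tmp/mattermost.tar.gz "${MM_PACKAGE}" \
    && if [[ -n "${MM_PACKAGE_SHA256}" ]]; then \
         printf '%s  %s\n' "${MM_PACKAGE_SHA256}" /tmp/mattermost.tar.gz | sha256sum -c -; \
       fi \
    && tar -xzf /tmp/mattermost.tar.gz -C / \
    && rm -f /tmp/mattermost.tar.gz \
    && chown -R mattermost:mattermost /mattermost

# Create /var/tmp directory needed for local socket files
RUN mkdir -p /var/tmp \
    && chmod 755 /var/tmp

# Final stage using FIPS runtime image
FROM cgr.dev/mattermost.com/glibc-openssl-fips:15@sha256:7947eecc0d82fa3bc661aaca039bcd86d55fdf3ee581c8ecdef1b3c6f63fa83a

# ARGs do not cross stage boundaries: redeclare them so the --chown values below follow
# PUID/PGID instead of a hard-coded 2000:2000 that silently diverges from the builder
# stage when the build args are overridden
ARG PUID=2000
ARG PGID=2000

# Some ENV variables
ENV PATH="/mattermost/bin:${PATH}"
# Local mode is what the HEALTHCHECK's `mmctl --local` below relies on
ENV MM_SERVICESETTINGS_ENABLELOCALMODE="true"
ENV MM_INSTALL_TYPE="docker"

# Copy over metadata files needed by runtime
COPY --from=builder /etc/mime.types /etc

# CA certificates for SSL/TLS validation. Deliberately left root-owned (no --chown):
# the runtime process only needs read access, and a trust store writable by the
# application user would let a compromised process add its own CA.
COPY --from=builder /etc/ssl/certs /etc/ssl/certs

# Copy document processing utilities and necessary support files
COPY --from=builder /usr/bin/pdftotext /usr/bin/pdftotext
COPY --from=builder /usr/bin/wvText /usr/bin/wvText
COPY --from=builder /usr/bin/wvWare /usr/bin/wvWare
COPY --from=builder /usr/bin/unrtf /usr/bin/unrtf
COPY --from=builder /usr/share/wv /usr/share/wv

# Copy necessary libraries for document processing utilities
COPY --from=builder /usr/lib/libpoppler.so* /usr/lib/
COPY --from=builder /usr/lib/libfreetype.so* /usr/lib/
COPY --from=builder /usr/lib/libpng16.so* /usr/lib/
COPY --from=builder /usr/lib/libwv.so* /usr/lib/
COPY --from=builder /usr/lib/libfontconfig.so* /usr/lib/

# Copy mattermost from builder stage, owned by the unprivileged runtime user
COPY --from=builder --chown=${PUID}:${PGID} /mattermost /mattermost

# Copy group and passwd files including mattermost user
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group

# Copy /var/tmp directory needed for local socket files (must be writable by the runtime user)
COPY --from=builder --chown=${PUID}:${PGID} /var/tmp /var/tmp

# We should refrain from running as privileged user
USER mattermost

# Healthcheck to make sure container is ready - using mmctl instead of curl for distroless compatibility
HEALTHCHECK --interval=30s --timeout=10s \
    CMD ["/mattermost/bin/mmctl", "system", "status", "--local"]

# Configure entrypoint and command with proper permissions
WORKDIR /mattermost
CMD ["/mattermost/bin/mattermost"]

EXPOSE 8065 8067 8074 8075

# Declare volumes for mount point directories
VOLUME ["/mattermost/data", "/mattermost/logs", "/mattermost/config", "/mattermost/plugins", "/mattermost/client/plugins"]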