refactor(docker): run all containers as root, add compact log format support

- Docker: remove appuser creation and USER directive in all 7 Dockerfiles - observability: recognize APP_LOG_FORMAT=compact as non-JSON pretty output
2026-05-12 23:59:31 +08:00 · 2026-05-12 23:59:31 +08:00 · 1c55cb8559
commit 1c55cb8559
parent 066bb4e83d
8 changed files with 8 additions and 22 deletions
--- a/docker/app.Dockerfile
+++ b/docker/app.Dockerfile
@ -2,9 +2,7 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates libssl3 openssh-client procps git \
    && rm -rf /var/lib/apt/lists/*
-RUN useradd --system --create-home appuser
+WORKDIR /app
 WORKDIR /home/appuser
 COPY ./target/release/app /bin
 USER appuser
 EXPOSE 3000
 CMD ["app"]
--- a/docker/email.Dockerfile
+++ b/docker/email.Dockerfile
@ -2,9 +2,7 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates libssl3 \
    && rm -rf /var/lib/apt/lists/*
-RUN useradd --system --create-home appuser
+WORKDIR /app
 WORKDIR /home/appuser
 COPY ./target/release/email-worker /bin
 USER appuser
 EXPOSE 8084
 CMD ["email-worker"]
--- a/docker/gingress.Dockerfile
+++ b/docker/gingress.Dockerfile
@ -2,9 +2,7 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates libssl3 \
    && rm -rf /var/lib/apt/lists/*
-RUN useradd --system --create-home appuser
+WORKDIR /app
 WORKDIR /home/appuser
 COPY ./target/release/gingress /bin
 USER appuser
 EXPOSE 80 443 8080
 ENTRYPOINT ["gingress"]
--- a/docker/githook.Dockerfile
+++ b/docker/githook.Dockerfile
@ -2,9 +2,7 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates libssl3 git \
    && rm -rf /var/lib/apt/lists/*
-RUN useradd --system --create-home appuser
+WORKDIR /app
 WORKDIR /home/appuser
 COPY ./target/release/git-hook /bin
 USER appuser
 EXPOSE 8083
 CMD ["git-hook"]
--- a/docker/gitserver.Dockerfile
+++ b/docker/gitserver.Dockerfile
@ -2,9 +2,7 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates libssl3 git openssh-client \
    && rm -rf /var/lib/apt/lists/*
-RUN useradd --system --create-home appuser
+WORKDIR /app
 WORKDIR /home/appuser
 COPY ./target/release/gitserver /bin
 USER appuser
 EXPOSE 8021 2222
 CMD ["gitserver"]
--- a/docker/metrics.Dockerfile
+++ b/docker/metrics.Dockerfile
@ -2,9 +2,7 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates libssl3 \
    && rm -rf /var/lib/apt/lists/*
-RUN useradd --system --create-home appuser
+WORKDIR /app
 WORKDIR /home/appuser
 COPY ./target/release/metrics-aggregator /bin
 USER appuser
 EXPOSE 9090
 CMD ["metrics-aggregator"]
--- a/docker/static.Dockerfile
+++ b/docker/static.Dockerfile
@ -2,9 +2,7 @@ FROM ubuntu:24.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates libssl3 \
    && rm -rf /var/lib/apt/lists/*
-RUN useradd --system --create-home appuser
+WORKDIR /app
 WORKDIR /home/appuser
 COPY ./target/release/static-server /bin
 USER appuser
 EXPOSE 8081
 CMD ["static-server"]
--- a/libs/observability/src/tracing_fmt.rs
+++ b/libs/observability/src/tracing_fmt.rs
@ -41,7 +41,7 @@ pub fn instance_id() -> String {
 fn use_json() -> bool {
    match std::env::var("APP_LOG_FORMAT").as_deref() {
        Ok("json") => true,
-        Ok("pretty") => false,
+        Ok("pretty") | Ok("compact") => false,
        _ => !std::io::stdout().is_terminal(), // TTY → pretty, non-TTY → json
    }
 }