Run script in conatiner as unrivileged user.

docker/Dockerfile

@@ -2,6 +2,8 @@ FROM alpine:latest
 
 ENV TZ="UTC"
 ENV SCHEDULE="* * * * *"
+ENV PUID=1000
+ENV PGID=1000
 
 ## Configure runtime variables for nsupdate
 ENV NSUPDATE_CONFD_DIR="/config"
@@ -24,6 +26,9 @@ RUN chmod +x /usr/local/bin/nsupdate.sh
 COPY docker/entrypoint.sh /usr/local/bin/entrypoint.sh
 RUN chmod +x /usr/local/bin/entrypoint.sh
 
+# Create volume directories (ownership will be set at runtime)
+RUN mkdir -p /config /log
+
 ## Start crond
 ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
 CMD [ "crond", "-f" ]

docker/docker-compose.yml

@@ -5,7 +5,7 @@ services:
     image: git.debilux.org/chris/nsupdate
     container_name: nsupdate
     environment:
-      - SCHEDULE="*\2 * * * *"
+      - SCHEDULE=*\2 * * * *
       - TZ=Europe/Berlin
       - NSUPDATE_INWX_USER=YOUR_INWX_USERNAME
       - NSUPDATE_INWX_PASSWORD=YOUR_INWX_PASSWORD

docker/entrypoint.sh

@@ -4,9 +4,31 @@ set -eu
 
 SCHEDULE="${SCHEDULE:-* * * * *}"
 CRON_LOG_LEVEL="${CRON_LOG_LEVEL:-2}"
+PUID="${PUID:-1000}"
+PGID="${PGID:-1000}"
 CRON_FILE="/etc/crontabs/root"
 
-printf '%s /usr/local/bin/nsupdate.sh\n' "${SCHEDULE}" > "${CRON_FILE}"
+# Create or update group with specified PGID
+if grep -q "^nsupdate:" /etc/group 2>/dev/null; then
+  delgroup nsupdate 2>/dev/null || true
+fi
+addgroup -g "${PGID}" nsupdate 2>/dev/null || true
+
+# Create or update user with specified PUID
+if grep -q "^nsupdate:" /etc/passwd 2>/dev/null; then
+  deluser nsupdate 2>/dev/null || true
+fi
+adduser -u "${PUID}" -G nsupdate -s /sbin/nologin -D nsupdate 2>/dev/null || true
+
+# Set ownership of volumes
+chown -R "${PUID}:${PGID}" /config /log
+
+# Ensure crontabs directory exists
+mkdir -p "$(dirname "${CRON_FILE}")"
+
+# Write cron job to run as the specified user (by UID:GID)
+printf '%s su -s /bin/sh %s:%s -c /usr/local/bin/nsupdate.sh\n' "${SCHEDULE}" "${PUID}" "${PGID}" > "${CRON_FILE}"
+chmod 600 "${CRON_FILE}"
 
 if [ "$#" -gt 0 ]; then
 	if [ "$1" = "crond" ]; then