Use deterministic UID/GID in Dockerfile #230

Dockerfile

@@ -12,17 +12,23 @@ LABEL org.opencontainers.image.source="https://github.com/aboutcode-org/dejacode
 LABEL org.opencontainers.image.description="DejaCode"
 LABEL org.opencontainers.image.licenses="AGPL-3.0-only"
 
-ENV APP_NAME dejacode
-ENV APP_USER app
-ENV APP_DIR /opt/$APP_NAME
-ENV VENV_LOCATION /opt/$APP_NAME/.venv
+# Set default values for APP_UID and APP_GID at build-time
+ARG APP_UID=1000
+ARG APP_GID=1000
+
+ENV APP_NAME=dejacode
+ENV APP_USER=app
+ENV APP_UID=${APP_UID}
+ENV APP_GID=${APP_GID}
+ENV APP_DIR=/opt/$APP_NAME
+ENV VENV_LOCATION=/opt/$APP_NAME/.venv
 
 # Force Python unbuffered stdout and stderr (they are flushed to terminal immediately)
-ENV PYTHONUNBUFFERED 1
+ENV PYTHONUNBUFFERED=1
 # Do not write Python .pyc files
-ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONDONTWRITEBYTECODE=1
 # Add the app dir in the Python path for entry points availability
-ENV PYTHONPATH $PYTHONPATH:$APP_DIR
+ENV PYTHONPATH=$PYTHONPATH:$APP_DIR
 
 # OS requirements
 RUN apt-get update \
@@ -36,9 +42,9 @@ RUN apt-get update \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-# Create the APP_USER group, user, and directory with proper permissions
-RUN addgroup --system $APP_USER \
- && adduser --system --group --home=$APP_DIR $APP_USER \
+# Create the APP_USER group, user, and directory with specific UID and GID
+RUN groupadd --gid $APP_GID --system $APP_USER \
+ && useradd --uid $APP_UID --gid $APP_GID --home-dir $APP_DIR --system --create-home $APP_USER \
  && chown $APP_USER:$APP_USER $APP_DIR \
  && mkdir -p /var/$APP_NAME \
  && chown $APP_USER:$APP_USER /var/$APP_NAME
@@ -53,7 +59,7 @@ RUN mkdir -p /var/$APP_NAME/static/ /var/$APP_NAME/media/
 # Create the virtualenv
 RUN python -m venv $VENV_LOCATION
 # Enable the virtualenv, similar effect as "source activate"
-ENV PATH $VENV_LOCATION/bin:$PATH
+ENV PATH=$VENV_LOCATION/bin:$PATH
 
 # Install the dependencies before the codebase COPY for proper Docker layer caching
 COPY --chown=$APP_USER:$APP_USER setup.cfg setup.py $APP_DIR/

docker-compose.yml

@@ -23,6 +23,31 @@ services:
       - redis_data:/data
     restart: always
 
+  # This service is responsible for ensuring the correct ownership of files
+  # in the shared volumes used by the application (static and media).
+  # It ensures that all files inside the `/var/dejacode/` directory are owned
+  # by the user and group with the UID and GID defined in the environment variables
+  # APP_UID and APP_GID, which default to 1000 if not set.
+  #
+  # The service runs only once (due to "restart: no") and performs a `chown` operation
+  # to change the ownership of the static and media directories, ensuring proper
+  # file access rights for the running application containers.
+  #
+  # Volumes mounted:
+  # - static: Ensures the ownership of static files in the /var/dejacode/static directory
+  # - media: Ensures the ownership of media files in the /var/dejacode/media directory
+  #
+  # Notes: This service can be removed once DejaCode 5.3.0 will be released.
+  chown:
+    image: alpine:latest
+    restart: "no"
+    command: chown -R ${APP_UID:-1000}:${APP_GID:-1000} /var/dejacode/
+    env_file:
+      - docker.env
+    volumes:
+      - static:/var/dejacode/static
+      - media:/var/dejacode/media
+
   web:
     build: .
     command: sh -c "
@@ -46,6 +71,8 @@ services:
         condition: service_started
       clamav:
         condition: service_started
+      chown:
+        condition: service_completed_successfully
 
   worker:
     build: .
@@ -63,6 +90,7 @@ services:
       - redis
       - db
       - web
+      - chown
 
   scheduler:
     build: .
@@ -78,6 +106,7 @@ services:
       - redis
       - db
       - web
+      - chown
 
   nginx:
     image: nginx:alpine