
feat(docker): configure botpress user for the docker image (#11937)
* chore(docker): configure botpress user for the docker image

* fix permissions not being set properly

* run bins as botpress user + mount permissions fix

* add warning when running botpress as root
laurentlp committed Jul 22, 2022
1 parent e90f9d5 commit b5b6492
Showing 6 changed files with 64 additions and 11 deletions.
1 change: 1 addition & 0 deletions .github/workflows/docker.yml
Expand Up @@ -63,6 +63,7 @@ jobs:
yarn run build --linux --prod --verbose
yarn run package --linux
cp build/docker/Dockerfile packages/bp/binaries/
cp build/docker/docker-entrypoint.sh packages/bp/binaries/
- name: DockerHub Authentication
uses: docker/login-action@v1
if: ${{ steps.prep.outputs.release }}
31 changes: 22 additions & 9 deletions build/docker/Dockerfile
@@ -1,26 +1,39 @@
FROM ubuntu:20.04

ADD . /botpress
WORKDIR /botpress
ENV BP_WORKDIR=/botpress
ENV BP_USER=botpress
ENV BP_GROUP=botpress
ENV BP_DATA_PATH $BP_WORKDIR/data

ADD . $BP_WORKDIR
WORKDIR $BP_WORKDIR

RUN apt update && \
apt install -y wget ca-certificates && \
update-ca-certificates && \
wget -O duckling https://s3.amazonaws.com/botpress-binaries/duckling-example-exe && \
chmod +x duckling && \
chmod +x bp && \
chgrp -R 0 /botpress && \
chmod -R g=u /botpress && \
apt install -y tzdata && \
ln -fs /usr/share/zoneinfo/UTC /etc/localtime && \
dpkg-reconfigure --frontend noninteractive tzdata && \
./bp extract
dpkg-reconfigure --frontend noninteractive tzdata

RUN chmod +x duckling && chmod +x bp

RUN ./bp extract

# Creates botpress user and group
RUN groupadd -g 999 $BP_GROUP && \
useradd -m -r -u 999 -g $BP_GROUP $BP_USER

# Sets ownership of the workdir to the botpress user
RUN chown -R $BP_USER:$BP_GROUP $BP_WORKDIR

ENV BP_MODULE_NLU_DUCKLINGURL=http://localhost:8000
ENV BP_IS_DOCKER=true

ENV LANG=C.UTF-8
EXPOSE 3000

CMD ./duckling & ./bp
COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]

CMD su - botpress -c "$BP_WORKDIR/duckling & $BP_WORKDIR/bp"
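Review bot: The `CMD su - botpress -c "$BP_WORKDIR/duckling & $BP_WORKDIR/bp"` on the hunk's last line starts a login shell, and `su -` on Ubuntu clears the inherited environment (apart from TERM), so values handed to the container with `docker run -e` — database URL, port, any `BP_*` override — never reach `bp`; only `$BP_WORKDIR` survives because the root shell expands it before `su` runs, which is also why the paths had to become absolute. Dropping privileges in the entrypoint with util-linux's `setpriv`, which the ubuntu:20.04 base already ships, keeps both environment and working directory: in docker-entrypoint.sh `exec setpriv --reuid="$BP_USER" --regid="$BP_GROUP" --init-groups "$@"` and here `CMD ./duckling & ./bp`. With either approach the container still starts as root for the entrypoint, so the `isElevated()` warning added in bootstrap.ts is not expected to fire for this image; a one-line comment above `ENTRYPOINT` stating that would save the next reader the question. Separately, the standalone `RUN chown -R $BP_USER:$BP_GROUP $BP_WORKDIR` executes in its own layer and therefore copies every file written by the earlier layers into the image a second time; folding the chown into the `RUN ./bp extract` step, or using `ADD --chown=999:999 . $BP_WORKDIR` (numeric ids work before the user exists), avoids the duplication.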
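--- a/build/docker/docker-entrypoint.sh
+++ b/build/docker/docker-entrypoint.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Creates the Botpress data folder and sets botpress as the owner
+mkdir -p $BP_DATA_PATH;
+chown -R $BP_USER:$BP_GROUP $BP_DATA_PATH;
+
+# Executes the command (CMD) passed to the container
+exec "$@";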
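Review bot: `$BP_DATA_PATH`, `$BP_USER` and `$BP_GROUP` on lines 4 and 5 are expanded unquoted and never checked, so a path containing spaces splits into several operands, and an unset `BP_DATA_PATH` leaves `chown -R` failing with "missing operand" while the container keeps starting; since this runs as root on every start, the recursive chown should only ever see a path that is known to be set. `set -u` after the shebang together with `mkdir -p "$BP_DATA_PATH"` and `chown -R "$BP_USER:$BP_GROUP" "$BP_DATA_PATH"` makes an unset variable abort before anything on disk is touched; the trailing semicolons are no-ops in bash and can go. Worth adding to the first comment that on a bind mount this chown also rewrites ownership of the host's files at each start, which can be slow for a large data directory.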
2 changes: 2 additions & 0 deletions packages/bp/package.json
Expand Up @@ -54,6 +54,7 @@
"https-proxy-agent": "^2.2.3",
"intl-messageformat": "^2.2.0",
"inversify": "^4.13.0",
"is-elevated": "^3.0.0",
"json-schema-defaults": "^0.4.0",
"jsonlint-mod": "^1.7.6",
"jsonwebtoken": "^8.5.1",
Expand Down Expand Up @@ -109,6 +110,7 @@
"joi": "^13.6.0"
},
"devDependencies": {
"@types/is-elevated": "^2.0.0",
"@types/mustache": "^4.1.2"
},
"optionalDependencies": {
11 changes: 10 additions & 1 deletion packages/bp/src/core/app/bootstrap.ts
Expand Up @@ -9,6 +9,7 @@ import { ModuleConfigEntry } from 'core/config'
import { LoggerProvider } from 'core/logger'
import { ModuleLoader, ModuleResolver } from 'core/modules'
import fs from 'fs'
import isElevated from 'is-elevated'
import { AppLifecycle, AppLifecycleEvents } from 'lifecycle'
import _ from 'lodash'
import { setupMasterNode, setupWebWorker, WorkerType } from 'orchestrator'
Expand Down Expand Up @@ -112,8 +113,16 @@ async function start() {
const loggerProvider = createLoggerProvider()
if (cluster.isMaster) {
await setupDebugLogger(loggerProvider)
const logger = await getLogger(loggerProvider, 'Cluster')

if (await isElevated()) {
logger.warn(
'You are running Botpress as a privileged user. This is not recommended. Please consider running it as an unprivileged user.'
)
}

// The master process only needs getos and rewire
return setupMasterNode(await getLogger(loggerProvider, 'Cluster'))
return setupMasterNode(logger)
}

await setupDebugLogger(loggerProvider)
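Review bot: `await isElevated()` in the new `if` only feeds a warning, yet it has no error handling, so any rejection aborts `start()` before `setupMasterNode(logger)` is reached; per the lockfile the package resolves through `is-admin`, which depends on `execa`, which suggests it spawns a process on Windows and so has a real failure path. `const elevated = await isElevated().catch(() => false)` followed by `if (elevated) {` keeps the check best-effort. A short comment above it would also help, e.g. `// Checked once on the master; forked workers run under the same uid` — confirm no worker is ever started under a different user. `start()` begins and ends outside the hunk.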
22 changes: 21 additions & 1 deletion yarn.lock
Expand Up @@ -3908,6 +3908,11 @@
dependencies:
"@types/node" "*"

"@types/is-elevated@^2.0.0":
version "2.0.0"
resolved "https://registry.yarnpkg.com/@types/is-elevated/-/is-elevated-2.0.0.tgz#783a70e7226241a4e4f4918d3450f0e404f33c63"
integrity sha512-vhf0oGLj1/oGs8YnqSrmUJ+BGpNtiJlnNUj4P2ywiBRCkkWL/wrSF+ineCbonKtSVDmIjEIu6amLY1hYmD3mYQ==

"@types/istanbul-lib-coverage@*", "@types/istanbul-lib-coverage@^2.0.0":
version "2.0.1"
resolved "https://registry.yarnpkg.com/@types/istanbul-lib-coverage/-/istanbul-lib-coverage-2.0.1.tgz#42995b446db9a48a11a07ec083499a860e9138ff"
Expand Down Expand Up @@ -12885,6 +12890,13 @@ is-accessor-descriptor@^1.0.0:
dependencies:
kind-of "^6.0.0"

is-admin@^3.0.0:
version "3.0.0"
resolved "https://registry.yarnpkg.com/is-admin/-/is-admin-3.0.0.tgz#5c6077fd235e056c3dbc0b6f1bbd23ff96e97135"
integrity sha512-wOa3CXFJAu8BZ2BDtG9xYOOrsq6oiSvc2jFPy4X/HINx5bmJUcW8e+apItVbU2E7GIfBVaFVO7Zit4oAWtTJcw==
dependencies:
execa "^1.0.0"

is-any-array@^0.0.3:
version "0.0.3"
resolved "https://registry.yarnpkg.com/is-any-array/-/is-any-array-0.0.3.tgz#cbdd8c7189d47b53b050969245f4ef7e55550b9b"
Expand Down Expand Up @@ -13043,6 +13055,14 @@ is-dotfile@^1.0.0:
resolved "https://registry.npmjs.org/is-dotfile/-/is-dotfile-1.0.3.tgz#a6a2f32ffd2dfb04f5ca25ecd0f6b83cf798a1e1"
integrity sha1-pqLzL/0t+wT1yiXs0Pa4PPeYoeE=

is-elevated@^3.0.0:
version "3.0.0"
resolved "https://registry.yarnpkg.com/is-elevated/-/is-elevated-3.0.0.tgz#f0de684f89b5144179ae1729ba8af590b8e0cecb"
integrity sha512-wjcp6RkouU9jpg55zERl+BglvV5j4jx5c/EMvQ+d12j/+nIEenNWPu+qc0tCg3JkLodbKZMg1qhJzEwG4qjclg==
dependencies:
is-admin "^3.0.0"
is-root "^2.1.0"

is-equal-shallow@^0.1.3:
version "0.1.3"
resolved "https://registry.npmjs.org/is-equal-shallow/-/is-equal-shallow-0.1.3.tgz#2238098fc221de0bcfa5d9eac4c45d638aa1c534"
Expand Down Expand Up @@ -13288,7 +13308,7 @@ is-retry-allowed@^2.2.0:
resolved "https://registry.npmjs.org/is-retry-allowed/-/is-retry-allowed-2.2.0.tgz#88f34cbd236e043e71b6932d09b0c65fb7b4d71d"
integrity sha512-XVm7LOeLpTW4jV19QSH38vkswxoLud8sQ57YwJVTPWdiaI9I8keEhGFpBlslyVsgdQy4Opg8QOLb8YRgsyZiQg==

is-root@2.1.0:
is-root@2.1.0, is-root@^2.1.0:
version "2.1.0"
resolved "https://registry.npmjs.org/is-root/-/is-root-2.1.0.tgz#809e18129cf1129644302a4f8544035d51984a9c"
integrity sha512-AGOriNp96vNBd3HtU+RzFEc75FfR5ymiYv8E553I71SCeXBiMsVDUtdio1OEFvrPyLIQ9tVR5RxXIFe5PUFjMg==
