Run Buffalo Docker image as non-root user #1862

Open
Schparky opened this issue Dec 5, 2019 · 1 comment

@Schparky Schparky commented Dec 5, 2019

Description

The latest gobuffalo/buffalo Docker image (v0.15.1) does not allow execution as a non-root user, which has unfortunate side-effects. Of note, when a build triggers an update of go.mod, the file ownership will be changed to root. In development, this can be problematic if an IDE needs access to this file mapped to the development machine by a Docker volume.

Steps to Reproduce the Problem

Dockerfile-dev:

FROM gobuffalo/buffalo:v0.15.1
RUN mkdir -p /app && chmod 770 /app
WORKDIR /app
ADD . .
ENV GO111MODULE=on
RUN useradd user && usermod -a -G root user && mkdir /home/user
USER user
RUN go get ./...

CMD ["buffalo", "dev"]

docker-compose.yml:

version: "3.7"

services:
  buff:
    build:
      context: ./application
      dockerfile: Dockerfile-dev
    volumes:
      - ./application:/app
      - ./dev:/app/dev
    ports:
      - "3000:3000"
    env_file:
      - ./.env
    environment:
      ADDR: 0.0.0.0
      HOST: http://app.local:3000
      PORT: 3000
      APP_NAME: Buffalo App
      GO_ENV: development
    command: buffalo dev

Expected Behavior

I would like a docker-compose build to run this app with no problems, and not muck with file ownership on my development machine.

Actual Behavior

Truncated output of docker-compose build:

Step 12/15 : RUN go get ./...
 ---> Running in 06eba4864eac
go: writing go.mod cache: open /go/pkg/mod/cache/download/github.com/gobuffalo/suite/@v/v2.8.1+incompatible.mod277341737.tmp: permission denied
go: writing go.mod cache: open /go/pkg/mod/cache/download/github.com/cockroachdb/cockroach-go/@v/v0.0.0-20190925194419-606b3d062051.mod126960631.tmp: permission denied
...
go: writing go.mod cache: open /go/pkg/mod/cache/download/golang.org/x/oauth2/@v/v0.0.0-20180620175406-ef147856a6dd.mod208226134.tmp: permission denied
go: failed to lock file at /go/pkg/mod/cache/lock
ERROR: Service 'buffalo' failed to build: The command '/bin/sh -c go get ./...' returned a non-zero code: 1

Info

If I place a command near the top of Dockerfile-dev like:

RUN chmod -R o=,g=rwX $GOPATH/pkg

then the build succeeds and I can run the buffalo info command.

-> Go: Checking installation
✓ The `go` executable was found on your system at: /usr/local/go/bin/go

-> Go: Checking minimum version requirements
✓ Your version of Go, 1.13.4, meets the minimum requirements.

-> Go: Checking GOPATH
✓ You are using Go Modules, so no need to worry about the GOPATH.

-> Go: Checking Package Management
✓ You are using Go Modules (`go`) for package management.

-> Go: Checking PATH
✓ Your PATH contains /go/bin.

-> Node: Checking installation
✓ The `node` executable was found on your system at: /usr/bin/node

-> Node: Checking minimum version requirements
✓ Your version of Node, v10.17.0, meets the minimum requirements.

-> NPM: Checking installation
✓ The `npm` executable was found on your system at: /usr/bin/npm

-> NPM: Checking minimum version requirements
✓ Your version of NPM, 6.11.3, meets the minimum requirements.

-> Yarn: Checking installation
✓ The `yarnpkg` executable was found on your system at: /usr/bin/yarnpkg

-> Yarn: Checking minimum version requirements
✓ Your version of Yarn, 1.19.1, meets the minimum requirements.

-> PostgreSQL: Checking installation
✘ The `postgres` executable could not be found on your system.
For help setting up your Postgres environment please follow the instructions for you platform at:

https://www.postgresql.org/download/

-> MySQL: Checking installation
✘ The `mysql` executable could not be found on your system.
For help setting up your MySQL environment please follow the instructions for you platform at:

https://www.mysql.com/downloads/

-> SQLite3: Checking installation
✓ The `sqlite3` executable was found on your system at: /usr/bin/sqlite3

-> SQLite3: Checking minimum version requirements
✓ Your version of SQLite3, 3.27.2, meets the minimum requirements.

-> Cockroach: Checking installation
✘ The `cockroach` executable could not be found on your system.
For help setting up your Cockroach environment please follow the instructions for you platform at:

https://www.cockroachlabs.com/docs/stable/

-> Buffalo (CLI): Checking installation
✓ The `buffalo` executable was found on your system at: /go/bin/buffalo

-> Buffalo (CLI): Checking minimum version requirements
✓ Your version of Buffalo (CLI), v0.15.1, meets the minimum requirements.

-> Buffalo: Application Details
Pwd         /wecarry
Root        /wecarry
GoPath      /go
PackagePkg  github.com/silinternational/wecarry-api
ActionsPkg  github.com/silinternational/wecarry-api/actions
ModelsPkg   github.com/silinternational/wecarry-api/models
GriftsPkg   github.com/silinternational/wecarry-api/grifts
WithModules true
Name        application
Bin         bin/application
VCS         git
WithPop     true
WithSQLite  false
WithDep     false
WithWebpack false
WithNodeJs  false
WithYarn    false
WithDocker  true
WithGrifts  true
AsWeb       false
AsAPI       true
InApp       true
PackageJSON {map[]}

-> Buffalo: config/buffalo-app.toml
name = "application"
bin = "bin/application"
vcs = "git"
with_pop = true
with_sqlite = false
with_dep = false
with_webpack = false
with_nodejs = false
with_yarn = false
with_docker = true
with_grifts = true
as_web = false
as_api = true

-> Buffalo: config/buffalo-plugins.toml
[[plugin]]
  binary = "buffalo-pop"
  go_get = "github.com/gobuffalo/buffalo-pop"

-> Buffalo: go.mod
module github.com/silinternational/wecarry-api

go 1.12

require (
	github.com/99designs/gqlgen v0.10.1
	github.com/aws/aws-sdk-go v1.25.0
	github.com/beevik/etree v1.1.0 // indirect
	github.com/cockroachdb/cockroach-go v0.0.0-20190925194419-606b3d062051 // indirect
	github.com/go-chi/chi v3.3.2+incompatible
	github.com/gobuffalo/buffalo v0.15.1
	github.com/gobuffalo/buffalo-pop v1.23.1
	github.com/gobuffalo/envy v1.7.1
	github.com/gobuffalo/events v1.4.0
	github.com/gobuffalo/httptest v1.4.0
	github.com/gobuffalo/mw-i18n v0.0.0-20190129204410-552713a3ebb4
	github.com/gobuffalo/mw-paramlogger v0.0.0-20190224201358-0d45762ab655
	github.com/gobuffalo/nulls v0.1.0
	github.com/gobuffalo/packr/v2 v2.7.1
	github.com/gobuffalo/pop v4.12.2+incompatible
	github.com/gobuffalo/suite v2.8.1+incompatible
	github.com/gobuffalo/validate v2.0.3+incompatible
	github.com/gofrs/uuid v3.2.0+incompatible
	github.com/gorilla/sessions v1.2.0
	github.com/jackc/pgconn v1.1.0 // indirect
	github.com/markbates/goth v1.56.0
	github.com/markbates/grift v1.5.0
	github.com/nicksnyder/go-i18n v1.10.0
	github.com/olekukonko/tablewriter v0.0.2 // indirect
	github.com/paganotoni/sendgrid-sender v1.0.5
	github.com/pkg/errors v0.8.1
	github.com/rollbar/rollbar-go v1.1.0
	github.com/rs/cors v1.6.0
	github.com/russellhaering/gosaml2 v0.3.1
	github.com/russellhaering/goxmldsig v0.0.0-20180430223755-7acd5e4a6ef7
	github.com/sendgrid/sendgrid-go v3.5.0+incompatible
	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
	github.com/stretchr/testify v1.4.0
	github.com/vektah/gqlparser v1.1.2
	golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890
	jaytaylor.com/html2text v0.0.0-20190408195923-01ec452cbe43
)


@Schparky Schparky commented Dec 5, 2019

Perhaps anecdotal, or maybe standard-setting, I'm not sure which, but in docker-library/golang the permissions on files in /go are 777, presumably for this reason. (See the first comment here: docker-library/golang#65 (comment))
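
Added example (not part of the issue thread or the Buffalo project's code): a shell check of what the `chmod -R o=,g=rwX` workaround quoted in the issue changes, run on a constructed stand-in for `$GOPATH/pkg`. The tree layout, file names and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: the sample tree is constructed and its file names are made up.

# Build a throwaway tree shaped like a root-built $GOPATH/pkg:
# directories 755, regular files 644, one executable 755.
make_sample_cache() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/pkg/mod/cache/download"
    : > "$root/pkg/mod/cache/lock"
    : > "$root/pkg/mod/cache/download/example.mod"
    printf '#!/bin/sh\n' > "$root/pkg/tool.sh"
    chmod -R u=rwX,go=rX "$root/pkg"
    chmod 755 "$root/pkg/tool.sh"
    printf '%s\n' "$root"
}

# The chmod from the issue, applied to directory $1.
apply_workaround() {
    chmod -R o=,g=rwX "$1"
}

# Entries under $1 that the owning group cannot write to
# (these are what stop a non-owner build user).
count_not_group_writable() {
    find "$1" ! -perm -020 | wc -l | tr -d ' '
}

# Entries under $1 that grant any permission to "other".
count_other_access() {
    find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \) | wc -l | tr -d ' '
}

# Regular files under $1 with group execute: the capital X only adds
# execute where some execute bit was already set (or on directories).
count_group_exec_files() {
    find "$1" -type f -perm -010 | wc -l | tr -d ' '
}

# Print a before/after summary for the constructed tree.
demo() {
    root=$(make_sample_cache) || return 1
    echo "before: not-group-writable=$(count_not_group_writable "$root/pkg")"
    apply_workaround "$root/pkg"
    echo "after:  not-group-writable=$(count_not_group_writable "$root/pkg")" \
         "other-access=$(count_other_access "$root/pkg")" \
         "group-exec-files=$(count_group_exec_files "$root/pkg")"
    rm -rf "$root"
}
demo
```

After the workaround every entry is group-writable and nothing is granted to other, so the build user has to be in the owning group, which is what `usermod -a -G root user` arranges in the Dockerfile above. Mode 777, by contrast, lets any user in the container write to the tree.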
