build(DOCKER): flexible and enforced user perms

osx-provisioner · Feb 5, 2023 · 5f40433 · 5f40433
1 parent 4050714
commit 5f40433
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 15 deletions.
diff --git a/.github/scripts/build_container.sh b/.github/scripts/build_container.sh
@@ -4,7 +4,10 @@ set -eo pipefail
 
 main() {
 
-  docker-compose build --build-arg PYTHON_VERSION="${PYTHON_VERSION}"
+  docker-compose build                                        \
+    --build-arg BUILD_ARG_PYTHON_VERSION="${PYTHON_VERSION}"  \
+    --build-arg BUILD_ARG_CONTAINER_GID="$(id -g)"            \
+    --build-arg BUILD_ARG_CONTAINER_UID="$(id -u)"
   docker-compose up -d
 
 }

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -174,14 +174,14 @@ jobs:
           touch ${HOME}/.gitconfig
           touch ${HOME}/.gitconfig_global
 
-      - name: Container Build -- Ensure File System is Writable by the Container
-        run: |
-          sudo chmod -R o+w .
-
       - name: Container Build -- Build Container
         run: |
           source .github/scripts/build_container.sh
 
+      - name: Container Build -- Ensure GIT is working
+        run: |
+          docker-compose exec -T "${PROJECT_NAME}" git status
+
       - name: Container Build -- Run TOML Linter
         run: |
           docker-compose exec -T "${PROJECT_NAME}" tomll /app/pyproject.toml

diff --git a/assets/Dockerfile b/assets/Dockerfile
@@ -1,5 +1,9 @@
-ARG PYTHON_VERSION=3.8
-FROM python:$PYTHON_VERSION-slim AS base
+ARG BUILD_ARG_PYTHON_VERSION=3.8
+
+FROM python:$BUILD_ARG_PYTHON_VERSION-slim AS base
+
+ARG BUILD_ARG_CONTAINER_GID=1000
+ARG BUILD_ARG_CONTAINER_UID=1000
 
 LABEL maintainer="niall@niallbyrne.ca"
 LABEL project="mac_maker"
@@ -24,17 +28,19 @@ RUN apt-get update               && \
     build-essential=12.*         && \
     rm -rf /var/lib/apt/lists/*
 
+# Create the runtime user, and enforce permissions
+RUN groupadd user -g "${BUILD_ARG_CONTAINER_GID}"
+RUN useradd user -d /home/user                    \
+                 -s /bin/bash                     \
+                 -u "${BUILD_ARG_CONTAINER_UID}"  \
+                 -g "${BUILD_ARG_CONTAINER_GID}"  \
+                 -m
+
 # Setup directories
-RUN mkdir -p /home/user /app
+RUN mkdir -p /app
+RUN chown -R user:user /app
 WORKDIR /app
 
-# Create the runtime user, and enforce permissions
-RUN useradd user -d /home/user           \
-                 -s /bin/bash            \
-                 -M                   && \
- chown -R user:user /home/user        && \
- chown -R user:user /app
-
 # Include the local binary folder in PATH
 ENV PATH "/home/user/.local/bin/:${PATH}"
 
@@ -89,6 +95,11 @@ RUN poetry install --no-root -E docs
 # Copy the Codebase
 COPY . /app
 
+# Enforce git repository permissions
+USER root
+RUN chown -R user:user /app
+USER user
+
 # Install the Application
 RUN poetry install -E docs
 
@@ -143,4 +154,9 @@ RUN pip --no-cache-dir install -r requirements.txt
 # Copy the codebase
 COPY . /app
 
+# Enforce git repository permissions
+USER root
+RUN chown -R user:user /app
+USER user
+
 CMD ["./mac_maker/container_init.sh"]