Docker Image enhancement and better CLI support. (#1603)
## THIS PR INCLUDES BREAKING CHANGES - Dockerfile now uses `app` user instead of `root`

#### Why?

A few Geo-Mesh users reported to POKTscan an issue with the new image after we adopted the one on the pokt-network/pocket-core repository in the latest RC. They reported that this image uses `root` as the user, which is recommended to be avoided. There are a lot of blogs and documentation about this, [here](https://docs.bitnami.com/tutorials/why-non-root-containers-are-important-for-security) is one of them from a well-known Docker image user/company. Also, we detected a few things that could be enhanced on both the entry point and the Docker context.

The problem with having a public image using root right now is that the pocket binary generates folders and files that currently belong to the `root` user, so users will need to modify those permissions to belong to the proper `app` user and group. To address this, I added another optional entry point that can be used once to fix the permission issue, after which the container is started as before. [Here](https://github.com/pokt-network/pocket-core/pull/1603/files#diff-8a9d880ecb3d20b3cfe8def4da1bd200fcbd44131caee95ea699a34faf9cfd6fR19) you can see how to use it with docker-compose or docker.

#### Changes:

- Modifications to the Dockerfile allow the container to run as the `app` user instead of `root`.
- Added a new shell script named fix_permissions.sh to fix ownership issues related to running containers.
- Updated the Dockerfile to use this new script.
- Added a .dockerignore file to help maintain a cleaner Docker build context, excluding unnecessary files.
- Modifications to `entrypoint.sh` allow the user to run all its internal commands with the proper `--datadir` param. It now properly handles the start command when `--keybase=false` is sent. Also, it allows the user to pass the `--datadir` as an env variable to omit it on the start command.
1 parent 21d70e9, commit 33b28c1. Showing 4 changed files with 108 additions and 17 deletions.
`.dockerignore` (new file)
@@ -0,0 +1,16 @@ | ||
# this is not need on context | ||
.circleci | ||
# only workflow files that could be needed on the image should be added to the context | ||
!.github/workflows | ||
# ide | ||
.editorconfig | ||
# doc files | ||
doc | ||
docs | ||
# yml/yaml | ||
**/*.yaml | ||
**/*.yml | ||
# markdown | ||
**/*.md | ||
# images | ||
**/*.png |
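Review bot: the `!.github/workflows` negation has no effect as written, because nothing earlier in the file excludes `.github`, and the later `**/*.yml` and `**/*.yaml` rules still drop the workflow files it means to keep (the last matching pattern wins in .dockerignore). If workflow files really must reach the build context, exclude `.github` first and place `!.github/workflows/*.yml` after the yml/yaml rules; otherwise drop the negation and the comment above it. Also consider adding `.git` to the list, since the repository history is both the largest part of a checkout and the place where old secrets tend to survive, and fix the typo in the first comment (`this is not need on context` should read `this is not needed in the context`).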
`fix_permissions.sh` (new file)
@@ -0,0 +1,13 @@ | ||
#!/bin/sh | ||
datadir=$1 | ||
# Changing the permissions is necessary here because previous versions of our Dockerfile | ||
# did not specify `app` as the user, so Docker defaulted to `root`. | ||
# This script facilitates transition for those who have not specified the `app` user at the start of the container. | ||
# It changes the ownership to the proper user and group (`app:app`), as declared in the Dockerfile. | ||
# The specific ownership by user 'app' and group 'app' is required to ensure that the `app` user | ||
# specified in the Dockerfile will have full access to the relevant directory. | ||
echo "Attempting to fix ${datadir} permissions to be owned by app:app" | ||
chown -R app:app $datadir | ||
echo "${datadir} permissions applied." | ||
echo "Please turn off entrypoint override and ensure you are using user `app` or user `1005` when start container." | ||
exit 0 |
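Review bot: the final echo uses backticks inside double quotes (`` ensure you are using user `app` or user `1005` ``), so the shell treats `app` and `1005` as command substitutions and the message prints `app: not found` errors with blanks where the names should be; use single quotes around the names or escape the backticks. The script also runs `chown -R app:app $datadir` with `$datadir` unquoted and without checking that `$1` was given, so an empty or space-containing argument makes chown fail or operate on the wrong paths, and the unconditional `exit 0` then reports "permissions applied" regardless; quote the variable (`chown -R app:app -- "$datadir"`), fail early with a usage message when `$1` is empty, and exit with chown's status or add `set -e` at the top.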