docker: Allowing to downgrade to regular user via environment variables #89

Merged
merged 2 commits into from Feb 25, 2023
21 changes: 7 additions & 14 deletions scripts/release/Dockerfile
Expand Up @@ -105,31 +105,24 @@ FROM alpine:latest
# libc6-compat
RUN apk add --no-cache libstdc++ binutils

# Create the user/group for stump
RUN addgroup -g 1000 stump
RUN adduser -D -s /bin/sh -u 1000 -G stump stump

WORKDIR /

# create the config, data and app directories
RUN mkdir -p config && \
mkdir -p data && \
mkdir -p app

# FIXME: this does not seem to be working...
# make the stump user own the directories
RUN chown stump /config && \
chown stump /data && \
chown stump /app

USER stump

# copy the binary
COPY --chown=stump:stump --from=core-builder /app/stump ./app/stump
COPY --from=core-builder /app/stump ./app/stump

# copy the react build
COPY --from=frontend /app/build ./app/client

# Copy docker entrypoint
# This will take care of starting the service daemon as a regular user, if desired
COPY scripts/release/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# TODO: replace this with something more elegant lol maybe a bash case statement
RUN ln -s /lib/ld-musl-aarch64.so.1 /lib/ld-linux-aarch64.so.1; exit 0
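Review bot: Dropping `USER stump` from the final stage means the container now starts as root, and because entrypoint.sh defaults `PUID` and `PGID` to 0, anyone who does not set those variables runs the server as root, where the previous image ran as uid 1000. Consider keeping non-root as the default (for example by defaulting to 1000 in the entrypoint) so that running as root is an explicit opt-in, and document the change for existing deployments. Minor: the `COPY scripts/release/entrypoint.sh /entrypoint.sh` and `RUN chmod +x /entrypoint.sh` pair could be a single layer with `COPY --chmod=755` if the build uses BuildKit.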

Expand All @@ -144,4 +137,4 @@ ENV API_VERSION=v1

WORKDIR /app

CMD ["./stump"]
ENTRYPOINT ["/entrypoint.sh"]
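Review bot: With `CMD ["./stump"]` removed and nothing in entrypoint.sh reading `"$@"`, any arguments placed after the image name on `docker run` are silently discarded, and there is no way to run a different command without overriding the entrypoint. Keeping `CMD ["./stump"]` next to `ENTRYPOINT ["/entrypoint.sh"]` and having the script launch `"$@"` (as root or as the downgraded user) would preserve the usual entrypoint/cmd contract.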
40 changes: 40 additions & 0 deletions scripts/release/entrypoint.sh
@@ -0,0 +1,40 @@
#!/bin/sh
# Depending on the values passed for PUID/PGID via environment variables,
# either starts the stump server daemon as root or as a regular user
#
# Also takes care of assigning proper attributes to the folders /data, /config and /app
PUID=${PUID:-0}
PGID=${PGID:-0}

USER=stump
GROUP=stump

## Add stump group if it doesn't already exist
if [[ -z "$(getent group "$PGID" | cut -d':' -f1)" ]]; then
addgroup -g "$PGID" $GROUP
fi

## Add stump user if it doesn't already exist
if [[ -z "$(getent passwd "$PUID" | cut -d':' -f1)" ]]; then
adduser -D -s /bin/sh -u "$PUID" -G "$GROUP" $USER
fi

# Change current working directory
cd /app

if [[ "$PUID" -eq 0 ]]; then
# Run as root
./stump
else
# Set ownership on config, app and data dir
chown -R "$PUID":"$PGID" /app
chown -R "$PUID":"$PGID" /config
# NOTE: Only change the directory itself, not recursively
# We dont want to accidentally overwrite with incorrect
# permissions if users provide wrong values for PUID/PGID
chown "$PUID":"$PGID" /data

# Run as non-root user
# NOTE: Omit "-l" switch to keep env vars
su $USER -c ./stump
fi