Build CRATE docker image with user's group

This should hopefully allow easier access to shared volumes without having to change permissions on them.
ucam-department-of-psychiatry · Jun 18, 2024 · 10677d1 · 10677d1
1 parent 3c9b060
commit 10677d1
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 3 deletions.
diff --git a/docker/dockerfiles/crate.Dockerfile b/docker/dockerfiles/crate.Dockerfile
@@ -41,7 +41,10 @@ LABEL maintainer="Rudolf Cardinal <rudolf@pobox.com>"
 # https://vsupalov.com/docker-shared-permissions/
 
 ARG USER_ID
-RUN adduser --disabled-password --gecos '' --uid $USER_ID crate
+ARG GROUP_ID
+
+RUN addgroup --gid $GROUP_ID crate
+RUN adduser --disabled-password --gecos '' --uid $USER_ID --gid $GROUP_ID crate
 
 FROM crate-build-1-user AS crate-build-2-files
 

diff --git a/docker/dockerfiles/docker-compose.yaml b/docker/dockerfiles/docker-compose.yaml
@@ -157,6 +157,7 @@ services:
 
             args:
                 - USER_ID=${CRATE_DOCKER_INSTALL_USER_ID}
+                - GROUP_ID=${CRATE_DOCKER_INSTALL_GROUP_ID}
                 - GATE_VERSION=${CRATE_DOCKER_GATE_VERSION}
 
         # If you specify "image" as well as "build", Compose names the built

diff --git a/installer/installer.py b/installer/installer.py
@@ -33,6 +33,7 @@
 
 from argparse import ArgumentParser
 import collections
+import grp
 import os
 from pathlib import Path
 from platform import uname
@@ -184,6 +185,7 @@ class DockerEnvVar(EnvVar):
         f"{PREFIX}_GATE_BIOYODIE_RESOURCES_HOST_DIR"
     )
     IMAGE_TAG = f"{PREFIX}_IMAGE_TAG"
+    INSTALL_GROUP_ID = f"{PREFIX}_INSTALL_GROUP_ID"
     INSTALL_USER_ID = f"{PREFIX}_INSTALL_USER_ID"
 
     CRATE_DB_DATABASE_NAME = f"{PREFIX}_CRATE_DB_DATABASE_NAME"
@@ -640,6 +642,7 @@ def check_setup(self) -> None:
     def configure(self) -> None:
         try:
             self.configure_user()
+            self.configure_group()
             self.configure_tag()
             self.configure_config_files()
             self.configure_files_dir()
@@ -663,6 +666,11 @@ def configure_user(self) -> None:
             DockerEnvVar.INSTALL_USER_ID, self.get_docker_install_user_id
         )
 
+    def configure_group(self) -> None:
+        self.setenv(
+            DockerEnvVar.INSTALL_GROUP_ID, self.get_docker_install_group_id
+        )
+
     def configure_tag(self) -> None:
         tag = self.env_dict[DockerEnvVar.IMAGE_TAG]
         self.setenv(DockerEnvVar.IMAGE_TAG, tag)
@@ -1270,9 +1278,37 @@ def report_status(self) -> None:
     # Fetching information from environment variables or statically
     # -------------------------------------------------------------------------
 
+    def get_docker_install_user_id(self) -> str:
+        return str(self._get_user_id())
+
+    def get_docker_install_group_id(self) -> str:
+        choice_dict = {}
+
+        # https://stackoverflow.com/questions/9323834/python-how-to-get-group-ids-of-one-username-like-id-gn
+        # Reported to work with sssd. Maybe not everything else.
+        for group_id in os.getgroups():
+            # Ignore any groups created by the OS so we don't clash when we try
+            # to create the group on the server
+            if group_id >= 1000:
+                try:
+                    choice_dict[str(group_id)] = grp.getgrgid(group_id).gr_name
+                except KeyError:
+                    # One poster reported that this happens for some reason
+                    pass
+
+        if len(choice_dict) == 1:
+            # No choice
+            return next(iter(choice_dict))
+
+        return self.get_user_choice(
+            "The CRATE container will be created with your user's "
+            "permissions. Select the group to use:",
+            choice_dict,
+        )
+
     @staticmethod
-    def get_docker_install_user_id() -> str:
-        return str(os.geteuid())
+    def _get_user_id() -> int:
+        return os.geteuid()
 
     @staticmethod
     def get_hmac_md5_key() -> str: