Dockerfile: enable switching UID/GID (#1047)
Add a script for switching UID/GID
of the user inside the container.
Use this to avoid making the directories
the CI uses world-writable.
pjonsson authored Aug 6, 2024
1 parent 9579b4d commit a1ab57c
Showing 7 changed files with 40 additions and 4 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/complementary-config-test.yaml
Expand Up @@ -56,6 +56,8 @@ jobs:
- name: Config parser check
run: |
export LOCAL_UID=$(id -u $USER)
export LOCAL_GID=$(id -g $USER)
cd ./datacube-ows
export $(grep -v '^#' ./complementary_config_test/.env_complementary_config_dea_dev | xargs)
docker compose -f docker-compose.yaml -f docker-compose.cleandb.yaml up -d
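Review bot: The new `export LOCAL_UID=$(id -u $USER)` line depends on `$USER`, which is not guaranteed to be set in a workflow shell; when it is unset the command degrades to a bare `id -u` and still returns the invoking user, so it works by accident rather than by design. `export LOCAL_UID=$(id -u)` and `export LOCAL_GID=$(id -g)` say what is meant and cannot resolve to a different account if `USER` is ever overridden in the job environment. The same pattern is repeated in the other workflows touched by this commit.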
6 changes: 6 additions & 0 deletions .github/workflows/pyspy-profiling.yaml
Expand Up @@ -39,6 +39,8 @@ jobs:
# Run performance profiling
- name: setup performance profiling with py-spy (stage 1 - run profiling containers)
run: |
export LOCAL_UID=$(id -u $USER)
export LOCAL_GID=$(id -g $USER)
export $(grep -v '^#' .env_simple | xargs)
docker compose -f docker-compose.yaml -f docker-compose.db.yaml -f docker-compose.pyspy.yaml up -d
Expand All @@ -50,6 +52,8 @@ jobs:
- name: set output container pid (stage 1 - get ows container pid)
id: set-output-container-id
run: |
export LOCAL_UID=$(id -u $USER)
export LOCAL_GID=$(id -g $USER)
export $(grep -v '^#' .env_simple | xargs)
echo "::set-output name=PID::$(docker inspect --format '{{.State.Pid}}' $(docker inspect -f '{{.Name}}' \
$(docker compose -f docker-compose.yaml -f docker-compose.db.yaml -f docker-compose.pyspy.yaml ps -q ows_18) \
Expand All @@ -59,6 +63,8 @@ jobs:
timeout-minutes: 1
continue-on-error: true
run: |
export LOCAL_UID=$(id -u $USER)
export LOCAL_GID=$(id -g $USER)
export $(grep -v '^#' .env_simple | xargs)
docker compose -f docker-compose.yaml -f docker-compose.db.yaml -f docker-compose.pyspy.yaml \
exec -T ows_18 /bin/sh -c "cd /code;./test_urls.sh &"
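Review bot: `exec -T ows_18 /bin/sh -c "cd /code;./test_urls.sh &"` in the last hunk runs a fresh process in the container without passing through the image's ENTRYPOINT, and since this commit removes `USER ows` from the Dockerfile the exec defaults to root unless docker-compose.yaml sets `user:` (not visible on this page). The profiling target itself is re-id'd and dropped to `ows` by remap-user.sh, so the request generator would now run with more privilege than the service it drives; `exec -T --user ows ows_18 /bin/sh -c "cd /code;./test_urls.sh &"` keeps both on the remapped account. The identical `LOCAL_UID`/`LOCAL_GID` exports are also repeated in three steps of this job; one early step appending them to `$GITHUB_ENV` would set them once.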
2 changes: 2 additions & 0 deletions .github/workflows/test-prod.yaml
Expand Up @@ -54,6 +54,8 @@ jobs:
# Build prod image and tag as latest, connect to pre-indexed database
- name: Build and run prod OWS images (stage 2)
run: |
export LOCAL_UID=$(id -u $USER)
export LOCAL_GID=$(id -g $USER)
export $(grep -v '^#' .env_simple | xargs)
docker compose -f docker-compose.yaml -f docker-compose.db.yaml -f docker-compose.prod.yaml up -d
5 changes: 3 additions & 2 deletions .github/workflows/test.yml
Expand Up @@ -54,12 +54,13 @@ jobs:
- name: Test and lint dev OWS image
run: |
mkdir artifacts
docker run -v ${PWD}/artifacts:/mnt/artifacts ${ORG}/${IMAGE}:_builder /bin/sh -c "cd /code;./check-code.sh"
docker run -e LOCAL_UID=$(id -u $USER) -e LOCAL_GID=$(id -g $USER) -v ${PWD}/artifacts:/mnt/artifacts ${ORG}/${IMAGE}:_builder /bin/sh -c "cd /code;./check-code.sh"
mv ./artifacts/coverage.xml ./artifacts/coverage-unit.xml
- name: Dockerized Integration Pytest
run: |
chmod a+rw artifacts
export LOCAL_UID=$(id -u $USER)
export LOCAL_GID=$(id -g $USER)
export $(grep -v '^#' .env_simple | xargs)
docker compose -f docker-compose.yaml -f docker-compose.db.yaml up -d
docker compose -f docker-compose.yaml -f docker-compose.db.yaml exec -T ows_18 /bin/sh -c "cd /code;./check-code-all.sh"
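Review bot: `docker compose ... exec -T ows_18 /bin/sh -c "cd /code;./check-code-all.sh"` does not go through the image's ENTRYPOINT, and with `USER ows` removed from the Dockerfile in this commit the exec defaults to root unless docker-compose.yaml sets `user:` (not visible here), so the integration tests now run as root and anything they write into a bind mount ends up root-owned — the outcome the new `LOCAL_UID`/`LOCAL_GID` plumbing is meant to avoid. `exec -T --user ows ows_18 /bin/sh -c "cd /code;./check-code-all.sh"` keeps the remapped account, because remap-user.sh has already re-id'd `ows` when the service came up. The `docker run -e LOCAL_UID=... -e LOCAL_GID=...` in the first step is fine: it starts a new container and therefore does pass through the entrypoint.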
14 changes: 12 additions & 2 deletions Dockerfile
Expand Up @@ -38,6 +38,16 @@ RUN pip freeze
# Should match builder base.
FROM ghcr.io/osgeo/gdal:ubuntu-small-3.8.5

RUN apt-get update -y \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
gosu \
tini \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* /var/dpkg/* /var/tmp/* /var/log/dpkg.log

# Add login-script for UID/GID-remapping.
COPY --chown=root:root --link docker/files/remap-user.sh /usr/local/bin/remap-user.sh

# all the python pip installed libraries
COPY --from=builder /usr/local/lib/python3.10/dist-packages /usr/local/lib/python3.10/dist-packages
COPY --from=builder /usr/lib/python3/dist-packages /usr/lib/python3/dist-packages
Expand Down Expand Up @@ -68,7 +78,7 @@ WORKDIR /code
COPY . /code

# Configure user
RUN useradd -m -s /bin/bash -N -g 100 -u 1001 ows
RUN useradd -m -s /bin/bash ows
WORKDIR "/home/ows"

ENV GDAL_DISABLE_READDIR_ON_OPEN="EMPTY_DIR" \
Expand All @@ -78,5 +88,5 @@ ENV GDAL_DISABLE_READDIR_ON_OPEN="EMPTY_DIR" \

RUN chown 1000:100 /dev/shm

USER ows
ENTRYPOINT ["/usr/local/bin/remap-user.sh"]
CMD ["gunicorn", "-b", "0.0.0.0:8000", "--workers=3", "--threads=2", "-k", "gevent", "--timeout", "121", "--pid", "/home/ows/gunicorn.pid", "--log-level", "info", "--worker-tmp-dir", "/dev/shm", "--config", "python:datacube_ows.gunicorn_config", "datacube_ows.wsgi"]
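Review bot: `COPY --chown=root:root --link docker/files/remap-user.sh /usr/local/bin/remap-user.sh` sets no `--chmod`, so whether the new ENTRYPOINT is executable depends on the mode bit git recorded for the new file, which this page does not show; `COPY --chown=root:root --chmod=0755 --link docker/files/remap-user.sh /usr/local/bin/remap-user.sh` removes that dependency. Dropping `USER ows` also means the image now starts as root and only the entrypoint drops privileges, so anything that bypasses it — `docker compose exec`, `--entrypoint`, or a runtime that enforces `runAsNonRoot` — no longer gets the `ows` account by default; a comment next to the ENTRYPOINT would save the next reader a surprise, e.g. `# Starts as root; remap-user.sh re-ids ows to LOCAL_UID/LOCAL_GID and drops to it via gosu.` The context line `RUN chown 1000:100 /dev/shm` still names gid 100, which the rewritten `useradd` (no longer `-g 100`) does not assign to ows; `/dev/shm` is normally replaced by a tmpfs at run time so this is probably harmless, but the line is now misleading.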
2 changes: 2 additions & 0 deletions docker-compose.yaml
Expand Up @@ -13,6 +13,8 @@ services:
# Uncomment for use with non-dockerised postgres (for docker-compose 1.x)
# network_mode: host
environment:
LOCAL_UID: ${LOCAL_UID:-1000}
LOCAL_GID: ${LOCAL_GID:-1000}
# Defaults are defined in .env file
AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
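Review bot: The `1000` fallback in `LOCAL_UID: ${LOCAL_UID:-1000}` and `LOCAL_GID: ${LOCAL_GID:-1000}` duplicates the default that remap-user.sh applies with the same `${LOCAL_UID:-1000}` expansion, so two places must be kept in sync by hand. Passing the variables through as `LOCAL_UID: ${LOCAL_UID}` would hand an empty value to the container (compose prints a "variable is not set" warning), which the script's `:-` form treats exactly like unset, leaving one owner of the default. If the compose-side default is kept, a comment naming the other copy, e.g. `# Keep in sync with the defaults in docker/files/remap-user.sh`, would help.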
13 changes: 13 additions & 0 deletions docker/files/remap-user.sh
@@ -0,0 +1,13 @@
#!/bin/bash -e

# Script that gives the container user uid $LOCAL_UID and gid $LOCAL_GID.
# If $LOCAL_UID or $LOCAL_GID are not set, they default to 1000 (default
# for the first user created in Ubuntu).

USER_ID=${LOCAL_UID:-1000}
GROUP_ID=${LOCAL_GID:-1000}

[[ "$USER_ID" == "1000" ]] || usermod -u $USER_ID -o -m -d /home/ows ows
[[ "$GROUP_ID" == "1000" ]] || groupmod -g $GROUP_ID ows
[[ $(id -u) != "0" ]] || GOSU="/usr/sbin/gosu ows"
exec /usr/bin/tini -- $GOSU "$@"
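Review bot: `usermod -u $USER_ID -o` accepts any value, including 0, and `gosu ows` then resolves `ows` to whatever uid it was given, so a caller that sets `LOCAL_UID=0` (a root shell, or a self-hosted runner executing as root) silently runs the service as root instead of dropping privileges. `groupmod -g $GROUP_ID ows` has no `-o`, so a host gid that already exists in the image (100, for instance) makes it fail and `-e` aborts the container before the `exec`; the same abort happens when the container is started with a non-root `--user` and a non-default uid, because the remapping runs before the root check. I would reject anything that is not a positive integer, do the remapping only when running as root, and give groupmod the same `-o` that usermod already has; `-m -d /home/ows` can go, since the home directory does not change.
```shell
USER_ID=${LOCAL_UID:-1000}
GROUP_ID=${LOCAL_GID:-1000}

# Positive integers only: uid/gid 0 would make the "gosu ows" below run as root.
for value in "$USER_ID" "$GROUP_ID"; do
    if ! [[ "$value" =~ ^[1-9][0-9]*$ ]]; then
        echo "remap-user.sh: LOCAL_UID/LOCAL_GID must be a positive integer, got '$value'" >&2
        exit 1
    fi
done

# Remapping needs root; when started with --user there is nothing we can change.
if [[ $(id -u) == "0" ]]; then
    [[ "$GROUP_ID" == "$(id -g ows)" ]] || groupmod -o -g "$GROUP_ID" ows
    [[ "$USER_ID" == "$(id -u ows)" ]] || usermod -o -u "$USER_ID" ows
    GOSU="/usr/sbin/gosu ows"
fi
exec /usr/bin/tini -- $GOSU "$@"
```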
