From a1ab57c11ccafae4bb27a054b75e99f8a441b774 Mon Sep 17 00:00:00 2001
From: "Peter A. Jonsson"
Date: Wed, 7 Aug 2024 00:06:24 +0200
Subject: [PATCH] Dockerfile: enable switching UID/GID (#1047)

Add a script for switching UID/GID of the user inside the container. Use this to avoid making the directories the CI uses world-writable.
---
 .github/workflows/complementary-config-test.yaml | 2 ++
 .github/workflows/pyspy-profiling.yaml | 6 ++++++
 .github/workflows/test-prod.yaml | 2 ++
 .github/workflows/test.yml | 5 +++--
 Dockerfile | 14 ++++++++++++--
 docker-compose.yaml | 2 ++
 docker/files/remap-user.sh | 13 +++++++++++++
 7 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100755 docker/files/remap-user.sh
diff --git a/.github/workflows/complementary-config-test.yaml b/.github/workflows/complementary-config-test.yaml
index a2e79b062..5e13b55c8 100644
--- a/.github/workflows/complementary-config-test.yaml
+++ b/.github/workflows/complementary-config-test.yaml
@@ -56,6 +56,8 @@ jobs:
 - name: Config parser check
 run: |
+ export LOCAL_UID=$(id -u $USER)
+ export LOCAL_GID=$(id -g $USER)
 cd ./datacube-ows
 export $(grep -v '^#' ./complementary_config_test/.env_complementary_config_dea_dev | xargs)
 docker compose -f docker-compose.yaml -f docker-compose.cleandb.yaml up -d
diff --git a/.github/workflows/pyspy-profiling.yaml b/.github/workflows/pyspy-profiling.yaml
index a044399f4..92ffdd045 100644
--- a/.github/workflows/pyspy-profiling.yaml
+++ b/.github/workflows/pyspy-profiling.yaml
@@ -39,6 +39,8 @@ jobs:
 # Run performance profiling
 - name: setup performance profiling with py-spy (stage 1 - run profiling containers)
 run: |
+ export LOCAL_UID=$(id -u $USER)
+ export LOCAL_GID=$(id -g $USER)
 export $(grep -v '^#' .env_simple | xargs)
 docker compose -f docker-compose.yaml -f docker-compose.db.yaml -f docker-compose.pyspy.yaml up -d
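Review bot: The added `export LOCAL_UID=$(id -u $USER)` / `export LOCAL_GID=$(id -g $USER)` lines pass an unquoted `$USER` that `id` does not need; `$(id -u)` and `$(id -g)` resolve the effective user directly, which is also what the unquoted form already falls back to when `USER` is unset, so `export LOCAL_UID=$(id -u)` and `export LOCAL_GID=$(id -g)` are the simpler spelling. The same pair is repeated in both pyspy-profiling.yaml hunks, in test-prod.yaml and in both test.yml steps (including the `docker run -e LOCAL_UID=$(id -u $USER) …` form), so one change applies everywhere. Since every step recomputes the two values, a job-level `env:` block would remove the duplication, though that is a matter of taste.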
@@ -50,6 +52,8 @@ jobs:
 - name: set output container pid (stage 1 - get ows container pid)
 id: set-output-container-id
 run: |
+ export LOCAL_UID=$(id -u $USER)
+ export LOCAL_GID=$(id -g $USER)
 export $(grep -v '^#' .env_simple | xargs)
 echo "::set-output name=PID::$(docker inspect --format '{{.State.Pid}}' $(docker inspect -f '{{.Name}}' \
 $(docker compose -f docker-compose.yaml -f docker-compose.db.yaml -f docker-compose.pyspy.yaml ps -q ows_18) \
@@ -59,6 +63,8 @@ jobs:
 timeout-minutes: 1
 continue-on-error: true
 run: |
+ export LOCAL_UID=$(id -u $USER)
+ export LOCAL_GID=$(id -g $USER)
 export $(grep -v '^#' .env_simple | xargs)
 docker compose -f docker-compose.yaml -f docker-compose.db.yaml -f docker-compose.pyspy.yaml \
 exec -T ows_18 /bin/sh -c "cd /code;./test_urls.sh &"
diff --git a/.github/workflows/test-prod.yaml b/.github/workflows/test-prod.yaml
index 766c4989c..7af740cc4 100644
--- a/.github/workflows/test-prod.yaml
+++ b/.github/workflows/test-prod.yaml
@@ -54,6 +54,8 @@ jobs:
 # Build prod image and tag as latest, connect to pre-indexed database
 - name: Build and run prod OWS images (stage 2)
 run: |
+ export LOCAL_UID=$(id -u $USER)
+ export LOCAL_GID=$(id -g $USER)
 export $(grep -v '^#' .env_simple | xargs)
 docker compose -f docker-compose.yaml -f docker-compose.db.yaml -f docker-compose.prod.yaml up -d
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 704d1f41c..c156fd45c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -54,12 +54,13 @@ jobs:
 - name: Test and lint dev OWS image
 run: |
 mkdir artifacts
- docker run -v ${PWD}/artifacts:/mnt/artifacts ${ORG}/${IMAGE}:_builder /bin/sh -c "cd /code;./check-code.sh"
+ docker run -e LOCAL_UID=$(id -u $USER) -e LOCAL_GID=$(id -g $USER) -v ${PWD}/artifacts:/mnt/artifacts ${ORG}/${IMAGE}:_builder /bin/sh -c "cd /code;./check-code.sh"
 mv ./artifacts/coverage.xml ./artifacts/coverage-unit.xml
 - name: Dockerized Integration Pytest
 run: |
- chmod a+rw artifacts
+ export LOCAL_UID=$(id -u $USER)
+ export LOCAL_GID=$(id -g $USER)
 export $(grep -v '^#' .env_simple | xargs)
 docker compose -f docker-compose.yaml -f docker-compose.db.yaml up -d
 docker compose -f docker-compose.yaml -f docker-compose.db.yaml exec -T ows_18 /bin/sh -c "cd /code;./check-code-all.sh"
diff --git a/Dockerfile b/Dockerfile
index 7a67e4acb..6096d1366 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,6 +38,16 @@ RUN pip freeze
 # Should match builder base.
 FROM ghcr.io/osgeo/gdal:ubuntu-small-3.8.5
+RUN apt-get update -y \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+ gosu \
+ tini \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* /var/dpkg/* /var/tmp/* /var/log/dpkg.log
+
+# Add login-script for UID/GID-remapping.
+COPY --chown=root:root --link docker/files/remap-user.sh /usr/local/bin/remap-user.sh
+
 # all the python pip installed libraries
 COPY --from=builder /usr/local/lib/python3.10/dist-packages /usr/local/lib/python3.10/dist-packages
 COPY --from=builder /usr/lib/python3/dist-packages /usr/lib/python3/dist-packages
@@ -68,7 +78,7 @@ WORKDIR /code
 COPY . /code
 # Configure user
-RUN useradd -m -s /bin/bash -N -g 100 -u 1001 ows
+RUN useradd -m -s /bin/bash ows
 WORKDIR "/home/ows"
 ENV GDAL_DISABLE_READDIR_ON_OPEN="EMPTY_DIR" \
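Review bot: The new `apt-get install` pulls `gosu` and `tini` without version pins, so two builds of the same Dockerfile can ship different binaries; hadolint reports this as DL3008 and the fix is `gosu=<version-from-apt-policy> \` and `tini=<version-from-apt-policy> \` (placeholders — check what the ubuntu-small-3.8.5 base offers). The `COPY --chown=root:root --link` line relies on the script's git mode (the diffstat shows `create mode 100755`) for the execute bit; adding `--chmod=0755` makes that explicit and survives checkouts that drop file modes. `/var/dpkg/*` in the cleanup list does not look like a standard dpkg location (that is `/var/lib/dpkg`, which must stay), so it is probably a harmless no-op worth confirming against the intended target.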
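Review bot: `RUN useradd -m -s /bin/bash ows` no longer fixes the uid, yet the remap script added in this commit skips `usermod` whenever `LOCAL_UID` is 1000, which only works if `useradd` happened to allocate 1000; should the gdal base image already carry a uid-1000 account, `ows` gets the next free id and a host uid of 1000 is never applied. Pinning it with `RUN useradd -m -s /bin/bash -u 1000 ows` turns that assumption into a build-time guarantee, since `useradd` fails when the requested uid is taken. Dropping `-N -g 100` also makes the primary group a private `ows` group instead of gid 100, so the `RUN chown 1000:100 /dev/shm` line in the next hunk no longer matches the user it was presumably written for.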
@@ -78,5 +88,5 @@ ENV GDAL_DISABLE_READDIR_ON_OPEN="EMPTY_DIR" \
 RUN chown 1000:100 /dev/shm
-USER ows
+ENTRYPOINT ["/usr/local/bin/remap-user.sh"]
 CMD ["gunicorn", "-b", "0.0.0.0:8000", "--workers=3", "--threads=2", "-k", "gevent", "--timeout", "121", "--pid", "/home/ows/gunicorn.pid", "--log-level", "info", "--worker-tmp-dir", "/dev/shm", "--config", "python:datacube_ows.gunicorn_config", "datacube_ows.wsgi"]
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 993010046..8f387e7db 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -13,6 +13,8 @@ services:
 # Uncomment for use with non-dockerised postgres (for docker-compose 1.x)
 # network_mode: host
 environment:
+ LOCAL_UID: ${LOCAL_UID:-1000}
+ LOCAL_GID: ${LOCAL_GID:-1000}
 # Defaults are defined in .env file
 AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
 AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
diff --git a/docker/files/remap-user.sh b/docker/files/remap-user.sh
new file mode 100755
index 000000000..b51061428
--- /dev/null
+++ b/docker/files/remap-user.sh
@@ -0,0 +1,13 @@
+#!/bin/bash -e
+
+# Script that gives the container user uid $LOCAL_UID and gid $LOCAL_GID.
+# If $LOCAL_UID or $LOCAL_GID are not set, they default to 1000 (default
+# for the first user created in Ubuntu).
+
+USER_ID=${LOCAL_UID:-1000}
+GROUP_ID=${LOCAL_GID:-1000}
+
+[[ "$USER_ID" == "1000" ]] || usermod -u $USER_ID -o -m -d /home/ows ows
+[[ "$GROUP_ID" == "1000" ]] || groupmod -g $GROUP_ID ows
+[[ $(id -u) != "0" ]] || GOSU="/usr/sbin/gosu ows"
+exec /usr/bin/tini -- $GOSU "$@"
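Review bot: With `USER ows` replaced by the `ENTRYPOINT` line, the image's configured user is root, and only processes started through the entrypoint are dropped to `ows` by gosu; anything that bypasses it runs as root. The workflows in this same commit do exactly that with `docker compose … exec -T ows_18 /bin/sh -c "cd /code;./check-code-all.sh"` (test.yml) and `exec -T ows_18 … ./test_urls.sh` (pyspy-profiling.yaml), so any files those commands create in bind-mounted paths will presumably be root-owned, which is the situation the removed `chmod a+rw artifacts` was papering over. Passing `--user ows` to those `exec` calls, or having them invoke `/usr/local/bin/remap-user.sh` explicitly, keeps the remapping in effect. A comment above the new line, `# Starts as root so remap-user.sh can usermod/groupmod ows, then drops to ows via gosu`, would make the contract visible to the next reader.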
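Review bot: `usermod -u $USER_ID -o` accepts a non-unique uid, so `LOCAL_UID=0` (or `LOCAL_GID=0`) silently turns `ows` into a uid-0/gid-0 account and the gosu drop on the next-to-last line no longer drops anything; since the value comes straight from the environment, the script should refuse it, e.g. `[[ "$USER_ID" != "0" && "$GROUP_ID" != "0" ]] || { echo "refusing to remap ows to uid/gid 0" >&2; exit 1; }` placed before the `usermod` line. Quoting `"$USER_ID"`/`"$GROUP_ID"` in the `usermod`/`groupmod` calls and checking they are numeric (`[[ "$USER_ID" =~ ^[0-9]+$ ]]`) would turn a malformed value into a clear error rather than whatever `usermod` makes of it. The `id -u` root check comes after the `usermod`/`groupmod` calls, so a container started with a non-root user and a non-default `LOCAL_UID` fails on `usermod` under `-e` instead of skipping the remap; testing for root first and only remapping in that case would make the path explicit. A short comment on the last line, `# tini as PID 1; $GOSU is intentionally unquoted so it expands to "gosu ows" or to nothing`, explains the unquoted expansion.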