From 31d09e3a676bcc3d001371e77a3604f277828e9d Mon Sep 17 00:00:00 2001 From: Tobias Florek Date: Fri, 20 May 2022 10:21:52 +0200 Subject: [PATCH 1/3] in container don't chown and gosu when not root --- docker/async_entrypoint.sh | 23 ++++++++++++++--------- docker/entrypoint.sh | 34 +++++++++++++++++++++------------- 2 files changed, 35 insertions(+), 22 deletions(-) diff --git a/docker/async_entrypoint.sh b/docker/async_entrypoint.sh index 543b7d31..87fac081 100644 --- a/docker/async_entrypoint.sh +++ b/docker/async_entrypoint.sh @@ -8,13 +8,18 @@ set -euo pipefail -# Give permission to taiga:taiga after mounting volumes -echo Give permission to taiga:taiga -chown -R taiga:taiga /taiga-back +cmd=( celery -A taiga.celery worker -B --concurrency 4 -l INFO "$@" ) -# Start Celery processes -echo Starting Celery... -exec gosu taiga celery -A taiga.celery worker -B \ - --concurrency 4 \ - -l INFO \ - "$@" +if [ "$(id -u)" -eq 0 ]; then + # Give permission to taiga:taiga after mounting volumes + echo Give permission to taiga:taiga + # chown -R taiga:taiga /taiga-back + + # Start Celery processes + echo Starting Celery... + exec gosu taiga "${cmd[@]}" +else + # Start Celery processes + echo Starting Celery... + exec "${cmd[@]}" +fi diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 98d08b42..3af3eefa 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -8,6 +8,15 @@ set -euo pipefail +cmd=( gunicorn taiga.wsgi:application \ + --name taiga_api \ + --bind 0.0.0.0:8000 \ + --workers 3 \ + --worker-tmp-dir /dev/shm \ + --log-level=info \ + --access-logfile - \ + "$@" ) + # Execute pending migrations echo Executing pending migrations python manage.py migrate 
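Review bot: In the root branch of docker/async_entrypoint.sh the `chown -R taiga:taiga /taiga-back` line is now commented out while the `echo Give permission to taiga:taiga` that announces it is kept, so the log claims an ownership fix that no longer happens, and this diverges from docker/entrypoint.sh in the same patch, which still runs the chown. If the intent is that only the API container repairs ownership of mounted volumes, drop the echo and say so with a comment such as `# Ownership of mounted volumes is fixed by entrypoint.sh (API container); nothing to chown here.`; otherwise restore the chown. The new `cmd=( ... )` array and `"${cmd[@]}"` are bash-only, so the script must keep a bash shebang rather than `#!/bin/sh`; the shebang is outside the hunk, so this is something to confirm rather than a visible defect.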
@@ -16,17 +25,16 @@ python manage.py migrate echo Load default templates python manage.py loaddata initial_project_templates -# Give permission to taiga:taiga after mounting volumes -echo Give permission to taiga:taiga -chown -R taiga:taiga /taiga-back +if [ "$(id -u)" -eq 0 ]; then + # Give permission to taiga:taiga after mounting volumes + echo Give permission to taiga:taiga + chown -R taiga:taiga /taiga-back -# Start Taiga processes -echo Starting Taiga API... -exec gosu taiga gunicorn taiga.wsgi:application \ - --name taiga_api \ - --bind 0.0.0.0:8000 \ - --workers 3 \ - --worker-tmp-dir /dev/shm \ - --log-level=info \ - --access-logfile - \ - "$@" + # Start Taiga processes + echo Starting Taiga API... + exec gosu taiga "${cmd[@]}" +else + # Start Taiga processes + echo Starting Taiga API... + exec "${cmd[@]}" +fi From 5488c5c2794d08518db09760960d10bae668b542 Mon Sep 17 00:00:00 2001 From: Tobias Florek Date: Fri, 20 May 2022 10:26:40 +0200 Subject: [PATCH 2/3] allow running with gid=0 and any uid --- docker/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index e6945fd4..8cd60e34 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -64,7 +64,8 @@ RUN set -eux; \ groupadd --system taiga --gid=999; \ useradd --system --no-create-home --gid taiga --uid=999 --shell=/bin/bash taiga; \ mkdir -p /taiga-back/media/exports; \ - chown -R taiga:taiga /taiga-back; \ + chown -R taiga:0 /taiga-back; \ + chmod -R g+rwX /taiga-back; \ # remove unneeded files and packages apt-get purge -y \ build-essential \ From c282c99ace0f3a2b335ac1c0a5b1451314589913 Mon Sep 17 00:00:00 2001 
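Review bot: The root branch of docker/entrypoint.sh still runs `chown -R taiga:taiga /taiga-back`, which conflicts with the Dockerfile change in patch 2 that lays the tree out as `taiga:0` with `g+rwX` so an arbitrary uid in gid 0 can use it: a single start as root resets the group of everything under /taiga-back, including persisted volume content, to gid 999, and a later non-root run with gid 0 loses its group access. Use the same ownership here, `chown -R taiga:0 /taiga-back`, and ideally scope the recursive chown to the mounted data directories rather than the whole application tree, since it runs as root on every start over whatever happens to be mounted there. The duplicated `echo Starting Taiga API...` could also be hoisted above the `if`, leaving only the `gosu` decision inside the branches.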
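Review bot: `chmod -R g+rwX /taiga-back` makes the entire application tree, Python sources and settings included and not just `media/exports`, writable by the runtime process whenever it runs with gid 0, so a compromised worker could modify the code it is executing and persist across restarts. Keep the code read-only and grant group write only where the application must write, e.g. `chmod -R g+rX /taiga-back; chmod -R g+rwX /taiga-back/media;` (extend to any other runtime-written paths if they exist, which the hunk does not show). Note that the runtime `chown -R taiga:taiga` left in docker/entrypoint.sh by patch 1 will reset the group to 999 on a root start and undo this layout, so the two should agree on `taiga:0`. The enclosing `RUN` instruction begins and ends outside the hunk.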
From: Tobias Florek Date: Fri, 20 May 2022 10:27:19 +0200 Subject: [PATCH 3/3] set shell permissions This will save some bytes in the resulting container image (when not squashing). --- docker/async_entrypoint.sh | 0 docker/entrypoint.sh | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 docker/async_entrypoint.sh mode change 100644 => 100755 docker/entrypoint.sh diff --git a/docker/async_entrypoint.sh b/docker/async_entrypoint.sh old mode 100644 new mode 100755 diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh old mode 100644 new mode 100755