From 6244511cf8f48e4df78cd721ddefaf29c0372005 Mon Sep 17 00:00:00 2001
From: Christian Winther
Date: Thu, 4 Jan 2024 11:20:22 +0000
Subject: [PATCH] don't hardcode UID/GID for runtime
---
 contrib/docker/Dockerfile | 18 ++++++++++++------
 .../shared/docker-entrypoint.d/10-storage.sh | 6 +++---
 .../{30-horizon.sh => 20-horizon.sh} | 2 +-
 .../{20-cache.sh => 30-cache.sh} | 10 +++++-----
 contrib/docker/shared/lib.sh | 4 ++--
 5 files changed, 23 insertions(+), 17 deletions(-)
 rename contrib/docker/shared/docker-entrypoint.d/{30-horizon.sh => 20-horizon.sh} (60%)
 rename contrib/docker/shared/docker-entrypoint.d/{20-cache.sh => 30-cache.sh} (58%)
diff --git a/contrib/docker/Dockerfile b/contrib/docker/Dockerfile
index 7715dc7b3..d35276db6 100644
--- a/contrib/docker/Dockerfile
+++ b/contrib/docker/Dockerfile
@@ -17,6 +17,8 @@ ARG PHP_EXTENSIONS_EXTRA=""
 ARG PHP_EXTENSIONS="intl bcmath zip pcntl exif curl gd"
 ARG PHP_VERSION="8.1"
 ARG APT_PACKAGES_EXTRA=""
+ARG RUNTIME_UID=33
+ARG RUNTIME_GID=33
 # GPG key for nginx apt repository
 ARG NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
@@ -56,6 +58,8 @@ FROM php:${PHP_VERSION}-${PHP_BASE_TYPE}-${PHP_DEBIAN_RELEASE} AS base
 ARG PHP_VERSION
 ARG PHP_DEBIAN_RELEASE
 ARG APT_PACKAGES_EXTRA
+ARG RUNTIME_UID
+ARG RUNTIME_GID
 ARG TARGETPLATFORM
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
@@ -67,7 +71,7 @@ SHELL ["/bin/bash", "-c"]
 RUN set -ex \
 && mkdir -pv /var/www/ \
- && chown -R 33:33 /var/www
+ && chown -R ${RUNTIME_UID}:${RUNTIME_GID} /var/www
 WORKDIR /var/www/
@@ -193,6 +197,8 @@ FROM base AS composer-and-src
 ARG PHP_VERSION
 ARG PHP_DEBIAN_RELEASE
+ARG RUNTIME_UID
+ARG RUNTIME_GID
 ARG TARGETPLATFORM
 # Make sure composer cache is targeting our cache mount later
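Review bot: The two new build arguments in the `@@ -17,6 +17,8 @@` hunk carry no comment saying what `33` is or what the pair is for, so a reader has to know that 33 is the www-data account on Debian and that it reproduces the value that was hardcoded before this change. A short comment above them would do: `# UID/GID the application runs as in the final image (and that /var/www is chowned to); 33 = www-data on Debian, the previous hardcoded value`. It is also worth stating there that an override does not create an account in the image, so a non-default value has no /etc/passwd entry and anything that resolves names rather than numeric ids will not find it; the `as_runtime_user` change in lib.sh later in this patch appears to be exactly such a consumer, so the note should point there.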
@@ -207,11 +213,11 @@ ENV COMPOSER_NO_INTERACTION=1
 # Copy composer from https://hub.docker.com/_/composer
 COPY --link --from=composer-image /usr/bin/composer /usr/bin/composer
-#! Changing user to 33
-USER 33:33
+#! Changing user to runtime user
+USER ${RUNTIME_UID}:${RUNTIME_GID}
 # Copy over only composer related files so docker layer cache isn't invalidated on PHP file changes
-COPY --link --chown=33:33 composer.json composer.lock /var/www/
+COPY --link --chown=${RUNTIME_UID}:${RUNTIME_GID} composer.json composer.lock /var/www/
 # Install composer dependencies
 # NOTE: we skip the autoloader generation here since we don't have all files avaliable (yet)
@@ -220,7 +226,7 @@ RUN --mount=type=cache,id=pixelfed-composer-${PHP_VERSION}-${PHP_DEBIAN_RELEASE}
 && composer install --prefer-dist --no-autoloader --ignore-platform-reqs
 # Copy all other files over
-COPY --link --chown=33:33 . /var/www/
+COPY --link --chown=${RUNTIME_UID}:${RUNTIME_GID} . /var/www/
 # Generate optimized autoloader now that we have all files around
 RUN set -ex \
@@ -237,7 +243,7 @@ FROM base AS shared-runtime
 COPY --link --from=php-extensions /usr/local/lib/php/extensions /usr/local/lib/php/extensions
 COPY --link --from=php-extensions /usr/local/etc/php /usr/local/etc/php
-COPY --link --from=composer-and-src --chown=33:33 /var/www /var/www
+COPY --link --from=composer-and-src --chown=${RUNTIME_UID}:${RUNTIME_GID} /var/www /var/www
 COPY --link --from=forego-image /usr/local/bin/forego /usr/local/bin/forego
 COPY --link contrib/docker/php.production.ini "$PHP_INI_DIR/php.ini"
diff --git a/contrib/docker/shared/docker-entrypoint.d/10-storage.sh b/contrib/docker/shared/docker-entrypoint.d/10-storage.sh
index 860ec0425..8357688c1 100755
--- a/contrib/docker/shared/docker-entrypoint.d/10-storage.sh
+++ b/contrib/docker/shared/docker-entrypoint.d/10-storage.sh
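Review bot: The `shared-runtime` stage does not appear to redeclare `RUNTIME_UID`/`RUNTIME_GID`, yet the new `COPY --link --from=composer-and-src --chown=${RUNTIME_UID}:${RUNTIME_GID}` line in the `@@ -237,7 +243,7 @@` hunk expands them; an ARG goes out of scope at the end of the stage that declares it and is not inherited through `FROM base`, and since git chose `FROM base AS shared-runtime` as this hunk's context line there is seemingly no `ARG` line between that FROM and the COPY, so the expansion is most likely empty here (the `base` and `composer-and-src` stages in this patch do redeclare the pair). The same two values are also read at container start by `10-storage.sh` and `lib.sh`, which run under `set -o nounset` and will abort the entrypoint if they are missing from the environment, and none of the 23 added lines in this patch sets an `ENV` for them. Add to the stage directly after its FROM: `ARG RUNTIME_UID`, `ARG RUNTIME_GID`, `ENV RUNTIME_UID=${RUNTIME_UID} RUNTIME_GID=${RUNTIME_GID}`.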
@@ -4,10 +4,10 @@ set -o errexit -o nounset -o pipefail
 source /lib.sh
 entrypoint_log "==> Create the storage tree if needed"
-as_www_user cp --recursive storage.skel/* storage/
+as_runtime_user cp --recursive storage.skel/* storage/
 entrypoint_log "==> Ensure storage is linked"
-as_www_user php artisan storage:link
+as_runtime_user php artisan storage:link
 entrypoint_log "==> Ensure permissions are correct"
-chown --recursive www-data:www-data storage/ bootstrap/
+chown --recursive ${RUNTIME_UID}:${RUNTIME_GID} storage/ bootstrap/
diff --git a/contrib/docker/shared/docker-entrypoint.d/30-horizon.sh b/contrib/docker/shared/docker-entrypoint.d/20-horizon.sh
similarity index 60%
rename from contrib/docker/shared/docker-entrypoint.d/30-horizon.sh
rename to contrib/docker/shared/docker-entrypoint.d/20-horizon.sh
index 04227cf40..9db54ba35 100755
--- a/contrib/docker/shared/docker-entrypoint.d/30-horizon.sh
+++ b/contrib/docker/shared/docker-entrypoint.d/20-horizon.sh
@@ -3,4 +3,4 @@ set -o errexit -o nounset -o pipefail
 source /lib.sh
-as_www_user php artisan horizon:publish
+as_runtime_user php artisan horizon:publish
diff --git a/contrib/docker/shared/docker-entrypoint.d/20-cache.sh b/contrib/docker/shared/docker-entrypoint.d/30-cache.sh
similarity index 58%
rename from contrib/docker/shared/docker-entrypoint.d/20-cache.sh
rename to contrib/docker/shared/docker-entrypoint.d/30-cache.sh
index 06e440802..3eb87b6bb 100755
--- a/contrib/docker/shared/docker-entrypoint.d/20-cache.sh
+++ b/contrib/docker/shared/docker-entrypoint.d/30-cache.sh
@@ -3,11 +3,11 @@ set -o errexit -o nounset -o pipefail
 source /lib.sh
-entrypoint_log "==> config:cache"
-as_www_user php artisan config:cache
-
 entrypoint_log "==> route:cache"
-as_www_user php artisan route:cache
+as_runtime_user php artisan route:cache
 entrypoint_log "==> view:cache"
-as_www_user php artisan view:cache
+as_runtime_user php artisan view:cache
+
+entrypoint_log "==> config:cache"
+as_runtime_user php artisan config:cache
diff --git a/contrib/docker/shared/lib.sh b/contrib/docker/shared/lib.sh
index 3e7ef0f91..8253ed085 100644
--- a/contrib/docker/shared/lib.sh
+++ b/contrib/docker/shared/lib.sh
@@ -8,6 +8,6 @@ function entrypoint_log() {
 fi
 }
-function as_www_user() {
- su --preserve-environment www-data --shell /bin/bash --command "${*}"
+function as_runtime_user() {
+ su --preserve-environment ${RUNTIME_UID} --shell /bin/bash --command "${*}"
 }
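Review bot: Moving `config:cache` from first to last in `30-cache.sh`, and swapping this script's `20`/`30` prefix with the horizon script, is an ordering change that nothing in the patch explains, and the commit message only mentions the UID/GID work. Whatever the reason for running it after `route:cache` and `view:cache`, it belongs in the file, otherwise the next cleanup will sort the commands back; a one-line comment above the final block such as `# config:cache is intentionally the last artisan call in this script — keep it here` (with the actual reason filled in) is enough, and the commit message should carry the same sentence for the rename.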
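Review bot: `su` takes an account name as its positional argument, so handing it the numeric `${RUNTIME_UID}` in the new `as_runtime_user` only works if an account literally named "33" exists; as far as I can tell util-linux su on the Debian base looks the argument up by name only and fails with "user 33 does not exist", which means every entrypoint script that calls `as_runtime_user` would now abort under `set -o errexit`. The function also drops the group entirely — only `RUNTIME_UID` is passed, and su takes the primary group from the passwd entry — so the `RUNTIME_GID` the rest of this patch introduces is never applied to the process. A privilege-drop helper that accepts numeric ids and honours both values, e.g. `setpriv --reuid="${RUNTIME_UID}" --regid="${RUNTIME_GID}" --clear-groups -- /bin/bash -c "${*}"` (setpriv ships with util-linux; confirm it is in the image), keeps the environment without `--preserve-environment` and quotes the expansion; if su must stay, the value has to be an account name that exists in the image.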