diff --git a/keyserver/Dockerfile b/keyserver/Dockerfile
--- a/keyserver/Dockerfile
+++ b/keyserver/Dockerfile
@@ -1,7 +1,42 @@
FROM node:16.13-bullseye
#-------------------------------------------------------------------------------
-# STEP 0: INSTALL PREREQS
+# STEP 0: SET UP USER
+# Set up Linux user and group for the container.
+#-------------------------------------------------------------------------------
+
+# We use bind mounts for our backups folder, which means Docker on Linux will
+# blindly match the UID/GID for the backups folder on the container with the
+# host. In order to make sure the container is able to create backups with the
+# right UID/GID, we need to do two things:
+# 1. Make sure that the user that runs the Docker container on the host has
+# permissions to write to the backups folder on the host. We rely on the host
+# to configure this properly
+# 2. Make sure we're running this container with the same UID/GID that the host
+# is using, so the UID/GID show up correctly on both sides of the bind mount
+# To handle 2 correctly, we have the host pass the UID/GID with which they're
+# running the container. Our approach is based on this one:
+# https://github.com/mhart/alpine-node/issues/48#issuecomment-430902787
+
+ARG HOST_UID
+ARG HOST_GID
+
+USER root
+RUN \
+ if [ -z "`getent group $HOST_GID`" ]; then \
+ addgroup --system --gid $HOST_GID comm; \
+ else \
+ groupmod --new-name comm `getent group $HOST_GID | cut -d: -f1`; \
+ fi && \
+ if [ -z "`getent passwd $HOST_UID`" ]; then \
+ adduser --system --uid $HOST_UID --ingroup comm --shell /bin/bash comm; \
+ else \
+ usermod --login comm --gid $HOST_GID --home /home/comm --move-home \
+ `getent passwd $HOST_UID | cut -d: -f1`; \
+ fi
+
+#-------------------------------------------------------------------------------
+# STEP 1: INSTALL PREREQS
# Install prereqs first so we don't have to reinstall them if anything changes
#-------------------------------------------------------------------------------
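Review bot: `ARG HOST_UID` and `ARG HOST_GID` have no defaults, so a plain `docker build` without `--build-arg` expands them to empty strings and the unquoted `getent group $HOST_GID` on the first `if` line becomes `getent group` with no key, which enumerates the whole group database; the `-z` test then treats the group as existing and `groupmod --new-name comm` is handed the entire list of group names from the `cut` output. The same applies to the `getent passwd $HOST_UID` branch. Give both args a safe default and quote the expansions: `ARG HOST_UID=1000`, `ARG HOST_GID=1000`, and `if [ -z "$(getent group "$HOST_GID")" ]; then \`. It is also worth a comment noting that when the passed GID/UID already exists in the base image the existing group/user is renamed to `comm`, so a value colliding with an essential account (e.g. GID 0) would rename it; rejecting such values up front with a `test "$HOST_UID" -ge 1000` guard seems advisable but I am inferring the intended range from the base image, so confirm.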
@@ -17,16 +52,15 @@
&& rm -rf /var/lib/apt/lists/*
#-------------------------------------------------------------------------------
-# STEP 1: DEVOLVE PRIVILEGES
+# STEP 2: DEVOLVE PRIVILEGES
# Create another user to run the rest of the commands
#-------------------------------------------------------------------------------
-RUN useradd -m comm
USER comm
WORKDIR /home/comm/app
#-------------------------------------------------------------------------------
-# STEP 2: SET UP MYSQL BACKUPS
+# STEP 3: SET UP MYSQL BACKUPS
# Prepare the system to properly handle mysqldump backups
#-------------------------------------------------------------------------------
@@ -39,7 +73,7 @@
RUN echo "[mysqldump]\ncolumn-statistics=0" > /home/comm/.my.cnf
#-------------------------------------------------------------------------------
-# STEP 3: INSTALL NVM
+# STEP 4: INSTALL NVM
# We use nvm to make sure we're running the right Node version
#-------------------------------------------------------------------------------
@@ -48,7 +82,7 @@
| bash
#-------------------------------------------------------------------------------
-# STEP 4: YARN CLEANINSTALL
+# STEP 5: YARN CLEANINSTALL
# We run yarn cleaninstall before copying most of the files in for build caching
#-------------------------------------------------------------------------------
@@ -69,7 +103,7 @@
RUN yarn cleaninstall
#-------------------------------------------------------------------------------
-# STEP 5: WEBPACK BUILD
+# STEP 6: WEBPACK BUILD
# We do this first so Docker doesn't rebuild when only keyserver files change
#-------------------------------------------------------------------------------
@@ -81,14 +115,14 @@
RUN yarn workspace web prod
#-------------------------------------------------------------------------------
-# STEP 6: COPY IN SOURCE FILES
+# STEP 7: COPY IN SOURCE FILES
# We run this later so the above layers are cached if only source files change
#-------------------------------------------------------------------------------
COPY --chown=comm . .
#-------------------------------------------------------------------------------
-# STEP 7: RUN BUILD SCRIPTS
+# STEP 8: RUN BUILD SCRIPTS
# We need to populate keyserver/dist, among other things
#-------------------------------------------------------------------------------
@@ -96,7 +130,7 @@
RUN yarn workspace keyserver prod-build
#-------------------------------------------------------------------------------
-# STEP 8: RUN THE SERVER
+# STEP 9: RUN THE SERVER
# Actually run the Node.js keyserver using nvm
#-------------------------------------------------------------------------------
diff --git a/keyserver/docker-compose.yml b/keyserver/docker-compose.yml
--- a/keyserver/docker-compose.yml
+++ b/keyserver/docker-compose.yml
@@ -4,6 +4,9 @@
build:
dockerfile: keyserver/Dockerfile
context: ../
+ args:
+ - HOST_UID=${HOST_UID}
+ - HOST_GID=${HOST_GID}
image: commapp/node-keyserver:1.0
restart: always
ports:
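Review bot: `HOST_UID=${HOST_UID}` and `HOST_GID=${HOST_GID}` are interpolated from the host environment with no default, so a host that has not exported them passes empty build args to the Dockerfile, where the user-setup `RUN` step does not cope with empty values. Use Compose's required-variable form so the build fails loudly instead: `- HOST_UID=${HOST_UID:?set HOST_UID to the UID that will own the backups bind mount}` and likewise `- HOST_GID=${HOST_GID:?...}`, or supply a default with `${HOST_UID:-1000}` if an unprivileged fallback is acceptable. The surrounding `build:` mapping starts above the hunk.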