From fb040d7484133fb2dea5bf5f2a2e803cd0d3907b Mon Sep 17 00:00:00 2001
From: Thomas E Lackey
Date: Fri, 28 Apr 2023 22:14:45 -0500
Subject: [PATCH] Run as root, but switch to the target UID/GID is supplied (fixes file permission issues with mounted volumes). (#130)
---
 Dockerfile | 12 ++++--------
 startup_script.sh | 33 ++++++++++++++++++++++++---------
 2 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6d84a5f..0dad3ac 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,22 +14,18 @@ RUN GO111MODULE=on GCO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -ldfl
 # app container
 FROM alpine
-ARG USER="vdm"
 ARG CONFIG_FILE="./environments/config.toml"
 ARG EXPOSE_PORT=8545
-RUN adduser -Du 5000 $USER adm
-RUN adduser $USER adm; apk --no-cache add sudo bash; echo '%adm ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+RUN apk --no-cache add su-exec bash
 WORKDIR /app
-RUN chown $USER /app
-USER $USER
 # chown first so dir is writable
 # note: using $USER is merged, but not in the stable release yet
-COPY --chown=5000:5000 --from=builder /go/src/github.com/cerc-io/eth-statediff-service/$CONFIG_FILE config.toml
-COPY --chown=5000:5000 --from=builder /go/src/github.com/cerc-io/eth-statediff-service/startup_script.sh .
-COPY --chown=5000:5000 --from=builder /go/src/github.com/cerc-io/eth-statediff-service/environments environments
+COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/$CONFIG_FILE config.toml
+COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/startup_script.sh .
+COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/environments environments
 # keep binaries immutable
 COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/eth-statediff-service eth-statediff-service
diff --git a/startup_script.sh b/startup_script.sh
index d743ff5..c92697a 100755
--- a/startup_script.sh
+++ b/startup_script.sh
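Review bot: The two context comments that survive between `WORKDIR /app` and the first `COPY`, `# chown first so dir is writable` and `# note: using $USER is merged, but not in the stable release yet`, describe the `RUN chown $USER /app` and `USER $USER` lines this hunk deletes, so they are now stale. Replace them with one comment that records the new model, e.g. `# no USER: the image runs as root so startup_script.sh can mount the overlay; it drops to TARGET_UID:TARGET_GID via su-exec when both are set`. Since `USER $USER` is removed and nothing re-adds it, a container started without TARGET_UID/TARGET_GID runs the service as root, which the commit title states but the Dockerfile itself does not; noting that next to the `su-exec` install (or giving those variables defaults in the image) would make the expectation explicit to operators. Dropping the `%adm ALL=(ALL) NOPASSWD:ALL` sudoers entry along with `sudo` is a clear improvement.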
@@ -12,26 +12,36 @@ test "$VDB_COMMAND"
 # docker must be run in privilaged mode for mounts to work
 echo "Setting up /app/geth-rw overlayed /app/geth-ro"
-mkdir -p /tmp/overlay && \
-sudo mount -t tmpfs tmpfs /tmp/overlay && \
-mkdir -p /tmp/overlay/upper && \
-mkdir -p /tmp/overlay/work && \
-mkdir -p /app/geth-rw && \
-sudo mount -t overlay overlay -o lowerdir=/app/geth-ro,upperdir=/tmp/overlay/upper,workdir=/tmp/overlay/work /app/geth-rw
+mkdir -p /tmp/overlay
+mount -t tmpfs tmpfs /tmp/overlay
+mkdir -p /tmp/overlay/upper
+mkdir -p /tmp/overlay/work
+mkdir -p /app/geth-rw
+
+mount -t overlay overlay -o lowerdir=/app/geth-ro,upperdir=/tmp/overlay/upper,workdir=/tmp/overlay/work /app/geth-rw
+
+mkdir /var/run/statediff
+cd /var/run/statediff
+
+SETUID=""
+if [[ -n "$TARGET_UID" ]] && [[ -n "$TARGET_GID" ]]; then
+ SETUID="su-exec $TARGET_UID:$TARGET_GID"
+ chown -R $TARGET_UID:$TARGET_GID /var/run/statediff
+fi
 START_TIME=`date -u +"%Y-%m-%dT%H:%M:%SZ"`
 echo "Running the statediff service" && \
 if [[ ! -z "$LOG_FILE_PATH" ]]; then
- sudo -E ./eth-statediff-service "$VDB_COMMAND" --config=config.toml $* |& tee ${LOG_FILE_PATH}.console
+ $SETUID /app/eth-statediff-service "$VDB_COMMAND" --config=/app/config.toml $* |& $SETUID tee ${LOG_FILE_PATH}.console
 rc=$?
 else
- sudo -E ./eth-statediff-service "$VDB_COMMAND" --config=config.toml $*
+ $SETUID /app/eth-statediff-service "$VDB_COMMAND" --config=/app/config.toml $*
 rc=$?
 fi
 STOP_TIME=`date -u +"%Y-%m-%dT%H:%M:%SZ"`
 if [ $rc -eq 0 ] && [ "$PRERUN_ONLY" == "true" ] && [ ! -z "$PRERUN_RANGE_START" ] && [ ! -z "$PRERUN_RANGE_STOP" ] && [ ! -z "$DATABASE_FILE_CSV_DIR" ] && [ "$DATABASE_FILE_MODE" == "csv" ]; then
- cat >"$DATABASE_FILE_CSV_DIR/metadata.json" <metadata.json <