Run as root, but switch to the target UID/GID is supplied (fixes file permission issues with mounted volumes). (#130)

2023-04-28 22:14:45 -05:00 · 2023-04-28 22:14:45 -05:00 · fb040d7484
commit fb040d7484
parent 60e951a172
2 changed files with 28 additions and 17 deletions
--- a/12
+++ b/12
@ -14,22 +14,18 @@ RUN GO111MODULE=on GCO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -ldfl
 # app container
 FROM alpine
 ARG USER="vdm"
 ARG CONFIG_FILE="./environments/config.toml"
 ARG EXPOSE_PORT=8545
-RUN adduser -Du 5000 $USER adm
+RUN apk --no-cache add su-exec bash
 RUN adduser $USER adm; apk --no-cache add sudo bash; echo '%adm ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 WORKDIR /app
 RUN chown $USER /app
 USER $USER
 # chown first so dir is writable
 # note: using $USER is merged, but not in the stable release yet
-COPY --chown=5000:5000 --from=builder /go/src/github.com/cerc-io/eth-statediff-service/$CONFIG_FILE config.toml
+COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/$CONFIG_FILE config.toml
-COPY --chown=5000:5000 --from=builder /go/src/github.com/cerc-io/eth-statediff-service/startup_script.sh .
+COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/startup_script.sh .
-COPY --chown=5000:5000 --from=builder /go/src/github.com/cerc-io/eth-statediff-service/environments environments
+COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/environments environments
 # keep binaries immutable
 COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/eth-statediff-service eth-statediff-service
--- a/startup_script.sh
+++ b/startup_script.sh
@ -12,26 +12,36 @@ test "$VDB_COMMAND"
 # docker must be run in privilaged mode for mounts to work
 echo "Setting up /app/geth-rw overlayed /app/geth-ro"
-mkdir -p /tmp/overlay && \
+mkdir -p /tmp/overlay
-sudo mount -t tmpfs tmpfs /tmp/overlay && \
+mount -t tmpfs tmpfs /tmp/overlay
-mkdir -p /tmp/overlay/upper && \
+mkdir -p /tmp/overlay/upper
-mkdir -p /tmp/overlay/work && \
+mkdir -p /tmp/overlay/work
-mkdir -p /app/geth-rw && \
+mkdir -p /app/geth-rw
-sudo mount -t overlay overlay -o lowerdir=/app/geth-ro,upperdir=/tmp/overlay/upper,workdir=/tmp/overlay/work /app/geth-rw
+
 mount -t overlay overlay -o lowerdir=/app/geth-ro,upperdir=/tmp/overlay/upper,workdir=/tmp/overlay/work /app/geth-rw
 mkdir /var/run/statediff
 cd /var/run/statediff
 SETUID=""
 if [[ -n "$TARGET_UID" ]] && [[ -n "$TARGET_GID" ]]; then
    SETUID="su-exec $TARGET_UID:$TARGET_GID"
    chown -R $TARGET_UID:$TARGET_GID /var/run/statediff
 fi
 START_TIME=`date -u +"%Y-%m-%dT%H:%M:%SZ"`
 echo "Running the statediff service" && \
 if [[ ! -z "$LOG_FILE_PATH" ]]; then
-  sudo -E ./eth-statediff-service "$VDB_COMMAND" --config=config.toml $* |& tee ${LOG_FILE_PATH}.console
+  $SETUID /app/eth-statediff-service "$VDB_COMMAND" --config=/app/config.toml $* |& $SETUID tee ${LOG_FILE_PATH}.console
  rc=$?
 else
-  sudo -E ./eth-statediff-service "$VDB_COMMAND" --config=config.toml $*
+  $SETUID /app/eth-statediff-service "$VDB_COMMAND" --config=/app/config.toml $*
  rc=$?
 fi
 STOP_TIME=`date -u +"%Y-%m-%dT%H:%M:%SZ"`
 if [ $rc -eq 0 ] && [ "$PRERUN_ONLY" == "true" ] && [ ! -z "$PRERUN_RANGE_START" ] && [ ! -z "$PRERUN_RANGE_STOP" ] && [ ! -z "$DATABASE_FILE_CSV_DIR" ] && [ "$DATABASE_FILE_MODE" == "csv" ]; then
-  cat >"$DATABASE_FILE_CSV_DIR/metadata.json" <<EOF
+  cat >metadata.json <<EOF
 {
  "range": { "start": $PRERUN_RANGE_START, "stop": $PRERUN_RANGE_STOP },
  "nodeId": "$ETH_NODE_ID",
@ -41,6 +51,11 @@ if [ $rc -eq 0 ] && [ "$PRERUN_ONLY" == "true" ] && [ ! -z "$PRERUN_RANGE_START"
  "time": { "start": "$START_TIME", "stop": "$STOP_TIME" }
 }
 EOF
  if [[ -n "$TARGET_UID" ]] && [[ -n "$TARGET_GID" ]]; then
    echo 'metadata.json' | cpio -p --owner $TARGET_UID:$TARGET_GID $DATABASE_FILE_CSV_DIR
  else
    cp metadata.json $DATABASE_FILE_CSV_DIR
  fi
 fi
 exit $rc