Run as root, but switch to the target UID/GID is supplied (fixes file permission issues with mounted volumes). (#130)

Dockerfile

@@ -14,22 +14,18 @@ RUN GO111MODULE=on GCO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -ldfl
 # app container
 FROM alpine
 
-ARG USER="vdm"
 ARG CONFIG_FILE="./environments/config.toml"
 ARG EXPOSE_PORT=8545
 
-RUN adduser -Du 5000 $USER adm
-RUN adduser $USER adm; apk --no-cache add sudo bash; echo '%adm ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+RUN apk --no-cache add su-exec bash
 
 WORKDIR /app
-RUN chown $USER /app
-USER $USER
 
 # chown first so dir is writable
 # note: using $USER is merged, but not in the stable release yet
-COPY --chown=5000:5000 --from=builder /go/src/github.com/cerc-io/eth-statediff-service/$CONFIG_FILE config.toml
-COPY --chown=5000:5000 --from=builder /go/src/github.com/cerc-io/eth-statediff-service/startup_script.sh .
-COPY --chown=5000:5000 --from=builder /go/src/github.com/cerc-io/eth-statediff-service/environments environments
+COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/$CONFIG_FILE config.toml
+COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/startup_script.sh .
+COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/environments environments
 
 # keep binaries immutable
 COPY --from=builder /go/src/github.com/cerc-io/eth-statediff-service/eth-statediff-service eth-statediff-service

startup_script.sh

@@ -12,26 +12,36 @@ test "$VDB_COMMAND"
 
 # docker must be run in privilaged mode for mounts to work
 echo "Setting up /app/geth-rw overlayed /app/geth-ro"
-mkdir -p /tmp/overlay && \
-sudo mount -t tmpfs tmpfs /tmp/overlay && \
-mkdir -p /tmp/overlay/upper && \
-mkdir -p /tmp/overlay/work && \
-mkdir -p /app/geth-rw && \
-sudo mount -t overlay overlay -o lowerdir=/app/geth-ro,upperdir=/tmp/overlay/upper,workdir=/tmp/overlay/work /app/geth-rw
+mkdir -p /tmp/overlay
+mount -t tmpfs tmpfs /tmp/overlay
+mkdir -p /tmp/overlay/upper
+mkdir -p /tmp/overlay/work
+mkdir -p /app/geth-rw
+
+mount -t overlay overlay -o lowerdir=/app/geth-ro,upperdir=/tmp/overlay/upper,workdir=/tmp/overlay/work /app/geth-rw
+
+mkdir /var/run/statediff
+cd /var/run/statediff
+
+SETUID=""
+if [[ -n "$TARGET_UID" ]] && [[ -n "$TARGET_GID" ]]; then
+    SETUID="su-exec $TARGET_UID:$TARGET_GID"
+    chown -R $TARGET_UID:$TARGET_GID /var/run/statediff
+fi
 
 START_TIME=`date -u +"%Y-%m-%dT%H:%M:%SZ"`
 echo "Running the statediff service" && \
 if [[ ! -z "$LOG_FILE_PATH" ]]; then
-  sudo -E ./eth-statediff-service "$VDB_COMMAND" --config=config.toml $* |& tee ${LOG_FILE_PATH}.console
+  $SETUID /app/eth-statediff-service "$VDB_COMMAND" --config=/app/config.toml $* |& $SETUID tee ${LOG_FILE_PATH}.console
   rc=$?
 else
-  sudo -E ./eth-statediff-service "$VDB_COMMAND" --config=config.toml $*
+  $SETUID /app/eth-statediff-service "$VDB_COMMAND" --config=/app/config.toml $*
   rc=$?
 fi
 STOP_TIME=`date -u +"%Y-%m-%dT%H:%M:%SZ"`
 
 if [ $rc -eq 0 ] && [ "$PRERUN_ONLY" == "true" ] && [ ! -z "$PRERUN_RANGE_START" ] && [ ! -z "$PRERUN_RANGE_STOP" ] && [ ! -z "$DATABASE_FILE_CSV_DIR" ] && [ "$DATABASE_FILE_MODE" == "csv" ]; then
-  cat >"$DATABASE_FILE_CSV_DIR/metadata.json" <<EOF
+  cat >metadata.json <<EOF
 {
   "range": { "start": $PRERUN_RANGE_START, "stop": $PRERUN_RANGE_STOP },
   "nodeId": "$ETH_NODE_ID",
@@ -41,6 +51,11 @@ if [ $rc -eq 0 ] && [ "$PRERUN_ONLY" == "true" ] && [ ! -z "$PRERUN_RANGE_START"
   "time": { "start": "$START_TIME", "stop": "$STOP_TIME" }
 }
 EOF
+  if [[ -n "$TARGET_UID" ]] && [[ -n "$TARGET_GID" ]]; then
+    echo 'metadata.json' | cpio -p --owner $TARGET_UID:$TARGET_GID $DATABASE_FILE_CSV_DIR
+  else
+    cp metadata.json $DATABASE_FILE_CSV_DIR
+  fi
 fi
 
 exit $rc