use gosu to fix /data permissions errors

3 files changed, 57 insertions, 15 deletions

diff --git a/support/doc/docker.md b/support/doc/docker.md
index 3d25d06c4..e0c03a1dc 100644
--- a/support/doc/docker.md
+++ b/support/doc/docker.md
@@ -50,18 +50,6 @@ balancer, although any HTTP reverse proxy will work fine. See the example
 Nginx configuration `support/nginx/peertube` file to get an idea of
 recommendations and requirements to run PeerTube the most efficiently.
 
-When starting the containers for the first time, you will get permissions errors for the data volume, like this one:
-
-```
-Error: EACCES: permission denied, mkdir '/data/logs'
-```
-
-The peertube user inside the container has a UID and GID of 991 so you have to change the folder's owner, in the case you're using `./data`:
-
-```
-chown -R 991:991 data/
-```
-
 **Important**: note that you'll get the initial `root` user password from the
 program output, so check out your logs to find them.
 
diff --git a/support/docker/production/Dockerfile.stretch b/support/docker/production/Dockerfile.stretch
index b1905b3a8..bf2bae510 100644
--- a/support/docker/production/Dockerfile.stretch
+++ b/support/docker/production/Dockerfile.stretch
@@ -1,13 +1,45 @@
 FROM node:8-stretch
 
+RUN set -ex; \
+    if ! command -v gpg > /dev/null; then \
+      apt-get update; \
+      apt-get install -y --no-install-recommends \
+        gnupg \
+        dirmngr \
+      ; \
+      rm -rf /var/lib/apt/lists/*; \
+fi
+
 # Install dependencies
 RUN apt-get update \
     && apt-get -y install ffmpeg \
     && rm /var/lib/apt/lists/* -fR
 
 # Add peertube user
-RUN groupadd -g 991 peertube \
-    && useradd -u 991 -g peertube -m peertube
+RUN groupadd -r peertube \
+    && useradd -r -g peertube -m peertube
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.10
+RUN set -ex; \
+    \
+    fetchDeps='ca-certificates wget'; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends $fetchDeps; \
+    rm -rf /var/lib/apt/lists/*; \
+    \
+    dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+    wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+    wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+    export GNUPGHOME="$(mktemp -d)"; \
+    gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+    gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+    rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+    chmod +x /usr/local/bin/gosu; \
+    gosu nobody true; \
+    \
+    apt-get purge -y --auto-remove wget
 
 # Download the latest version
 RUN git clone https://github.com/Chocobozzz/PeerTube /app \
@@ -25,7 +57,13 @@ RUN cp /app/config/default.yaml /app/support/docker/production/config/default.ya
 ENV NODE_ENV production
 ENV NODE_CONFIG_DIR /app/support/docker/production/config
 
+USER root
+RUN mkdir /data && chown peertube:peertube /data
+VOLUME /data
+
+COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+
 # Run the application
 CMD ["npm", "start"]
-VOLUME ["/data"]
 EXPOSE 9000
diff --git a/support/docker/production/docker-entrypoint.sh b/support/docker/production/docker-entrypoint.sh
new file mode 100644
index 000000000..79f0e60f6
--- /dev/null
+++ b/support/docker/production/docker-entrypoint.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+
+# first arg is `-f` or `--some-option`
+# or first arg is `something.conf`
+if [ "${1#-}" != "$1" ] || [ "${1%.conf}" != "$1" ]; then
+        set -- npm "$@"
+fi
+
+# allow the container to be started with `--user`
+if [ "$1" = 'npm' -a "$(id -u)" = '0' ]; then
+        chown -R peertube: /data
+        exec gosu peertube "$0" "$@"
+fi
+
+exec "$@"