use gosu to fix /data permissions errors

author: Florent Poinsaut <florent@poinsaut.fr> 2018-04-15 22:28:05 +0200
committer: Chocobozzz <me@florianbigard.com> 2018-04-16 09:33:49 +0200
commit: 399d20eae6ec4e7a7fda1afd0e8b1a11a2cb1714 (patch)
tree: bdcfae14155f42e6ad8b3779ad8a7b50a2a9a2a4 /support/docker/production
parent: 864e782bc2306f7154a185361ebf94e6e86472e8 (diff)
download: PeerTube-399d20eae6ec4e7a7fda1afd0e8b1a11a2cb1714.tar.gz
PeerTube-399d20eae6ec4e7a7fda1afd0e8b1a11a2cb1714.tar.zst
PeerTube-399d20eae6ec4e7a7fda1afd0e8b1a11a2cb1714.zip
2 files changed, 57 insertions, 3 deletions
diff --git a/support/docker/production/Dockerfile.stretch b/support/docker/production/Dockerfile.stretch
index b1905b3a8..bf2bae510 100644
--- a/support/docker/production/Dockerfile.stretch
+++ b/support/docker/production/Dockerfile.stretch
@@ -1,13 +1,45 @@
 FROM node:8-stretch
+RUN set -ex; \
+    if ! command -v gpg > /dev/null; then \
+      apt-get update; \
+      apt-get install -y --no-install-recommends \
+        gnupg \
+        dirmngr \
+      ; \
+      rm -rf /var/lib/apt/lists/*; \
+fi
 # Install dependencies
 RUN apt-get update \
    && apt-get -y install ffmpeg \
    && rm /var/lib/apt/lists/* -fR
 # Add peertube user
-RUN groupadd -g 991 peertube \
+RUN groupadd -r peertube \
-    && useradd -u 991 -g peertube -m peertube
+    && useradd -r -g peertube -m peertube
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.10
+RUN set -ex; \
+    \
+    fetchDeps='ca-certificates wget'; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends $fetchDeps; \
+    rm -rf /var/lib/apt/lists/*; \
+    \
+    dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+    wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+    wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+    export GNUPGHOME="$(mktemp -d)"; \
+    gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+    gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+    rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+    chmod +x /usr/local/bin/gosu; \
+    gosu nobody true; \
+    \
+    apt-get purge -y --auto-remove wget
 # Download the latest version
 RUN git clone https://github.com/Chocobozzz/PeerTube /app \
@@ -25,7 +57,13 @@ RUN cp /app/config/default.yaml /app/support/docker/production/config/default.ya
 ENV NODE_ENV production
 ENV NODE_CONFIG_DIR /app/support/docker/production/config
+USER root
+RUN mkdir /data && chown peertube:peertube /data
+VOLUME /data
+COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
 # Run the application
 CMD ["npm", "start"]
-VOLUME ["/data"]
 EXPOSE 9000
diff --git a/support/docker/production/docker-entrypoint.sh b/support/docker/production/docker-entrypoint.sh
new file mode 100644
index 000000000..79f0e60f6
--- /dev/null
+++ b/support/docker/production/docker-entrypoint.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+# first arg is `-f` or `--some-option`
+# or first arg is `something.conf`
+if [ "${1#-}" != "$1" ] || [ "${1%.conf}" != "$1" ]; then
+        set -- npm "$@"
+fi
+# allow the container to be started with `--user`
+if [ "$1" = 'npm' -a "$(id -u)" = '0' ]; then
+        chown -R peertube: /data
+        exec gosu peertube "$0" "$@"
+fi
+exec "$@"
author	Florent Poinsaut <florent@poinsaut.fr>	2018-04-15 22:28:05 +0200
committer	Chocobozzz <me@florianbigard.com>	2018-04-16 09:33:49 +0200
commit	399d20eae6ec4e7a7fda1afd0e8b1a11a2cb1714 (patch)
tree	bdcfae14155f42e6ad8b3779ad8a7b50a2a9a2a4 /support/docker/production
parent	864e782bc2306f7154a185361ebf94e6e86472e8 (diff)
download	PeerTube-399d20eae6ec4e7a7fda1afd0e8b1a11a2cb1714.tar.gz PeerTube-399d20eae6ec4e7a7fda1afd0e8b1a11a2cb1714.tar.zst PeerTube-399d20eae6ec4e7a7fda1afd0e8b1a11a2cb1714.zip

diff --git a/support/docker/production/Dockerfile.stretch b/support/docker/production/Dockerfile.stretch index b1905b3a8..bf2bae510 100644 --- a/support/docker/production/Dockerfile.stretch +++ b/support/docker/production/Dockerfile.stretch
@@ -1,13 +1,45 @@
1	FROM node:8-stretch	1	FROM node:8-stretch
2		2
		3	RUN set -ex; \
		4	if ! command -v gpg > /dev/null; then \
		5	apt-get update; \
		6	apt-get install -y --no-install-recommends \
		7	gnupg \
		8	dirmngr \
		9	; \
		10	rm -rf /var/lib/apt/lists/*; \
		11	fi
		12
3	# Install dependencies	13	# Install dependencies
4	RUN apt-get update \	14	RUN apt-get update \
5	&& apt-get -y install ffmpeg \	15	&& apt-get -y install ffmpeg \
6	&& rm /var/lib/apt/lists/* -fR	16	&& rm /var/lib/apt/lists/* -fR
7		17
8	# Add peertube user	18	# Add peertube user
9	RUN groupadd -g 991 peertube \	19	RUN groupadd -r peertube \
10	&& useradd -u 991 -g peertube -m peertube	20	&& useradd -r -g peertube -m peertube
		21
		22	# grab gosu for easy step-down from root
		23	# https://github.com/tianon/gosu/releases
		24	ENV GOSU_VERSION 1.10
		25	RUN set -ex; \
		26	\
		27	fetchDeps='ca-certificates wget'; \
		28	apt-get update; \
		29	apt-get install -y --no-install-recommends $fetchDeps; \
		30	rm -rf /var/lib/apt/lists/*; \
		31	\
		32	dpkgArch="$(dpkg --print-architecture \| awk -F- '{ print $NF }')"; \
		33	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
		34	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
		35	export GNUPGHOME="$(mktemp -d)"; \
		36	gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
		37	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
		38	rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc; \
		39	chmod +x /usr/local/bin/gosu; \
		40	gosu nobody true; \
		41	\
		42	apt-get purge -y --auto-remove wget
11		43
12	# Download the latest version	44	# Download the latest version
13	RUN git clone https://github.com/Chocobozzz/PeerTube /app \	45	RUN git clone https://github.com/Chocobozzz/PeerTube /app \
@@ -25,7 +57,13 @@ RUN cp /app/config/default.yaml /app/support/docker/production/config/default.ya
25	ENV NODE_ENV production	57	ENV NODE_ENV production
26	ENV NODE_CONFIG_DIR /app/support/docker/production/config	58	ENV NODE_CONFIG_DIR /app/support/docker/production/config
27		59
		60	USER root
		61	RUN mkdir /data && chown peertube:peertube /data
		62	VOLUME /data
		63
		64	COPY docker-entrypoint.sh /usr/local/bin/
		65	ENTRYPOINT ["docker-entrypoint.sh"]
		66
28	# Run the application	67	# Run the application
29	CMD ["npm", "start"]	68	CMD ["npm", "start"]
30	VOLUME ["/data"]
31	EXPOSE 9000	69	EXPOSE 9000


diff --git a/support/docker/production/docker-entrypoint.sh b/support/docker/production/docker-entrypoint.sh new file mode 100644 index 000000000..79f0e60f6 --- /dev/null +++ b/support/docker/production/docker-entrypoint.sh
@@ -0,0 +1,16 @@
		1	#!/bin/sh
		2	set -e
		3
		4	# first arg is `-f` or `--some-option`
		5	# or first arg is `something.conf`
		6	if [ "${1#-}" != "$1" ] \|\| [ "${1%.conf}" != "$1" ]; then
		7	set -- npm "$@"
		8	fi
		9
		10	# allow the container to be started with `--user`
		11	if [ "$1" = 'npm' -a "$(id -u)" = '0' ]; then
		12	chown -R peertube: /data
		13	exec gosu peertube "$0" "$@"
		14	fi
		15
		16	exec "$@"