Improve docker entrypoint to work rootless

* The previous behavior required root privileges on start; now root is
optional (when run in rootless mode with --user). In that case the user has
to ensure the correct ownership is already set for existing data.

* Furthermore, it is now possible to choose to keep root privileges by
setting KEEP_PRIVILEGES to something non-empty.

* This also renames abc user to changedetection (nicer).
pull/722/head
jeanluc 3 years ago
parent 12d26c6667
commit a48b75d4ac
No known key found for this signature in database
GPG Key ID: 3EB52D4C754CD898

@ -50,8 +50,8 @@ RUN set -ex; \
zlib1g && \ zlib1g && \
apt-get clean && \ apt-get clean && \
rm -rf /var/lib/apt/lists/*; \ rm -rf /var/lib/apt/lists/*; \
useradd -u 911 -U -d /datastore -s /bin/false abc && \ useradd -u 911 -U -d /datastore -s /bin/false changedetection && \
usermod -G users abc; \ usermod -G users changedetection; \
mkdir -p /datastore mkdir -p /datastore
# https://stackoverflow.com/questions/58701233/docker-logs-erroneously-appears-empty-until-container-stops # https://stackoverflow.com/questions/58701233/docker-logs-erroneously-appears-empty-until-container-stops
@ -68,7 +68,7 @@ EXPOSE 5000
# The entrypoint script handling PUID/PGID and permissions # The entrypoint script handling PUID/PGID and permissions
COPY docker-entrypoint.sh /app/docker-entrypoint.sh COPY docker-entrypoint.sh /app/docker-entrypoint.sh
RUN chmod u+x /app/docker-entrypoint.sh RUN chmod 777 /app/docker-entrypoint.sh
# The actual flask app module # The actual flask app module
COPY changedetectionio /app/changedetectionio COPY changedetectionio /app/changedetectionio
@ -81,4 +81,5 @@ ARG LOGGER_LEVEL=''
ENV LOGGER_LEVEL "$LOGGER_LEVEL" ENV LOGGER_LEVEL "$LOGGER_LEVEL"
WORKDIR /app WORKDIR /app
CMD ["/app/docker-entrypoint.sh"] ENTRYPOINT ["/app/docker-entrypoint.sh"]
CMD ["python", "./changedetection.py", "-d", "/datastore"]
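Review bot: The new `RUN chmod 777 /app/docker-entrypoint.sh` on line 29 makes the entrypoint world-writable, which is more than the rootless change needs: the only thing missing from the old `u+x` was the execute bit for non-owner users. Because the script is still the ENTRYPOINT and still runs as root whenever the container is not started with --user, any process that gains write access as the application user could edit it and have its code run as root on the next container start. `RUN chmod 755 /app/docker-entrypoint.sh` gives every user execute without the write bit.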

@ -1,11 +1,27 @@
#!/bin/bash #!/bin/bash
PUID=${PUID:-911} set -eu
PGID=${PGID:-911}
groupmod -o -g "$PGID" abc # If the first argument looks like a flag, assume we want to run changedetection
usermod -o -u "$PUID" abc if [ "${1:0:1}" = '-' ]; then
set -- python ./changedetection.py -d /datastore "$@"
fi
chown -R abc:abc /datastore # If we're running as root, by default make sure process uid/gid
# and datadir permissions are correct. This can be skipped by setting
# KEEP_PRIVILEGES to something non-empty.
if [ "$(id -u)" = '0' -a -n "${KEEP_PRIVILEGES:-}" ]; then
PUID=${PUID:-911}
PGID=${PGID:-911}
exec gosu abc:abc python ./changedetection.py -d /datastore groupmod -o -g "$PGID" changedetection
usermod -o -u "$PUID" changedetection
# Look for files in datadir not owned by the correct user and chown them
find "/datastore" \! -user changedetection -exec chown changedetection '{}' +
# Restart this script as an unprivileged user
exec gosu changedetection:changedetection "$BASH_SOURCE" "$@"
fi
exec "$@"
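Review bot: The test on line 49, `-n "${KEEP_PRIVILEGES:-}"`, is inverted relative to the comment above it and to the commit message: the block that switches to the changedetection user and fixes datastore ownership runs only when KEEP_PRIVILEGES is set, so a plain root start keeps root and skips the chown, while setting KEEP_PRIVILEGES drops privileges. It should read `if [ "$(id -u)" = '0' ] && [ -z "${KEEP_PRIVILEGES:-}" ]; then` (or the `[[ ... && ... ]]` form, since the shebang is bash and `-a` inside `[` is deprecated). Separately, `${1:0:1}` on line 43 appears to trip `set -u` when the script is started with no arguments at all; the default CMD avoids that, but a `case "${1:-}" in -*) set -- python ./changedetection.py -d /datastore "$@" ;; esac` guard would make the flag detection robust to an empty argument list as well.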
