public-offering
/
pad.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docker: Set the home directory for the user 

Before this change, the docker user had home in a directory it had no
permissions on. The inability of creating a cache directory in `$HOME`
prevented npm to work properly.

Additionally, the `node_modules` in the base working directory had its
owner set to root, preventing further changes.

With this change, the `etherpad` user has a home directory.
Additionally, `npm i` is now run by `etherpad` rather than the root
user; this way, it is possible to dynamically change the `node_modules`
content in day 2 operations.

Note that while switching to the `useradd` builtin, a conflict was
discovered with the GID 65534 that was previously used. This change is
changing the `etherpad` user's UID to 5001 to avoid said conflict. As a
consequence, a `chmod -R 5001:5001` must be run prior to attaching
volumes created from previous Etherpad versions.
pull/3678/head
Pierre Prinetti 2019-12-01 15:08:20 +01:00 committed by muxator
parent 0a86024797
commit 50142f6580
1 changed files with 12 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
Dockerfile
View File

@ -19,9 +19,19 @@ ARG ETHERPAD_PLUGINS=
# this can be done with build args (and is mandatory to build ARM version) # this can be done with build args (and is mandatory to build ARM version)
ENV NODE_ENV=development ENV NODE_ENV=development
# Follow the principle of least privilege: run as unprivileged user.
#
# Running as non-root enables running this image in platforms like OpenShift
# that do not allow images running as root.
RUN useradd --uid 5001 --create-home etherpad
RUN mkdir /opt/etherpad-lite && chown etherpad:etherpad /opt/etherpad-lite
USER etherpad:etherpad
WORKDIR /opt/etherpad-lite WORKDIR /opt/etherpad-lite
COPY ./ ./ COPY --chown=etherpad:etherpad ./ ./
# install node dependencies for Etherpad # install node dependencies for Etherpad
RUN bin/installDeps.sh && \ RUN bin/installDeps.sh && \
@ -34,18 +44,7 @@ RUN bin/installDeps.sh && \
RUN for PLUGIN_NAME in ${ETHERPAD_PLUGINS}; do npm install "${PLUGIN_NAME}"; done RUN for PLUGIN_NAME in ${ETHERPAD_PLUGINS}; do npm install "${PLUGIN_NAME}"; done
# Copy the configuration file. # Copy the configuration file.
COPY ./settings.json.docker /opt/etherpad-lite/settings.json COPY --chown=etherpad:etherpad ./settings.json.docker /opt/etherpad-lite/settings.json
# Follow the principle of least privilege: run as unprivileged user.
#
# Running as non-root enables running this image in platforms like OpenShift
# that do not allow images running as root.
RUN \
echo 'etherpad:x:65534:65534:etherpad:/:' > /etc/passwd && \
echo 'etherpad:x:65534:' > /etc/group && \
chown -R etherpad:etherpad ./
USER etherpad:etherpad
EXPOSE 9001 EXPOSE 9001
CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"] CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"]