Merge pull request #2 from mshuler/docker-as-user

Run container build steps as non-root user

Author: mshuler

Dockerfile

@@ -1,5 +1,18 @@
 FROM debian:stretch
 
+# Set up non-root user, 'build', with default uid:gid
+# This allows passing --build-arg to use local host user's uid:gid:
+#   $ docker-compose build \
+#     --build-arg UID=$(id -u) \
+#     --build-arg GID=$(id -g) \
+#     cassandra-website
+ARG UID=1000
+ARG GID=1000
+RUN echo "Setting up user 'build' with UID=${UID} GID=${GID}"
+RUN groupadd --gid $GID --non-unique build
+RUN useradd --create-home --shell /bin/bash \
+    --uid $UID --gid $GID --non-unique build
+
 # Install tools
 RUN apt-get update && \
     apt-get install -y \
@@ -26,16 +39,18 @@ RUN gem install bundler && \
     bundle install && \
     rm /Gemfile /Gemfile.lock
 
-ENV CASSANDRA_DIR="/usr/src/cassandra"
+# Run as build user from here
+USER build
+
+ENV CASSANDRA_DIR="/home/build/cassandra"
 
 # Setup repositories to building the docs
-RUN mkdir -p /usr/src/cassandra-site && \
+RUN mkdir -p /home/build/cassandra-site && \
     git clone https://gitbox.apache.org/repos/asf/cassandra.git ${CASSANDRA_DIR}
 
 EXPOSE 4000/tcp
 
-COPY docker-entrypoint.sh /
-RUN chmod +x /docker-entrypoint.sh
-ENTRYPOINT ["/docker-entrypoint.sh"]
+COPY docker-entrypoint.sh /home/build/
+ENTRYPOINT ["/home/build/docker-entrypoint.sh"]
 
 CMD [""]

README.md

@@ -27,6 +27,13 @@ $ docker-compose build cassandra-website
 $ docker-compose run cassandra-website
 ```
 
+:warning: *Tip:* In order to prevent root-owned modified files in your repository, the container user, `build`, is set up with a default UID=1000:GID=1000, which is usually the first user configured on a linux machine. If your local user is different you should set up the container user with your local host user's UID:GID, replace the above with:
+
+```bash
+$ docker-compose build --build-arg UID=$(id -u) --build-arg GID=$(id -g) cassandra-website
+$ docker-compose run cassandra-website
+```
+
 Go make yourself a cup of coffee, this will take a while...
 
 Once building has completed, the site content will be in the `./cassandra-website/content` directory ready to be committed.

docker-compose.yml

@@ -4,20 +4,22 @@ services:
   cassandra-website:
     build: .
     image: cassandra-website:latest
+    user: build
     volumes:
-      - ./src:/usr/src/cassandra-site/src
-      - ./content:/usr/src/cassandra-site/publish
+      - ./src:/home/build/cassandra-site/src
+      - ./content:/home/build/cassandra-site/publish
 
   cassandra-website-serve:
     build: .
     image: cassandra-website:latest
-    entrypoint: /docker-entrypoint-jekyll-serve.sh
+    user: build
+    entrypoint: /home/build/docker-entrypoint-jekyll-serve.sh
     ports:
       - 4000:4000
     volumes:
-      - ./src:/usr/src/cassandra-site/src
-      - ./content:/usr/src/cassandra-site/publish
-      - ./docker-entrypoint-jekyll-serve.sh:/docker-entrypoint-jekyll-serve.sh
+      - ./src:/home/build/cassandra-site/src
+      - ./content:/home/build/cassandra-site/publish
+      - ./docker-entrypoint-jekyll-serve.sh:/home/build/docker-entrypoint-jekyll-serve.sh
 
   preview:
     image: nginx
@@ -27,5 +29,3 @@ services:
       - "./content:/usr/share/nginx/html"
     command: [nginx-debug, '-g', 'daemon off;']
 
-
-

docker-entrypoint-jekyll-serve.sh

@@ -2,6 +2,8 @@
 
 set -e
 
+export CASSANDRA_SITE_DIR="/home/build/cassandra-site"
+
 GREEN='\033[1;32m'
 YELLOW='\033[0;33m'
 NC='\033[0m' # No Color
@@ -10,11 +12,11 @@ NC='\033[0m' # No Color
 # version in the publish directory
 while [ 1 ]
 do
-    sed -i 's/\.\/\.\.\//\.\/\.\.\/\.\.\//g' /usr/src/cassandra-site/publish/doc/*/index.html
+    sed -i 's/\.\/\.\.\//\.\/\.\.\/\.\.\//g' ${CASSANDRA_SITE_DIR}/publish/doc/*/index.html
     sleep 5
 done &
 
-cd /usr/src/cassandra-site/src
+cd ${CASSANDRA_SITE_DIR}/src
 
 JEKYLL_COMMAND="jekyll serve --host 0.0.0.0"
 

docker-entrypoint.sh

@@ -2,7 +2,7 @@
 
 set -xe
 
-export CASSANDRA_SITE_DIR="/usr/src/cassandra-site"
+export CASSANDRA_SITE_DIR="/home/build/cassandra-site"
 
 jekyll --version