Use sudo to drop perms to non-root
This commit is contained in:
parent
cc52fdeb83
commit
57bdeac2c2
@ -8,13 +8,14 @@ LABEL maintainer="Dockerfile created by Zedifus <https://gitlab.com/zedifus>"
|
|||||||
ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
|
ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
|
||||||
|
|
||||||
# Create non-root user & required dirs
|
# Create non-root user & required dirs
|
||||||
RUN useradd -M crafty \
|
RUN useradd -g root -M crafty \
|
||||||
&& mkdir /commander \
|
&& mkdir /commander \
|
||||||
&& chown -R crafty:root /commander
|
&& chown -R crafty:root /commander
|
||||||
|
|
||||||
# Install required system packages
|
# Install required system packages
|
||||||
RUN apt-get update \
|
RUN apt-get update \
|
||||||
&& apt-get -y --no-install-recommends install \
|
&& apt-get -y --no-install-recommends install \
|
||||||
|
sudo \
|
||||||
gcc \
|
gcc \
|
||||||
python3 \
|
python3 \
|
||||||
python3-dev \
|
python3-dev \
|
||||||
@ -38,6 +39,7 @@ RUN python3 -m venv ./.venv \
|
|||||||
&& pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \
|
&& pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \
|
||||||
&& pip3 install --no-cache-dir -r requirements.txt \
|
&& pip3 install --no-cache-dir -r requirements.txt \
|
||||||
&& deactivate
|
&& deactivate
|
||||||
|
USER root
|
||||||
|
|
||||||
# Copy Source w/ perms & prepare default config from example
|
# Copy Source w/ perms & prepare default config from example
|
||||||
COPY --chown=crafty:root ./ ./
|
COPY --chown=crafty:root ./ ./
|
||||||
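Review bot: `USER root` added at the end of the second hunk leaves root as the image's default user, so the drop to `crafty` now happens only inside the launcher script; anything that bypasses it (`docker run --entrypoint`, `docker exec`, an orchestrator that supplies its own command) runs as root, and the `sudo` package added in the first hunk stays in the runtime image as a setuid binary (hadolint DL3004). If root at start-up is needed only so the launcher can repair bind-mount ownership, a comment next to `USER root` should say so, e.g. `# Stay root: the launcher fixes bind-mount perms, then drops to crafty via sudo`. A non-setuid drop tool such as `setpriv` (util-linux) or `gosu` would avoid shipping sudo at all, though whether util-linux is present in this base image is not visible here. The `RUN python3 -m venv` instruction that `USER root` follows begins before the hunk.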
|
@ -2,10 +2,32 @@
|
|||||||
|
|
||||||
# Check if config exists from existing installation (venv or previous docker launch)
|
# Check if config exists from existing installation (venv or previous docker launch)
|
||||||
if [ ! "$(ls -A --ignore=.gitkeep ./app/config)" ]; then
|
if [ ! "$(ls -A --ignore=.gitkeep ./app/config)" ]; then
|
||||||
mkdir ./app/config/
|
echo "Wrapper | Config not found, pulling defaults..."
|
||||||
|
mkdir ./app/config/ 2> /dev/null
|
||||||
cp -r ./app/config_original/* ./app/config/
|
cp -r ./app/config_original/* ./app/config/
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Activate our prepared venv and launch crafty with provided args
|
|
||||||
. .venv/bin/activate
|
if [ $(id -u) -eq 0 ]; then
|
||||||
|
# We're running as root;
|
||||||
|
# Need to ensure all dirs are owned by the root group,
|
||||||
|
# This fixes bind mounts that may have incorrect perms.
|
||||||
|
|
||||||
|
# Look for files & dirs that require group permissions to be fixed
|
||||||
|
echo "Wrapper | Looking for problem bind mount permissions"
|
||||||
|
find . ! -group root -exec chgrp root {} \;
|
||||||
|
find . ! -perm g+rw -exec chmod g+rw {} \;
|
||||||
|
find . -type d ! -perm g+s -exec chmod g+s {} \;
|
||||||
|
|
||||||
|
# Switch user, activate our prepared venv and lauch crafty
|
||||||
|
args="$@"
|
||||||
|
echo "Wrapper | Launching crafty with [$args]"
|
||||||
|
exec sudo -u crafty bash -c "source ./.venv/bin/activate && exec python3 main.py $args"
|
||||||
|
else
|
||||||
|
# Activate our prepared venv
|
||||||
|
echo "Wrapper | Non-root host detected, using normal exec"
|
||||||
|
. ./.venv/bin/activate
|
||||||
|
# Use exec as our perms are already correct
|
||||||
|
# This is likely if using Kubernetes/OpenShift etc
|
||||||
exec python3 main.py $@
|
exec python3 main.py $@
|
||||||
|
fi
|
||||||
|
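Review bot: `exec sudo -u crafty bash -c "source ./.venv/bin/activate && exec python3 main.py $args"` flattens the arguments into a string (`args="$@"`) that the inner bash re-parses, so an argument containing spaces, quotes or `;` is re-split or evaluated as shell instead of being passed to crafty intact. Passing the argv vector directly removes both the re-parsing and the inner shell: `exec sudo -u crafty ./.venv/bin/python3 main.py "$@"` (a venv's own interpreter resolves its site-packages, so sourcing `activate` is unnecessary). Note also that sudo's default `env_reset` on Debian discards most environment variables, so values such as `LOG4J_FORMAT_MSG_NO_LOOKUPS` set in the Dockerfile may not reach the crafty process unless `--preserve-env` (or a sudoers `env_keep`) is used — worth confirming against the image's sudoers. Separately, `chgrp root {}` and `chmod g+rw {}` in the `find` loops follow symlinks, so a symlink inside the bind mount alters its target's group or mode rather than the link; `chgrp -h` and adding `! -type l` to the chmod passes keep the fix-up inside the tree. The non-root branch's `exec python3 main.py $@` has the same unquoted-argument problem and should use `"$@"` too.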