Merge branch 'devops/non-root-container-qol' into 'dev'

QoL Improvements to non-root container

See merge request crafty-controller/crafty-commander!195

Dockerfile

@@ -8,13 +8,14 @@ LABEL maintainer="Dockerfile created by Zedifus <https://gitlab.com/zedifus>"
 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
 
 # Create non-root user & required dirs
-RUN useradd -M crafty \
+RUN useradd -g root -M crafty \
     && mkdir /commander \
     && chown -R crafty:root /commander
 
 # Install required system packages
 RUN apt-get update \
     && apt-get -y --no-install-recommends install \
+        sudo \
         gcc \
         python3 \
         python3-dev \
@@ -38,6 +39,7 @@ RUN python3 -m venv ./.venv \
     && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \
     && pip3 install --no-cache-dir -r requirements.txt \
     && deactivate
+USER root
 
 # Copy Source w/ perms & prepare default config from example
 COPY --chown=crafty:root ./ ./

README.md

@@ -25,7 +25,7 @@ With `Crafty Controller 4.0` we have focused on building our DevOps Principles,
 
 ### - Two big changes you will notice is:
 - We now provide pre-built images for you guys.
-- Containers now run as non-root, using practices used by OpenSwift & Kubernetes (root group perms).
+- Containers now run as non-root, using practices used by OpenShift & Kubernetes (root group perms).
 
 
 > __**⚠ 🔻WARNING: [WSL/WSL2 | WINDOWS 11 | DOCKER DESKTOP]🔻**__ <br>
@@ -39,11 +39,8 @@ With `Crafty Controller 4.0` we have focused on building our DevOps Principles,
 All you need to do is pull the image from this git repository's registry.
 This is done by using `'docker-compose'` or `'docker run'` (You don't need to clone the Repository and build, like in 3.x ).
 
-If you have a config folder already from previous local installation or _docker setup_*, the image should mount this volume, if no config present then it will populate its own config folder for you. <br> <br>
+If you have a config folder already from previous local installation or _docker setup_*, the image should mount this volume and fix the permission as required, if no config present then it will populate its own config folder for you. <br> <br>
 As the Dockerfile uses the permission structure of `crafty:root` **internally** there is no need to worry about matching the `UID` or `GID` on the host system :)
-> ***Make sure the ownership permissions on `servers/ backups/ logs/ configs/ imports/` in the `docker/` are not `root:root`, please just chown the dir recursively to your host user.**
-
-> **Please make sure if you are using a `compose` file, that the above volume mount directories are present, otherwise, docker will just make them and they'll be `root:root` which is not what we want.💀**
 
 <br>
 
@@ -81,9 +78,6 @@ $ cat ~/my_password.txt | docker login registry.gitlab.com -u <username> --passw
 Then use one of the following methods:
 ### **docker-compose.yml:**
 ```sh
-# We need to make them because of permissions remember!
-$ mkdir docker/ docker/backups docker/logs docker/servers docker/config docker/import
-
 # Make your compose file
 $ vim docker-compose.yml
 ```
@@ -116,9 +110,6 @@ $ docker-compose up -d && docker-compose logs -f
 
 ### **docker run:**
 ```sh
-# We need to make them because of permissions remember!
-$ mkdir docker/ docker/backups docker/logs docker/servers docker/config docker/import
-
 $ docker run \
 	--name crafty_commander \
 	-p 8000:8000 \

docker_launcher.sh

@@ -2,10 +2,32 @@
 
 # Check if config exists from existing installation (venv or previous docker launch)
 if [ ! "$(ls -A --ignore=.gitkeep ./app/config)" ]; then
-    mkdir ./app/config/
+    echo "Wrapper | Config not found, pulling defaults..."
+    mkdir ./app/config/ 2> /dev/null
     cp -r ./app/config_original/* ./app/config/
 fi
 
-# Activate our prepared venv and launch crafty with provided args
-. .venv/bin/activate
-exec python3 main.py $@
+
+if [ $(id -u) -eq 0 ]; then
+    # We're running as root;
+    # Need to ensure all dirs are owned by the root group,
+    # This fixes bind mounts that may have incorrect perms.
+
+    # Look for files & dirs that require group permissions to be fixed
+    echo "Wrapper | Looking for problem bind mount permissions"
+    find . ! -group root -exec chgrp root {} \;
+    find . ! -perm g+rw -exec chmod g+rw {} \;
+    find . -type d ! -perm g+s -exec chmod g+s {} \;
+
+    # Switch user, activate our prepared venv and lauch crafty
+    args="$@"
+    echo "Wrapper | Launching crafty with [$args]"
+    exec sudo -u crafty bash -c "source ./.venv/bin/activate && exec python3 main.py $args"
+else
+    # Activate our prepared venv
+    echo "Wrapper | Non-root host detected, using normal exec"
+    . ./.venv/bin/activate
+    # Use exec as our perms are already correct
+    # This is likely if using Kubernetes/OpenShift etc
+    exec python3 main.py $@
+fi