diff --git a/Dockerfile b/Dockerfile
index d835958d..140d5122 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,13 +8,14 @@ LABEL maintainer="Dockerfile created by Zedifus "
 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
 # Create non-root user & required dirs
-RUN useradd -M crafty \
+RUN useradd -g root -M crafty \
 && mkdir /commander \
 && chown -R crafty:root /commander
 # Install required system packages
 RUN apt-get update \
 && apt-get -y --no-install-recommends install \
+ sudo \
 gcc \
 python3 \
 python3-dev \
@@ -38,6 +39,7 @@ RUN python3 -m venv ./.venv \
 && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \
 && pip3 install --no-cache-dir -r requirements.txt \
 && deactivate
+USER root
 # Copy Source w/ perms & prepare default config from example
 COPY --chown=crafty:root ./ ./
diff --git a/README.md b/README.md
index d5e8ccf4..b3a05c58 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ With `Crafty Controller 4.0` we have focused on building our DevOps Principles,
 ### - Two big changes you will notice is:
 - We now provide pre-built images for you guys.
-- Containers now run as non-root, using practices used by OpenSwift & Kubernetes (root group perms).
+- Containers now run as non-root, using practices used by OpenShift & Kubernetes (root group perms).
 > __**⚠ 🔻WARNING: [WSL/WSL2 | WINDOWS 11 | DOCKER DESKTOP]🔻**__
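Review bot: `USER root` in the second hunk makes root the image's final user, so anything that starts from this image — a custom `--entrypoint`, a `docker exec`, or a pod spec without `runAsUser` — runs as root, and the drop to `crafty` now depends entirely on docker_launcher.sh reaching its `sudo -u crafty` line; the directive deserves a comment saying so, e.g. `# Stay root only so docker_launcher.sh can fix bind-mount group perms; it drops to crafty via sudo before exec`. In the first hunk `useradd -g root` gives crafty root as its primary group, which together with the launcher's `g+rw` fix-up is what lets the app write to the mounts, but it also makes the whole tree under /commander, the copied source included, writable by the app process; that trust boundary should be stated next to the useradd line or in the README. Adding `sudo` only so root can drop to an unprivileged user puts an extra setuid binary in the image; if `runuser` or `su` from the base image can do the same, that avoids it, and otherwise a comment on the `sudo \` line should record why it is needed.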
@@ -39,11 +39,8 @@ With `Crafty Controller 4.0` we have focused on building our DevOps Principles,
 All you need to do is pull the image from this git repository's registry. This is done by using `'docker-compose'` or `'docker run'` (You don't need to clone the Repository and build, like in 3.x ).
-If you have a config folder already from previous local installation or _docker setup_*, the image should mount this volume, if no config present then it will populate its own config folder for you.

+If you have a config folder already from previous local installation or _docker setup_*, the image should mount this volume and fix the permission as required, if no config present then it will populate its own config folder for you.

 As the Dockerfile uses the permission structure of `crafty:root` **internally** there is no need to worry about matching the `UID` or `GID` on the host system :)
-> ***Make sure the ownership permissions on `servers/ backups/ logs/ configs/ imports/` in the `docker/` are not `root:root`, please just chown the dir recursively to your host user.**
-
-> **Please make sure if you are using a `compose` file, that the above volume mount directories are present, otherwise, docker will just make them and they'll be `root:root` which is not what we want.💀**
@@ -81,9 +78,6 @@ $ cat ~/my_password.txt | docker login registry.gitlab.com -u --passw
 Then use one of the following methods:
 ### **docker-compose.yml:**
 ```sh
-# We need to make them because of permissions remember!
-$ mkdir docker/ docker/backups docker/logs docker/servers docker/config docker/import
-
 # Make your compose file
 $ vim docker-compose.yml
 ```
@@ -116,9 +110,6 @@ $ docker-compose up -d && docker-compose logs -f
 ### **docker run:**
 ```sh
-# We need to make them because of permissions remember!
-$ mkdir docker/ docker/backups docker/logs docker/servers docker/config docker/import
-
 $ docker run \
 --name crafty_commander \
 -p 8000:8000 \
diff --git a/docker_launcher.sh b/docker_launcher.sh
index 08fc81cc..3a14a2d0 100644
--- a/docker_launcher.sh
+++ b/docker_launcher.sh
@@ -2,10 +2,32 @@
 # Check if config exists from existing installation (venv or previous docker launch)
 if [ ! "$(ls -A --ignore=.gitkeep ./app/config)" ]; then
- mkdir ./app/config/
+ echo "Wrapper | Config not found, pulling defaults..."
+ mkdir ./app/config/ 2> /dev/null
 cp -r ./app/config_original/* ./app/config/
 fi
-# Activate our prepared venv and launch crafty with provided args
-. .venv/bin/activate
-exec python3 main.py $@
+
+if [ $(id -u) -eq 0 ]; then
+ # We're running as root;
+ # Need to ensure all dirs are owned by the root group,
+ # This fixes bind mounts that may have incorrect perms.
+
+ # Look for files & dirs that require group permissions to be fixed
+ echo "Wrapper | Looking for problem bind mount permissions"
+ find . ! -group root -exec chgrp root {} \;
+ find . ! -perm g+rw -exec chmod g+rw {} \;
+ find . -type d ! -perm g+s -exec chmod g+s {} \;
+
+ # Switch user, activate our prepared venv and lauch crafty
+ args="$@"
+ echo "Wrapper | Launching crafty with [$args]"
+ exec sudo -u crafty bash -c "source ./.venv/bin/activate && exec python3 main.py $args"
+else
+ # Activate our prepared venv
+ echo "Wrapper | Non-root host detected, using normal exec"
+ . ./.venv/bin/activate
+ # Use exec as our perms are already correct
+ # This is likely if using Kubernetes/OpenShift etc
+ exec python3 main.py $@
+fi
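Review bot: `args="$@"` followed by `bash -c "... main.py $args"` in the root branch flattens the arguments into one string that the inner bash re-splits, re-globs and re-evaluates, so any argument containing whitespace, quotes or other shell-significant characters reaches main.py differently than it does in the non-root branch; pass them through as positional parameters instead: `exec sudo -u crafty bash -c 'source ./.venv/bin/activate && exec python3 main.py "$@"' crafty "$@"`. The two `-perm` tests also do not express what the comment says: with GNU find, `-perm g+rw` without a leading `-` is an exact-mode match (0060), so `! -perm g+rw` selects almost every file and the chmod runs over the whole tree on every start; `! -perm -g+rw` and `! -perm -g+s` test for the missing bits. Because `chgrp` and `chmod` dereference symlinks by default, a symlink inside a bind mount would have its target's group and mode rewritten by this root-run pass, which can reach outside the mounted tree; adding `! -type l` to the three `find` invocations (or `chgrp -h`) keeps the fix-up within it, and `-exec … +` instead of `\;` avoids one process per file. The unquoted `$(id -u)` in the `if` test and the `$@` in the final `exec` should be `"$(id -u)"` and `"$@"` for the same word-splitting reason.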