diff --git a/docker/Dockerfile b/docker/Dockerfile index 564f838a..b1cd31a2 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -10,9 +10,13 @@ ARG BUILD_VERSION ARG BUILD_COMMIT ARG BUILD_DATE +# See: https://github.com/just-containers/s6-overlay/blob/master/README.md ENV SUPPRESS_NO_CONFIG_WARNING=1 \ - S6_FIX_ATTRS_HIDDEN=1 \ S6_BEHAVIOUR_IF_STAGE2_FAILS=1 \ + S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \ + S6_FIX_ATTRS_HIDDEN=1 \ + S6_KILL_FINISH_MAXTIME=10000 \ + S6_VERBOSITY=1 \ NODE_ENV=production \ NPM_BUILD_VERSION="${BUILD_VERSION}" \ NPM_BUILD_COMMIT="${BUILD_COMMIT}" \ diff --git a/docker/dev/Dockerfile b/docker/dev/Dockerfile index 833f1003..749ac343 100644 --- a/docker/dev/Dockerfile +++ b/docker/dev/Dockerfile @@ -1,9 +1,13 @@ FROM jc21/nginx-full:certbot-node LABEL maintainer="Jamie Curnow " -ENV S6_LOGGING=0 \ - SUPPRESS_NO_CONFIG_WARNING=1 \ - S6_FIX_ATTRS_HIDDEN=1 +# See: https://github.com/just-containers/s6-overlay/blob/master/README.md +ENV SUPPRESS_NO_CONFIG_WARNING=1 \ + S6_BEHAVIOUR_IF_STAGE2_FAILS=1 \ + S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \ + S6_FIX_ATTRS_HIDDEN=1 \ + S6_KILL_FINISH_MAXTIME=10000 \ + S6_VERBOSITY=2 RUN echo "fs.file-max = 65535" > /etc/sysctl.conf \ && apt-get update \ diff --git a/docker/docker-compose.ci.yml b/docker/docker-compose.ci.yml index 9f4edc00..209d2d0e 100644 --- a/docker/docker-compose.ci.yml +++ b/docker/docker-compose.ci.yml @@ -35,6 +35,7 @@ services: DB_SQLITE_FILE: '/data/mydb.sqlite' PUID: 1000 PGID: 1000 + DISABLE_IPV6: 'true' volumes: - npm_data:/data expose: diff --git a/docker/rootfs/bin/common.sh b/docker/rootfs/bin/common.sh index 0bc6468d..913dd3e1 100644 --- a/docker/rootfs/bin/common.sh +++ b/docker/rootfs/bin/common.sh @@ -12,6 +12,11 @@ export CYAN BLUE YELLOW RED RESET PUID=${PUID:-0} PGID=${PGID:-0} +NPMUSER=npm +NPMGROUP=npm +NPMHOME=/tmp/npmuserhome +export NPMUSER NPMGROUP NPMHOME + if [[ "$PUID" -ne '0' ]] && [ "$PGID" = '0' ]; then # set group id to same as user id, # the user probably forgot to specify the group id and @@ -40,3 +45,10 @@ log_fatal () { /run/s6/basedir/bin/halt exit 1 } + +# param $1: group_name +get_group_id () { + if [ "${1:-}" != '' ]; then + getent group "$1" | cut -d: -f3 + fi +} diff --git a/docker/rootfs/etc/nginx/nginx.conf b/docker/rootfs/etc/nginx/nginx.conf index c2ee97cc..82618337 100644 --- a/docker/rootfs/etc/nginx/nginx.conf +++ b/docker/rootfs/etc/nginx/nginx.conf @@ -1,7 +1,7 @@ # run nginx in foreground daemon off; pid /run/nginx/nginx.pid; -user npmuser; +user npm; # Set number of worker processes automatically based on number of CPU cores. worker_processes auto; diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run index e8ffa17c..19746169 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run @@ -10,12 +10,12 @@ cd /app || exit 1 log_info 'Starting backend ...' if [ "${DEVELOPMENT:-}" = 'true' ]; then - s6-setuidgid npmuser yarn install - exec s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js' + s6-setuidgid "$PUID:$PGID" yarn install + exec s6-setuidgid "$PUID:$PGID" bash -c "export HOME=$NPMHOME;node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js" else while : do - s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --abort_on_uncaught_exception --max_old_space_size=250 index.js' + s6-setuidgid "$PUID:$PGID" bash -c "export HOME=$NPMHOME;node --abort_on_uncaught_exception --max_old_space_size=250 index.js" sleep 1 done fi diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run index 1181c53e..e62f749c 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run @@ -8,14 +8,14 @@ set -e if [ "$DEVELOPMENT" = 'true' ]; then . /bin/common.sh cd /app/frontend || exit 1 - HOME=/tmp/npmuserhome + HOME=$NPMHOME export HOME mkdir -p /app/frontend/dist chown -R "$PUID:$PGID" /app/frontend/dist log_info 'Starting frontend ...' - s6-setuidgid npmuser yarn install - exec s6-setuidgid npmuser yarn watch + s6-setuidgid "$PUID:$PGID" yarn install + exec s6-setuidgid "$PUID:$PGID" yarn watch else exit 0 fi diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run index fa8c1fc5..b1bed7a4 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run @@ -6,4 +6,4 @@ set -e . /bin/common.sh log_info 'Starting nginx ...' -exec s6-setuidgid npmuser nginx +exec s6-setuidgid "$PUID:$PGID" nginx diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh index 1d5899e4..82fbefb1 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh @@ -9,7 +9,11 @@ if [ "$(id -u)" != "0" ]; then log_fatal "This docker container must be run as root, do not specify a user.\nYou can specify PUID and PGID env vars to run processes as that user and group after initialization." fi -. /etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh +if [ "$DEBUG" = "true" ]; then + set -x +fi + +. /etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh . /etc/s6-overlay/s6-rc.d/prepare/20-paths.sh . /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh . /etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh deleted file mode 100755 index c5cf5435..00000000 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/command/with-contenv bash -# shellcheck shell=bash - -set -e - -log_info 'Configuring npmuser ...' - -if id -u npmuser; then - # user already exists - usermod -u "$PUID" npmuser || exit 1 -else - # Add npmuser user - useradd -o -u "$PUID" -U -d /tmp/npmuserhome -s /bin/false npmuser || exit 1 -fi - -usermod -G "$PGID" npmuser || exit 1 -groupmod -o -g "$PGID" npmuser || exit 1 -# Home for npmuser -mkdir -p /tmp/npmuserhome -chown -R "$PUID:$PGID" /tmp/npmuserhome diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh new file mode 100755 index 00000000..ea100193 --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh @@ -0,0 +1,40 @@ +#!/command/with-contenv bash +# shellcheck shell=bash + +set -e + +log_info "Configuring $NPMUSER user ..." + +if id -u "$NPMUSER" 2>/dev/null; then + # user already exists + usermod -u "$PUID" "$NPMUSER" +else + # Add user + useradd -o -u "$PUID" -U -d "$NPMHOME" -s /bin/false "$NPMUSER" +fi + +log_info "Configuring $NPMGROUP group ..." +if [ "$(get_group_id "$NPMGROUP")" = '' ]; then + # Add group. This will not set the id properly if it's already taken + groupadd -f -g "$PGID" "$NPMGROUP" +else + groupmod -o -g "$PGID" "$NPMGROUP" +fi + +# Set the group ID and check it +groupmod -o -g "$PGID" "$NPMGROUP" +if [ "$(get_group_id "$NPMGROUP")" != "$PGID" ]; then + echo "ERROR: Unable to set group id properly" + exit 1 +fi + +# Set the group against the user and check it +usermod -G "$PGID" "$NPMGROUP" +if [ "$(id -g "$NPMUSER")" != "$PGID" ] ; then + echo "ERROR: Unable to set group against the user properly" + exit 1 +fi + +# Home for user +mkdir -p "$NPMHOME" +chown -R "$PUID:$PGID" "$NPMHOME" diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh index 684166e1..817c2c8e 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh @@ -8,17 +8,17 @@ log_info 'Setting ownership ...' # root chown root /tmp/nginx -# npmuser -chown -R "$PUID:$PGID" /data \ - /etc/letsencrypt \ - /run/nginx \ - /tmp/nginx \ - /var/cache/nginx \ - /var/lib/logrotate \ - /var/lib/nginx \ - /var/log/nginx +# npm user and group +chown -R "$PUID:$PGID" /data +chown -R "$PUID:$PGID" /etc/letsencrypt +chown -R "$PUID:$PGID" /run/nginx +chown -R "$PUID:$PGID" /tmp/nginx +chown -R "$PUID:$PGID" /var/cache/nginx +chown -R "$PUID:$PGID" /var/lib/logrotate +chown -R "$PUID:$PGID" /var/lib/nginx +chown -R "$PUID:$PGID" /var/log/nginx # Don't chown entire /etc/nginx folder as this causes crashes on some systems -chown -R "$PUID:$PGID" /etc/nginx/nginx \ - /etc/nginx/nginx.conf \ - /etc/nginx/conf.d +chown -R "$PUID:$PGID" /etc/nginx/nginx +chown -R "$PUID:$PGID" /etc/nginx/nginx.conf +chown -R "$PUID:$PGID" /etc/nginx/conf.d diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh index bc27eb14..76e9a651 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh @@ -1,8 +1,11 @@ -#!/bin/bash +#!/command/with-contenv bash +# shellcheck shell=bash # This command reads the `DISABLE_IPV6` env var and will either enable # or disable ipv6 in all nginx configs based on this setting. +set -e + log_info 'IPv6 ...' # Lowercase @@ -28,7 +31,7 @@ process_folder () { sed -E -i "$SED_REGEX" "$FILE" done - # ensure the files are still owned by the npmuser + # ensure the files are still owned by the npm user chown -R "$PUID:$PGID" "$1" } diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh index 7991ddf4..48ba6392 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh @@ -2,6 +2,7 @@ # shellcheck shell=bash set -e +set +x echo " ------------------------------------- @@ -11,7 +12,7 @@ echo " | |\ | __/| | | | |_| \_|_| |_| |_| ------------------------------------- -User ID: $PUID -Group ID: $PGID +User: $NPMUSER PUID:$PUID ID:$(id -u "$NPMUSER") GROUP:$(id -g "$NPMUSER") +Group: $NPMGROUP PGID:$PGID ID:$(get_group_id "$NPMGROUP") ------------------------------------- " diff --git a/docker/scripts/install-s6 b/docker/scripts/install-s6 index 5a5a9c9c..0681aed9 100755 --- a/docker/scripts/install-s6 +++ b/docker/scripts/install-s6 @@ -8,7 +8,7 @@ BLUE='\E[1;34m' GREEN='\E[1;32m' RESET='\E[0m' -S6_OVERLAY_VERSION=3.1.4.1 +S6_OVERLAY_VERSION=3.1.5.0 TARGETPLATFORM=${1:unspecified} # Determine the correct binary file for the architecture given