Small refactor of user/groups and add checks during startup. Only use -x in bash scripts when DEBUG=true set in env vars

2024-08-30 18:22:48 +00:00 · 2023-05-04 10:03:06 +10:00 · 2023-05-04 10:03:06 +10:00 · c432c34fb3
commit c432c34fb3
parent a1245bc161
14 changed files with 70 additions and 45 deletions
--- a/docker/rootfs/bin/common.sh
+++ b/docker/rootfs/bin/common.sh
@ -12,6 +12,11 @@ export CYAN BLUE YELLOW RED RESET
 PUID=${PUID:-0}
 PGID=${PGID:-0}

+NPMUSER=npm
+NPMGROUP=npm
+NPMHOME=/tmp/npmuserhome
+export NPMUSER NPMGROUP NPMHOME
+
 if [[ "$PUID" -ne '0' ]] && [ "$PGID" = '0' ]; then
 	# set group id to same as user id,
 	# the user probably forgot to specify the group id and
@ -40,3 +45,10 @@ log_fatal () {
 	/run/s6/basedir/bin/halt
 	exit 1
 }
+
+# param $1: group_name
+get_group_id () {
+	if [ "${1:-}" != '' ]; then
+		getent group "$1" | cut -d: -f3
+	fi
+}
--- a/docker/rootfs/etc/nginx/nginx.conf
+++ b/docker/rootfs/etc/nginx/nginx.conf
@ -1,7 +1,7 @@
 # run nginx in foreground
 daemon off;
 pid /run/nginx/nginx.pid;
-user npmuser;
+user npm;

 # Set number of worker processes automatically based on number of CPU cores.
 worker_processes auto;
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run
@ -12,12 +12,12 @@ cd /app || exit 1
 log_info 'Starting backend ...'

 if [ "${DEVELOPMENT:-}" = 'true' ]; then
-	s6-setuidgid npmuser yarn install
-	exec s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js'
+	s6-setuidgid "$PUID:$PGID" yarn install
+	exec s6-setuidgid "$PUID:$PGID" bash -c "export HOME=$NPMHOME;node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js"
 else
 	while :
 	do
-		s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --abort_on_uncaught_exception --max_old_space_size=250 index.js'
+		s6-setuidgid "$PUID:$PGID" bash -c "export HOME=$NPMHOME;node --abort_on_uncaught_exception --max_old_space_size=250 index.js"
 		sleep 1
 	done
 fi
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run
@ -8,14 +8,14 @@ set -e
 if [ "$DEVELOPMENT" = 'true' ]; then
 	. /bin/common.sh
 	cd /app/frontend || exit 1
-	HOME=/tmp/npmuserhome
+	HOME=$NPMHOME
 	export HOME
 	mkdir -p /app/frontend/dist
 	chown -R "$PUID:$PGID" /app/frontend/dist

 	log_info 'Starting frontend ...'
-	s6-setuidgid npmuser yarn install
-	exec s6-setuidgid npmuser yarn watch
+	s6-setuidgid "$PUID:$PGID" yarn install
+	exec s6-setuidgid "$PUID:$PGID" yarn watch
 else
 	exit 0
 fi
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
@ -6,4 +6,4 @@ set -e
 . /bin/common.sh

 log_info 'Starting nginx ...'
-exec s6-setuidgid npmuser nginx
+exec s6-setuidgid "$PUID:$PGID" nginx
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh
@ -9,7 +9,11 @@ if [ "$(id -u)" != "0" ]; then
 	log_fatal "This docker container must be run as root, do not specify a user.\nYou can specify PUID and PGID env vars to run processes as that user and group after initialization."
 fi

-. /etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh
+if [ "$DEBUG" = "true" ]; then
+	set -x
+fi
+
+. /etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh
 . /etc/s6-overlay/s6-rc.d/prepare/20-paths.sh
 . /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
 . /etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh
@ -1,22 +0,0 @@
-#!/command/with-contenv bash
-# shellcheck shell=bash
-
-set -e
-# verbose
-set -x
-
-log_info 'Configuring npmuser ...'
-
-if id -u npmuser; then
-	# user already exists
-	usermod -u "$PUID" npmuser || exit 1
-else
-	# Add npmuser user
-	useradd -o -u "$PUID" -U -d /tmp/npmuserhome -s /bin/false npmuser || exit 1
-fi
-
-usermod -G "$PGID" npmuser || exit 1
-groupmod -o -g "$PGID" npmuser || exit 1
-# Home for npmuser
-mkdir -p /tmp/npmuserhome
-chown -R "$PUID:$PGID" /tmp/npmuserhome
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh
@ -0,0 +1,40 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+set -e
+
+log_info "Configuring $NPMUSER user ..."
+
+if id -u "$NPMUSER" 2>/dev/null; then
+	# user already exists
+	usermod -u "$PUID" "$NPMUSER"
+else
+	# Add user
+	useradd -o -u "$PUID" -U -d "$NPMHOME" -s /bin/false "$NPMUSER"
+fi
+
+log_info "Configuring $NPMGROUP group ..."
+if [ "$(get_group_id "$NPMGROUP")" = '' ]; then
+	# Add group. This will not set the id properly if it's already taken
+	groupadd -f -g "$PGID" "$NPMGROUP"
+else
+	groupmod -o -g "$PGID" "$NPMGROUP"
+fi
+
+# Set the group ID and check it
+groupmod -o -g "$PGID" "$NPMGROUP"
+if [ "$(get_group_id "$NPMGROUP")" != "$PGID" ]; then
+	echo "ERROR: Unable to set group id properly"
+	exit 1
+fi
+
+# Set the group against the user and check it
+usermod -G "$PGID" "$NPMGROUP"
+if [ "$(id -g "$NPMUSER")" != "$PGID" ] ; then
+	echo "ERROR: Unable to set group against the user properly"
+	exit 1
+fi
+
+# Home for user
+mkdir -p "$NPMHOME"
+chown -R "$PUID:$PGID" "$NPMHOME"
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh
@ -2,8 +2,6 @@
 # shellcheck shell=bash

 set -e
-# verbose
-set -x

 log_info 'Checking paths ...'

--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
@ -2,15 +2,13 @@
 # shellcheck shell=bash

 set -e
-# verbose
-set -x

 log_info 'Setting ownership ...'

 # root
 chown root /tmp/nginx

-# npmuser
+# npm user and group
 chown -R "$PUID:$PGID" /data
 chown -R "$PUID:$PGID" /etc/letsencrypt
 chown -R "$PUID:$PGID" /run/nginx
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh
@ -2,8 +2,6 @@
 # shellcheck shell=bash

 set -e
-# verbose
-set -x

 log_info 'Dynamic resolvers ...'

--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
@ -5,8 +5,6 @@
 # or disable ipv6 in all nginx configs based on this setting.

 set -e
-# verbose
-set -x

 log_info 'IPv6 ...'

@ -33,7 +31,7 @@ process_folder () {
 		sed -E -i "$SED_REGEX" "$FILE"
 	done

-	# ensure the files are still owned by the npmuser
+	# ensure the files are still owned by the npm user
 	chown -R "$PUID:$PGID" "$1"
 }

--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh
@ -2,8 +2,6 @@
 # shellcheck shell=bash

 set -e
-# verbose
-set -x

 # in s6, environmental variables are written as text files for s6 to monitor
 # search through full-path filenames for files ending in "__FILE"
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh
@ -2,6 +2,7 @@
 # shellcheck shell=bash

 set -e
+set +x

 echo "
 -------------------------------------
@ -11,7 +12,7 @@ echo "
 | |\  |  __/| |  | |
 |_| \_|_|   |_|  |_|
 -------------------------------------
-User ID:  $PUID
-Group ID: $PGID
+User:  $NPMUSER PUID:$PUID ID:$(id -u "$NPMUSER") GROUP:$(id -g "$NPMUSER")
+Group: $NPMGROUP PGID:$PGID ID:$(get_group_id "$NPMGROUP")
 -------------------------------------
 "