Run as root by default

Optionally run as another user/group only if
the PUID/PGID env vars are specified. This should give flexibility
to those who need to run processes as root and open ports
without having to request additional privileges.
This commit is contained in:
Jamie Curnow 2023-03-30 09:04:37 +10:00
parent d5ed70dbb6
commit 56a92e5c0e
No known key found for this signature in database
GPG Key ID: FFBB624C43388E9E
8 changed files with 87 additions and 50 deletions


@ -33,6 +33,8 @@ services:
LE_STAGING: 'true'
FORCE_COLOR: 1
DB_SQLITE_FILE: '/data/mydb.sqlite'
PUID: 1000
PGID: 1000
volumes:
- npm_data:/data
expose:


@ -9,6 +9,19 @@ RED='\E[1;31m'
RESET='\E[0m'
export CYAN BLUE YELLOW RED RESET
PUID=${PUID:-0}
PGID=${PGID:-0}
if [[ "$PUID" -ne '0' ]] && [ "$PGID" = '0' ]; then
# set group id to same as user id,
# the user probably forgot to specify the group id and
# it would be rediculous to intentionally use the root group
# for a non-root user
PGID=$PUID
fi
export PUID PGID
log_info () {
echo -e "${BLUE} ${CYAN}$1${RESET}"
}
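Review bot: `PUID` and `PGID` are read straight from the environment on lines 32–33 and never checked to be numeric, yet the new condition on line 34 compares `"$PUID"` with `-ne`, which makes bash evaluate the operand as an arithmetic expression: a value like `abc` aborts the script with a bash syntax error instead of a clear message, and a value shaped like an array subscript (`a[$(cmd)]`) can be expanded by the arithmetic evaluator — the usual bash arithmetic-injection pattern. The same unvalidated strings are later handed to `usermod -u`, `groupmod -g` and `chown -R` in the other files of this commit, so the check belongs here, right after the defaults: `[[ "$PUID" =~ ^[0-9]+$ && "$PGID" =~ ^[0-9]+$ ]] || { echo 'PUID and PGID must be numeric' >&2; exit 1; }`. Once both are known to be digits, the mixed `[[ ... ]] && [ ... ]` on line 34 can become a single string test, `[[ "$PUID" != '0' && "$PGID" == '0' ]]`.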


@ -5,18 +5,28 @@ set -e
. /bin/common.sh
log_info 'Starting backend ...'
cd /app || exit 1
if [ "$DEVELOPMENT" == "true" ]; then
cd /app || exit 1
# If yarn install fails: add --verbose --network-concurrency 1
if [ "${DEVELOPMENT:-}" = "true" ]; then
if [ "$PUID" = '0' ]; then
log_info 'Starting backend development ...'
yarn install
node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js
else
log_info "Starting backend development as npmuser ($PUID) ..."
s6-setuidgid npmuser yarn install
exec s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js'
fi
else
cd /app || exit 1
while :
do
if [ "$PUID" = '0' ]; then
log_info 'Starting backend ...'
node --abort_on_uncaught_exception --max_old_space_size=250 index.js
else
log_info "Starting backend as npmuser ($PUID) ..."
s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --abort_on_uncaught_exception --max_old_space_size=250 index.js'
fi
sleep 1
done
fi
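Review bot: The non-root branches on lines 63 and 74 wrap node in `bash -c 'export HOME=...;node ...'`, which leaves an extra bash process between s6-setuidgid and node; because the `-c` string contains two commands bash forks node rather than exec-ing it (newer bash versions may optimise the last simple command, but that should not be relied on), so a SIGTERM delivered to the wrapper is not forwarded to node and node can outlive its supervisor. The only reason for the shell is setting HOME, which `env` does without a wrapper: line 63 becomes `exec s6-setuidgid npmuser env HOME=/tmp/npmuserhome node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js` and line 74 becomes `s6-setuidgid npmuser env HOME=/tmp/npmuserhome node --abort_on_uncaught_exception --max_old_space_size=250 index.js`. A short comment such as `# s6-setuidgid only switches uid/gid; HOME must be set explicitly for the non-root user` would explain why HOME is handled here at all.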


@ -8,14 +8,20 @@ set -e
if [ "$DEVELOPMENT" == "true" ]; then
. /bin/common.sh
cd /app/frontend || exit 1
log_info 'Starting frontend ...'
HOME=/tmp/npmuserhome
export HOME
mkdir -p /app/frontend/dist
chown -R npmuser:npmuser /app/frontend/dist
# If yarn install fails: add --verbose --network-concurrency 1
chown -R "$PUID:$PGID" /app/frontend/dist
if [ "$PUID" = '0' ]; then
log_info 'Starting frontend ...'
yarn install
exec yarn watch
else
log_info "Starting frontend as npmuser ($PUID) ..."
s6-setuidgid npmuser yarn install
exec s6-setuidgid npmuser yarn watch
fi
else
exit 0
fi
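Review bot: This script still tests `[ "$DEVELOPMENT" == "true" ]` on line 83 while the backend start script in the same commit changed its test to `[ "${DEVELOPMENT:-}" = "true" ]`; the two scripts now read the same variable with different syntax, and `==` inside single-bracket `[` is a bashism that is not portable if these scripts ever run under `/bin/sh`, so line 83 should become `if [ "${DEVELOPMENT:-}" = "true" ]; then` for consistency. Note also that line 92 applies `chown -R "$PUID:$PGID"` before either value has been shown to be numeric anywhere in this file; if the validation lives in common.sh, a comment here saying so (`# PUID/PGID are defaulted and validated in common.sh`) would make that dependency visible, but I cannot confirm from this hunk that such validation exists.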


@ -5,6 +5,10 @@ set -e
. /bin/common.sh
log_info 'Starting nginx ...'
exec s6-setuidgid npmuser nginx
if [ "$PUID" = '0' ]; then
log_info 'Starting nginx ...'
exec nginx
else
log_info "Starting nginx as npmuser ($PUID) ..."
exec s6-setuidgid npmuser nginx
fi
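Review bot: With PUID=0 line 114 now starts the nginx master as root, so whether the worker processes still drop privileges depends entirely on the `user` directive in /etc/nginx/nginx.conf, which this commit neither shows nor mentions; in the other branch, where nginx is started through s6-setuidgid as npmuser, nginx ignores that directive and only logs a warning. Both facts are worth stating above line 112: `# PUID=0: the master runs as root and workers take the identity from nginx.conf's 'user' directive; otherwise nginx runs entirely as npmuser and 'user' is ignored`. If nginx.conf does not set `user`, the root path leaves the workers running as root as well — please confirm which it is.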


@ -3,23 +3,23 @@
set -e
PUID=${PUID:-911}
PGID=${PGID:-911}
log_info 'Configuring npmuser ...'
groupmod -g 1000 users || exit 1
if id -u npmuser; then
# user already exists
usermod -u "${PUID}" npmuser || exit 1
if [ "$PUID" = '0' ]; then
log_info 'Skipping npmuser configuration'
else
# Add npmuser user
useradd -u "${PUID}" -U -d /tmp/npmuserhome -s /bin/false npmuser || exit 1
fi
log_info 'Configuring npmuser ...'
groupmod -g 1000 users || exit 1
usermod -G users npmuser || exit 1
groupmod -o -g "${PGID}" npmuser || exit 1
# Home for npmuser
mkdir -p /tmp/npmuserhome
chown -R npmuser:npmuser /tmp/npmuserhome
if id -u npmuser; then
# user already exists
usermod -u "$PUID" npmuser || exit 1
else
# Add npmuser user
useradd -u "$PUID" -U -d /tmp/npmuserhome -s /bin/false npmuser || exit 1
fi
usermod -G users npmuser || exit 1
groupmod -o -g "$PGID" npmuser || exit 1
# Home for npmuser
mkdir -p /tmp/npmuserhome
chown -R npmuser:npmuser /tmp/npmuserhome
fi
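Review bot: Lines 124–125 still default PUID/PGID to 911 while common.sh in this same commit defaults them to 0; if common.sh is sourced before this hunk (log_info is used on line 137, so presumably it is) the 911 defaults are dead code that misleads the reader, and if it is not, an unset PUID makes this script create a uid-911 user while the start scripts treat the container as root. Either way the defaults should agree — dropping lines 124–125 and adding `# PUID/PGID are defaulted in common.sh` is the simplest fix. Separately, line 152 uses `groupmod -o` to permit a duplicate GID but line 146 calls `usermod -u "$PUID"` without `-o`, so a PUID that collides with an existing uid in the image aborts the container via the bare `|| exit 1`; if sharing a uid is deliberately disallowed, a comment saying so next to line 146 would save the next person from "fixing" the asymmetry. The hunk starts at line 3 of the file, so where common.sh is sourced is outside what I can see.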


@ -9,16 +9,16 @@ log_info 'Setting ownership ...'
chown root /tmp/nginx
# npmuser
chown -R npmuser:npmuser /data
chown -R npmuser:npmuser /etc/letsencrypt
chown -R npmuser:npmuser /run/nginx
chown -R npmuser:npmuser /tmp/nginx
chown -R npmuser:npmuser /var/cache/nginx
chown -R npmuser:npmuser /var/lib/logrotate
chown -R npmuser:npmuser /var/lib/nginx
chown -R npmuser:npmuser /var/log/nginx
chown -R "$PUID:$PGID" /data \
/etc/letsencrypt \
/run/nginx \
/tmp/nginx \
/var/cache/nginx \
/var/lib/logrotate \
/var/lib/nginx \
/var/log/nginx
# Don't chown entire /etc/nginx folder as this causes crashes on some systems
chown -R npmuser:npmuser /etc/nginx/nginx
chown -R npmuser:npmuser /etc/nginx/nginx.conf
chown -R npmuser:npmuser /etc/nginx/conf.d
chown -R "$PUID:$PGID" /etc/nginx/nginx \
/etc/nginx/nginx.conf \
/etc/nginx/conf.d
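Review bot: The recursive chown on lines 171–178 now runs as root with a uid:gid pair that can change between container starts, so changing PUID/PGID (or switching to PUID=0, which yields `chown -R 0:0`) silently rewrites the ownership of every file under `/data` and `/etc/letsencrypt` — typically host-mounted volumes holding Let's Encrypt private keys — on the next start; that is probably intended, but nothing says so. A comment above line 171 would make the consequence explicit: `# Re-own persistent volumes to the runtime identity; changing PUID/PGID re-owns everything under /data and /etc/letsencrypt on the next start`. Since `$PUID:$PGID` is passed as a raw string, chown would also accept a non-numeric group name here that `groupmod -g` elsewhere in this commit would reject, so the numeric check should happen before this script runs; I cannot see from this hunk whether it does.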


@ -10,8 +10,10 @@ echo "-------------------------------------
| \| | |_) | |\/| |
| |\ | __/| | | |
|_| \_|_| |_| |_|
-------------------------------------
User UID: $(id -u npmuser)
User GID: $(id -g npmuser)
-------------------------------------
"
-------------------------------------"
if [[ "$PUID" -ne '0' ]]; then
echo "User UID: $(id -u npmuser)"
echo "User GID: $(id -g npmuser)"
echo "-------------------------------------"
fi
echo
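Review bot: When PUID is 0 the block on lines 199–203 prints nothing about the runtime identity, so the one case that most deserves to be visible in the logs — the whole stack running as root — is silent; `id -u npmuser` also reports the user that was configured rather than the identity the processes will actually use. Adding an `else` branch with `echo "User UID: 0 (running as root)"` and `echo "-------------------------------------"` keeps the banner shape in both modes. As in common.sh, `[[ "$PUID" -ne '0' ]]` on line 199 is an arithmetic comparison on an environment-supplied string and should be the string test `[[ "$PUID" != '0' ]]` unless PUID has been validated as numeric beforehand.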