From c432c34fb3117da32c04acd1ca7826e9d63e6c85 Mon Sep 17 00:00:00 2001 From: Jamie Curnow Date: Thu, 4 May 2023 10:03:06 +1000 Subject: [PATCH] Small refactor of user/groups and add checks during startup. Only use -x in bash scripts when DEBUG=true set in env vars --- docker/rootfs/bin/common.sh | 12 ++++++ docker/rootfs/etc/nginx/nginx.conf | 2 +- .../rootfs/etc/s6-overlay/s6-rc.d/backend/run | 6 +-- .../etc/s6-overlay/s6-rc.d/frontend/run | 6 +-- .../rootfs/etc/s6-overlay/s6-rc.d/nginx/run | 2 +- .../etc/s6-overlay/s6-rc.d/prepare/00-all.sh | 6 ++- .../s6-overlay/s6-rc.d/prepare/10-npmuser.sh | 22 ---------- .../s6-rc.d/prepare/10-usergroup.sh | 40 +++++++++++++++++++ .../s6-overlay/s6-rc.d/prepare/20-paths.sh | 2 - .../s6-rc.d/prepare/30-ownership.sh | 4 +- .../s6-overlay/s6-rc.d/prepare/40-dynamic.sh | 2 - .../etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh | 4 +- .../s6-overlay/s6-rc.d/prepare/60-secrets.sh | 2 - .../s6-overlay/s6-rc.d/prepare/90-banner.sh | 5 ++- 14 files changed, 70 insertions(+), 45 deletions(-) delete mode 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh create mode 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh diff --git a/docker/rootfs/bin/common.sh b/docker/rootfs/bin/common.sh index 0bc6468..913dd3e 100644 --- a/docker/rootfs/bin/common.sh +++ b/docker/rootfs/bin/common.sh @@ -12,6 +12,11 @@ export CYAN BLUE YELLOW RED RESET PUID=${PUID:-0} PGID=${PGID:-0} +NPMUSER=npm +NPMGROUP=npm +NPMHOME=/tmp/npmuserhome +export NPMUSER NPMGROUP NPMHOME + if [[ "$PUID" -ne '0' ]] && [ "$PGID" = '0' ]; then # set group id to same as user id, # the user probably forgot to specify the group id and @@ -40,3 +45,10 @@ log_fatal () { /run/s6/basedir/bin/halt exit 1 } + +# param $1: group_name +get_group_id () { + if [ "${1:-}" != '' ]; then + getent group "$1" | cut -d: -f3 + fi +} diff --git a/docker/rootfs/etc/nginx/nginx.conf b/docker/rootfs/etc/nginx/nginx.conf index c2ee97c..8261833 100644 --- a/docker/rootfs/etc/nginx/nginx.conf +++ b/docker/rootfs/etc/nginx/nginx.conf @@ -1,7 +1,7 @@ # run nginx in foreground daemon off; pid /run/nginx/nginx.pid; -user npmuser; +user npm; # Set number of worker processes automatically based on number of CPU cores. worker_processes auto; diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run index 9fe0831..f3209de 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run @@ -12,12 +12,12 @@ cd /app || exit 1 log_info 'Starting backend ...' if [ "${DEVELOPMENT:-}" = 'true' ]; then - s6-setuidgid npmuser yarn install - exec s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js' + s6-setuidgid "$PUID:$PGID" yarn install + exec s6-setuidgid "$PUID:$PGID" bash -c "export HOME=$NPMHOME;node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js" else while : do - s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --abort_on_uncaught_exception --max_old_space_size=250 index.js' + s6-setuidgid "$PUID:$PGID" bash -c "export HOME=$NPMHOME;node --abort_on_uncaught_exception --max_old_space_size=250 index.js" sleep 1 done fi diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run index 1181c53..e62f749 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run @@ -8,14 +8,14 @@ set -e if [ "$DEVELOPMENT" = 'true' ]; then . /bin/common.sh cd /app/frontend || exit 1 - HOME=/tmp/npmuserhome + HOME=$NPMHOME export HOME mkdir -p /app/frontend/dist chown -R "$PUID:$PGID" /app/frontend/dist log_info 'Starting frontend ...' - s6-setuidgid npmuser yarn install - exec s6-setuidgid npmuser yarn watch + s6-setuidgid "$PUID:$PGID" yarn install + exec s6-setuidgid "$PUID:$PGID" yarn watch else exit 0 fi diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run index fa8c1fc..b1bed7a 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run @@ -6,4 +6,4 @@ set -e . /bin/common.sh log_info 'Starting nginx ...' -exec s6-setuidgid npmuser nginx +exec s6-setuidgid "$PUID:$PGID" nginx diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh index 1d5899e..82fbefb 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh @@ -9,7 +9,11 @@ if [ "$(id -u)" != "0" ]; then log_fatal "This docker container must be run as root, do not specify a user.\nYou can specify PUID and PGID env vars to run processes as that user and group after initialization." fi -. /etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh +if [ "$DEBUG" = "true" ]; then + set -x +fi + +. /etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh . /etc/s6-overlay/s6-rc.d/prepare/20-paths.sh . /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh . /etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh deleted file mode 100755 index 1f290de..0000000 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/command/with-contenv bash -# shellcheck shell=bash - -set -e -# verbose -set -x - -log_info 'Configuring npmuser ...' - -if id -u npmuser; then - # user already exists - usermod -u "$PUID" npmuser || exit 1 -else - # Add npmuser user - useradd -o -u "$PUID" -U -d /tmp/npmuserhome -s /bin/false npmuser || exit 1 -fi - -usermod -G "$PGID" npmuser || exit 1 -groupmod -o -g "$PGID" npmuser || exit 1 -# Home for npmuser -mkdir -p /tmp/npmuserhome -chown -R "$PUID:$PGID" /tmp/npmuserhome diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh new file mode 100755 index 0000000..ea10019 --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh @@ -0,0 +1,40 @@ +#!/command/with-contenv bash +# shellcheck shell=bash + +set -e + +log_info "Configuring $NPMUSER user ..." + +if id -u "$NPMUSER" 2>/dev/null; then + # user already exists + usermod -u "$PUID" "$NPMUSER" +else + # Add user + useradd -o -u "$PUID" -U -d "$NPMHOME" -s /bin/false "$NPMUSER" +fi + +log_info "Configuring $NPMGROUP group ..." +if [ "$(get_group_id "$NPMGROUP")" = '' ]; then + # Add group. This will not set the id properly if it's already taken + groupadd -f -g "$PGID" "$NPMGROUP" +else + groupmod -o -g "$PGID" "$NPMGROUP" +fi + +# Set the group ID and check it +groupmod -o -g "$PGID" "$NPMGROUP" +if [ "$(get_group_id "$NPMGROUP")" != "$PGID" ]; then + echo "ERROR: Unable to set group id properly" + exit 1 +fi + +# Set the group against the user and check it +usermod -G "$PGID" "$NPMGROUP" +if [ "$(id -g "$NPMUSER")" != "$PGID" ] ; then + echo "ERROR: Unable to set group against the user properly" + exit 1 +fi + +# Home for user +mkdir -p "$NPMHOME" +chown -R "$PUID:$PGID" "$NPMHOME" diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh index 12f6400..2f59ef4 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh @@ -2,8 +2,6 @@ # shellcheck shell=bash set -e -# verbose -set -x log_info 'Checking paths ...' diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh index 3c583ab..817c2c8 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh @@ -2,15 +2,13 @@ # shellcheck shell=bash set -e -# verbose -set -x log_info 'Setting ownership ...' # root chown root /tmp/nginx -# npmuser +# npm user and group chown -R "$PUID:$PGID" /data chown -R "$PUID:$PGID" /etc/letsencrypt chown -R "$PUID:$PGID" /run/nginx diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh index d13fae7..0cb9f12 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh @@ -2,8 +2,6 @@ # shellcheck shell=bash set -e -# verbose -set -x log_info 'Dynamic resolvers ...' diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh index 3e583bf..76e9a65 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh @@ -5,8 +5,6 @@ # or disable ipv6 in all nginx configs based on this setting. set -e -# verbose -set -x log_info 'IPv6 ...' @@ -33,7 +31,7 @@ process_folder () { sed -E -i "$SED_REGEX" "$FILE" done - # ensure the files are still owned by the npmuser + # ensure the files are still owned by the npm user chown -R "$PUID:$PGID" "$1" } diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh index 1a72438..faa22ac 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh @@ -2,8 +2,6 @@ # shellcheck shell=bash set -e -# verbose -set -x # in s6, environmental variables are written as text files for s6 to monitor # search through full-path filenames for files ending in "__FILE" diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh index 7991ddf..48ba639 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh @@ -2,6 +2,7 @@ # shellcheck shell=bash set -e +set +x echo " ------------------------------------- @@ -11,7 +12,7 @@ echo " | |\ | __/| | | | |_| \_|_| |_| |_| ------------------------------------- -User ID: $PUID -Group ID: $PGID +User: $NPMUSER PUID:$PUID ID:$(id -u "$NPMUSER") GROUP:$(id -g "$NPMUSER") +Group: $NPMGROUP PGID:$PGID ID:$(get_group_id "$NPMGROUP") ------------------------------------- "