From b9deec10951aef07caca13ef4ebf1b9a90e801de Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Wed, 19 Feb 2020 12:06:28 +0100
Subject: [PATCH] [misc] narrow down write access/ownership for the run-time user

---
 services/clsi/.dockerignore | 2 ++
 services/clsi/Dockerfile | 4 ++--
 services/clsi/buildscript.txt | 2 +-
 services/clsi/entrypoint.sh | 17 ++++++++---------
 4 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/services/clsi/.dockerignore b/services/clsi/.dockerignore
index 35f8905ec5..74fdc35e80 100644
--- a/services/clsi/.dockerignore
+++ b/services/clsi/.dockerignore
@@ -5,4 +5,6 @@ gitrev
 .npm
 .nvmrc
 nodemon.json
+cache/
+compiles/
 db/
diff --git a/services/clsi/Dockerfile b/services/clsi/Dockerfile
index 3fbae08b32..40615ad8c3 100644
--- a/services/clsi/Dockerfile
+++ b/services/clsi/Dockerfile
@@ -24,7 +24,7 @@ COPY . /app
 
 FROM base
 COPY --from=app /app /app
-RUN mkdir -p db \
-&& chown node:node db
+RUN mkdir -p cache compiles db \
+&& chown node:node cache compiles db
 
 CMD ["node", "--expose-gc", "app.js"]
diff --git a/services/clsi/buildscript.txt b/services/clsi/buildscript.txt
index 72b0f6a3d6..81d65464f9 100644
--- a/services/clsi/buildscript.txt
+++ b/services/clsi/buildscript.txt
@@ -1,6 +1,6 @@
 clsi
 --acceptance-creds=None
---data-dirs=db
+--data-dirs=cache,compiles,db
 --dependencies=
 --docker-repos=gcr.io/overleaf-ops
 --env-add=
diff --git a/services/clsi/entrypoint.sh b/services/clsi/entrypoint.sh
index e28bbe6624..3e3f838258 100755
--- a/services/clsi/entrypoint.sh
+++ b/services/clsi/entrypoint.sh
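Review bot: The new `RUN mkdir -p cache compiles db \` / `&& chown node:node cache compiles db` lines in the Dockerfile hunk use paths relative to whichever WORKDIR is in effect, and that WORKDIR is set outside this hunk, while the COPY immediately above uses the absolute /app; if the WORKDIR is later moved or dropped, the directories silently land elsewhere and the entrypoint's absolute `chown node:node /app/cache` then targets a path that does not exist. Spelling them out as `RUN mkdir -p /app/cache /app/compiles /app/db \` and `&& chown node:node /app/cache /app/compiles /app/db` keeps the build-time and run-time paths visibly identical. Note also that this chown only fixes ownership of the empty build-time directories; a volume mounted over them at run time brings its own ownership, which is presumably why the entrypoint repeats the chown and is worth a one-line comment above the RUN, e.g. `# ownership of the empty dirs; volumes mounted here are re-owned by entrypoint.sh`.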
@@ -2,22 +2,21 @@
 
 docker --version >&2
 
+# add the node user to the docker group on the host
 DOCKER_GROUP=$(stat -c '%g' /var/run/docker.sock)
 groupadd --non-unique --gid ${DOCKER_GROUP} dockeronhost
 usermod -aG dockeronhost node
 
-mkdir -p /app/cache
-chown -R node:node /app/cache
+# compatibility: initial volume setup
+chown node:node /app/cache
+chown node:node /app/compiles
+chown node:node /app/db
 
-mkdir -p /app/compiles
-chown -R node:node /app/compiles
-
-chown -R node:node /app/bin/synctex
+# acceptance tests
 mkdir -p /app/test/acceptance/fixtures/tmp/
-chown -R node:node /app
-
-chown -R node:node /app/bin
+chown -R node:node /app/test/acceptance/fixtures
 
+# make synctex available for remount in compiles
 cp /app/bin/synctex /app/bin/synctex-mount/synctex
 
 exec runuser -u node -- "$@"
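Review bot: The three new `chown node:node /app/...` lines and the `chown -R` on the fixtures directory run with no status check, and the script then unconditionally `exec`s the service as node; the shebang and any `set -e` sit outside this hunk, so as far as is visible here a chown that fails on a volume the container cannot re-own just launches the service as a user that may be unable to write its data directories. Since the comment calls this initial volume setup, I would make it fail closed, `chown node:node /app/cache /app/compiles /app/db || exit 1`, or at minimum `printf 'entrypoint: chown of data dirs failed\n' >&2` so the failure is visible in the container log rather than surfacing later as compile errors. Dropping `-R` on the data directories is the intended narrowing, but it also means files left in an existing volume by an older image under a different owner are no longer fixed up, which the comment should state, e.g. `# compatibility: initial volume setup (non-recursive; existing contents keep their owner)`. The unchanged `mkdir -p /app/test/acceptance/fixtures/tmp/` plus the new recursive chown run in every deployment, not only under acceptance tests, so guarding them on the test directory already existing would keep the production image's writable surface to the three data directories.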