From c733b0895c1704d351ce8b4c8dce669670c04c75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9goire=20Pineau?=
Date: Sat, 1 Jul 2023 14:42:54 +0200
Subject: [PATCH] --

---
 .castor/utils.php                                |  7 +++----
 infrastructure/docker/docker-compose.builder.yml |  1 +
 infrastructure/docker/services/php/Dockerfile    |  8 +++-----
 infrastructure/docker/services/php/entrypoint    | 12 ++++++++----
 4 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/.castor/utils.php b/.castor/utils.php
index 70c0ff4..5292217 100644
--- a/.castor/utils.php
+++ b/.castor/utils.php
@@ -47,7 +47,7 @@ function about(): void
 }
 
 #[AsTask(description: 'Opens a shell (bash) into a builder container')]
-function builder(string $user = 'app'): void
+function builder(): void
 {
     $c = get_context()
         ->withTimeout(null)
@@ -56,7 +56,7 @@ function builder(string $user = 'app'): void
         ->withQuiet()
         ->withAllowFailure()
     ;
-    docker_compose_run('bash', c: $c, user: $user);
+    docker_compose_run('bash', c: $c);
 }
 
 #[AsContext(default: true)]
@@ -110,7 +110,6 @@ function docker_compose_run(
     string $runCommand,
     Context $c = null,
     string $service = 'builder',
-    string $user = 'app',
     bool $noDeps = true,
     string $workDir = null,
     bool $portMapping = false,
@@ -119,7 +118,6 @@ function docker_compose_run(
     $command = [
         'run',
         '--rm',
-        '-u', $user,
     ];
 
     if ($noDeps) {
@@ -160,6 +158,7 @@ function docker_compose(array $subCommand, Context $c = null, bool $withBuilder
             'PROJECT_DIRECTORY' => variable('project_directory'),
             'PROJECT_ROOT_DOMAIN' => variable('root_domain'),
             'PROJECT_DOMAINS' => $domains,
+            'USER_ID' => variable('user_id'),
             'COMPOSER_CACHE_DIR' => variable('composer_cache_dir'),
             'PHP_VERSION' => variable('php_version'),
         ], true)
diff --git a/infrastructure/docker/docker-compose.builder.yml b/infrastructure/docker/docker-compose.builder.yml
index 53155fe..b72f25a 100644
--- a/infrastructure/docker/docker-compose.builder.yml
+++ b/infrastructure/docker/docker-compose.builder.yml
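Review bot: Dropping `string $user = 'app'` from the `docker_compose_run` signature (together with the `'-u', $user` argument in the next hunk) turns any remaining call that still passes `user:` into a fatal "Unknown named parameter" error at runtime; only `builder()` is updated in this patch, so if any other task in `.castor/` passes `user:` it needs the same change. With `-u` gone every `docker compose run` now starts as root and relies entirely on the image entrypoint to drop to `UID`, so an `--entrypoint` override or an `exec` into such a container runs as root. That contract is worth recording on the function, e.g. `// Starts as root on purpose: the image entrypoint switches to USER_ID via gosu.` above the `'run', '--rm'` array. The body of `docker_compose_run` continues outside the hunk.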
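Review bot: `'USER_ID' => variable('user_id')` is forwarded verbatim into the compose environment, and an unset, null or empty value reaches the container as an empty `UID`, which the entrypoint in this patch then treats as 0 and runs the workload as root; the context that defines `user_id` is outside the diff, so I cannot tell whether it can be empty. A check at this boundary keeps the failure loud instead of silent, e.g. `if (!ctype_digit((string) variable('user_id'))) { throw new \RuntimeException('user_id must be a numeric uid'); }` before the array is built. `docker_compose` starts and ends outside the hunk.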
@@ -17,6 +17,7 @@ services:
       - postgres
     environment:
       - COMPOSER_MEMORY_LIMIT=-1
+      - UID=${USER_ID}
       - GITHUB_ACTIONS
     volumes:
       - "../../${PROJECT_DIRECTORY}:/home/app/application:cached"
diff --git a/infrastructure/docker/services/php/Dockerfile b/infrastructure/docker/services/php/Dockerfile
index 9b093ae..97c36af 100644
--- a/infrastructure/docker/services/php/Dockerfile
+++ b/infrastructure/docker/services/php/Dockerfile
@@ -37,11 +37,11 @@ RUN apt-get update \
 # Fake user to maps with the one on the host
 COPY entrypoint /
 ARG USER_ID
-RUN addgroup --gid 1000 app && \
+RUN addgroup --gid $USER_ID app && \
     adduser --system --uid $USER_ID --home /home/app --shell /bin/bash app && \
-    wget -O- https://github.com/tianon/gosu/releases/download/1.12/gosu-amd64 | \
+    curl -Ls https://github.com/tianon/gosu/releases/download/1.16/gosu-amd64 | \
     install /dev/stdin /usr/local/bin/gosu && \
-    sed "s/{{ application_user_id }}/$USER_ID/g" -i /entrypoint
+    sed "s/{{ application_user }}/app/g" -i /entrypoint
 
 # Configuration
 COPY base/php-configuration /etc/php/${PHP_VERSION}
@@ -101,5 +101,3 @@ RUN mkdir -p "/home/app/.composer/cache" \
 
 ENV PATH="$PATH:/home/app/application/tools/php-cs-fixer/vendor/bin"
 ENV PATH="$PATH:/home/app/application/tools/phpstan/vendor/bin"
-
-USER app
diff --git a/infrastructure/docker/services/php/entrypoint b/infrastructure/docker/services/php/entrypoint
index 03a939d..37187bb 100755
--- a/infrastructure/docker/services/php/entrypoint
+++ b/infrastructure/docker/services/php/entrypoint
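Review bot: `- UID=${USER_ID}` substitutes an empty string when `USER_ID` is absent from the environment compose runs in (compose only warns), and the image entrypoint in this patch maps an empty `UID` to 0, so a forgotten variable silently runs the builder as root over the bind-mounted `../../${PROJECT_DIRECTORY}`. Compose's `${VAR:?message}` form makes that a hard error instead: `- UID=${USER_ID:?USER_ID must be set to the host uid}`. The Dockerfile in the same patch also consumes `USER_ID` as a build `ARG`; this service's `build.args` section is outside the hunk, so I cannot confirm both are fed from the same value.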
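Review bot: `curl -Ls … | install /dev/stdin /usr/local/bin/gosu` installs whatever the server returns: without `-f` an HTTP error body is piped straight into the binary, the Dockerfile's default shell has no `pipefail` so a failed download still lets the `RUN` succeed, and nothing verifies the artifact even though gosu publishes per-release checksums and signatures. Downloading to a file and checking it before installing closes all three, e.g. `curl -fsSL -o /tmp/gosu https://github.com/tianon/gosu/releases/download/1.16/gosu-amd64 && echo "<GOSU_1_16_AMD64_SHA256_PLACEHOLDER>  /tmp/gosu" | sha256sum -c - && install -m 0755 /tmp/gosu /usr/local/bin/gosu` (placeholder to be filled in from the release page). `addgroup --gid $USER_ID app` also now fails the build when `$USER_ID` is empty or already taken by a group in the base image, which the fixed `--gid 1000` did not; a `getent group "$USER_ID"` check before it would make that case explicit rather than an opaque addgroup error.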
@@ -3,18 +3,22 @@
 set -e
 set -u
 
+if [ $(id -u) != 0 ]; then
+    echo "Running this image as non root is not allowed"
+    exit 1
+fi
+
 : "${UID:=0}"
 : "${GID:=${UID}}"
 
 if [ "$#" = 0 ]; then
-    echo "A"
     set -- "$(command -v bash 2>/dev/null || command -v sh)" -l
 fi
 
 if [ "$UID" != 0 ]; then
-    usermod -u "$UID" "{{ application_user_id }}" 2>/dev/null && {
-        groupmod -g "$GID" "{{ application_user_id }}" 2>/dev/null ||
-        usermod -a -G "$GID" "{{ application_user_id }}"
+    usermod -u "$UID" "{{ application_user }}" 2>/dev/null && {
+        groupmod -g "$GID" "{{ application_user }}" 2>/dev/null ||
+        usermod -a -G "$GID" "{{ application_user }}"
     }
     set -- gosu "${UID}:${GID}" "${@}"
 fi
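Review bot: `: "${UID:=0}"` followed by `if [ "$UID" != 0 ]` fails open: an unset or empty `UID` (exactly what the compose file in this patch sends when `USER_ID` is missing) skips the `gosu` step and runs the command as root. The patch makes that more consequential, because the new `id -u` check requires the container to start as root and `USER app` is removed from the Dockerfile, so this script is now the only privilege drop. Defaulting to the user baked into the image keeps the safe path the default: `: "${UID:=$(id -u "{{ application_user }}")}"`. Two smaller points: quote the new test as `if [ "$(id -u)" != 0 ]; then`, and if the shebang (outside the hunk) is bash rather than sh, `UID` is a read-only shell variable there and the inherited value would not take effect. The final command that consumes `"$@"` is past the end of the hunk.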