This is an automated email from the ASF dual-hosted git repository. willholley pushed a commit to branch custom_uid in repository https://gitbox.apache.org/repos/asf/couchdb-docker.git
commit bdc37a78e038e5f886421521bf65ec5bee548b39 Author: Will Holley <[email protected]> AuthorDate: Tue Aug 13 11:45:43 2019 +0100 allow running as arbitrary uid * Adds guards around entrypoints commands that require root * Broaden permissions within the container filesystem to allow access by non-couchdb users. Note that in production, the container filesystem could be read-only if all persistent volumes are mounted externally. * Added an example to the documentation which specifies `--user`. --- 2.3.1/Dockerfile | 4 +++- 2.3.1/docker-entrypoint.sh | 53 ++++++++++++++++++++++++++-------------------- README.md | 9 ++++++++ 3 files changed, 42 insertions(+), 24 deletions(-) diff --git a/2.3.1/Dockerfile b/2.3.1/Dockerfile index a266ed8..83eae40 100644 --- a/2.3.1/Dockerfile +++ b/2.3.1/Dockerfile @@ -122,7 +122,9 @@ RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards c ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"] # Setup directories and permissions -RUN find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' + +RUN find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chmod 777 '{}' +; \ + chmod -R 777 /opt/couchdb/etc; + VOLUME /opt/couchdb/data # 5984: Main CouchDB endpoint diff --git a/2.3.1/docker-entrypoint.sh b/2.3.1/docker-entrypoint.sh index 7fdb04b..b5658ed 100755 --- a/2.3.1/docker-entrypoint.sh +++ b/2.3.1/docker-entrypoint.sh 
@@ -25,28 +25,32 @@ if [ "$1" = 'couchdb' ]; then fi if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then - # Check that we own everything in /opt/couchdb and fix if necessary. We also - # add the `-f` flag in all the following invocations because there may be - # cases where some of these ownership and permissions issues are non-fatal - # (e.g. a config file owned by root with o+r is actually fine), and we don't - # to be too aggressive about crashing here ... - find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' + + # if user is root, assume running under the couchdb user (default) + # and ensure it is able to access files and directories that may be mounted externally + if [ "$(id -u)" = '0' ]; then + # Check that we own everything in /opt/couchdb and fix if necessary. We also + # add the `-f` flag in all the following invocations because there may be + # cases where some of these ownership and permissions issues are non-fatal + # (e.g. a config file owned by root with o+r is actually fine), and we don't + # to be too aggressive about crashing here ... + find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' + - # Ensure that data files have the correct permissions. We were previously - # preventing any access to these files outside of couchdb:couchdb, but it - # turns out that CouchDB itself does not set such restrictive permissions - # when it creates the files. The approach taken here ensures that the - # contents of the datadir have the same permissions as they had when they - # were initially created. This should minimize any startup delay. - find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' + - find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' + + # Ensure that data files have the correct permissions. 
We were previously + # preventing any access to these files outside of couchdb:couchdb, but it + # turns out that CouchDB itself does not set such restrictive permissions + # when it creates the files. The approach taken here ensures that the + # contents of the datadir have the same permissions as they had when they + # were initially created. This should minimize any startup delay. + find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' + + find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' + - # Do the same thing for configuration files and directories. Technically - # CouchDB only needs read access to the configuration files as all online - # changes will be applied to the "docker.ini" file below, but we set 644 - # for the sake of consistency. - find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' + - find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' + + # Do the same thing for configuration files and directories. Technically + # CouchDB only needs read access to the configuration files as all online + # changes will be applied to the "docker.ini" file below, but we set 644 + # for the sake of consistency. + find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' + + find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' + + fi if [ ! -z "$NODENAME" ] && ! grep "couchdb@" /opt/couchdb/etc/vm.args; then echo "-name couchdb@$NODENAME" >> /opt/couchdb/etc/vm.args @@ -69,7 +73,9 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then fi fi - chown -f couchdb:couchdb /opt/couchdb/etc/local.d/docker.ini || true + if [ "$(id -u)" = '0' ]; then + chown -f couchdb:couchdb /opt/couchdb/etc/local.d/docker.ini || true + fi # if we don't find an [admins] section followed by a non-comment, display a warning if ! grep -Pzoqr '\[admins\]\n[^;]\w+' /opt/couchdb/etc/default.d/*.ini /opt/couchdb/etc/local.d/*.ini; then 
@@ -88,8 +94,9 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then EOWARN fi - - exec gosu couchdb "$@" + if [ "$(id -u)" = '0' ]; then + exec gosu couchdb "$@" + fi fi exec "$@" diff --git a/README.md b/README.md index 42f0a93..7f7d73a 100644 --- a/README.md +++ b/README.md @@ -170,6 +170,15 @@ file = /opt/couchdb/log/couch.log It is recommended to then mount this path to a directory on the host, as CouchDB logging can be quite voluminous. +## Running under a custom UID + +By default, CouchDB will run as the `couchdb` user with UID 5984. Running under a different UID is supported, so long as any volume mounts have appropriate read/write permissions. For example, assuming user `myuser` has write access to `/home/couchdb/data`, the following command will run CouchDB as that user: + +``` +docker run --name my-couchdb --user myuser -v /home/couchdb/data:/opt/couchdb/data %%IMAGE%%:tag +``` + + ----- # Development images
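Review bot: the Dockerfile hunk replaces the `chown couchdb:couchdb` with `chmod 777` on everything under `/opt/couchdb` not owned by couchdb, plus `chmod -R 777 /opt/couchdb/etc`, which makes the configuration tree (including `local.d`, where the entrypoint writes `docker.ini` with the `[admins]` entry) writable by every uid in the container, not just the one CouchDB runs as. A narrower way to support arbitrary uids is the group-based convention: keep the files owned by `couchdb`, assign them to GID 0 and grant group access only, e.g. `chgrp -R 0 /opt/couchdb && chmod -R g+rwX /opt/couchdb`, and document that a custom `--user` should be given as `uid:0`. That keeps "other" permissions unchanged while still letting an arbitrary uid read and write what it needs. Note also that the `-f` flag from the old `chown` invocation was dropped, so a single unwritable path in the image layer now fails the build instead of being skipped.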
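Review bot: in the `@@ -25,28` hunk the non-root branch silently skips all of the ownership and permission repair, but nothing checks that the current uid can actually write `/opt/couchdb/data` and `/opt/couchdb/etc` (the unconditional `echo ... >> /opt/couchdb/etc/vm.args` for `$NODENAME` is the first write and will fail with an unhelpful shell error). Consider adding an explicit guard in an `else` branch, e.g. `[ -w /opt/couchdb/data ] && [ -w /opt/couchdb/etc ] || { echo "uid $(id -u) cannot write /opt/couchdb/data or /opt/couchdb/etc" >&2; exit 1; }`, so an operator who mounts a volume with the wrong ownership gets a clear message at startup rather than a later CouchDB crash. While re-indenting these comment lines, the pre-existing typo "we don't to be too aggressive" could become "we don't want to be too aggressive".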
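Review bot: in the `@@ -69,7` hunk only the `chown` of `/opt/couchdb/etc/local.d/docker.ini` is guarded, but the file's mode is never tightened on either path. Because `/opt/couchdb/etc` is now mode 777 from the Dockerfile, `docker.ini` (which carries the `[admins]` credentials the following grep checks for) is created with whatever the process umask allows and sits in a directory any uid can write to. Suggest a `chmod -f 600 /opt/couchdb/etc/local.d/docker.ini || true` applied unconditionally after the file is written, since the running uid is its owner in both the root and non-root cases.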
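Review bot: the `@@ -88,8` hunk is the third copy of the `[ "$(id -u)" = '0' ]` test in this script; evaluating it once near the top (e.g. `RUNNING_AS_ROOT=$([ "$(id -u)" = '0' ] && echo 1 || echo 0)`) and testing the variable in all three places would keep the branches from drifting apart. It would also help operators to log which path was taken, e.g. `echo "running CouchDB as uid $(id -u)" >&2` just before the final `exec "$@"`, since the `gosu couchdb` drop and the direct `exec` now both end in the same line.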
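Review bot: the README hunk's example `--user myuser` only works if `myuser` exists in the image's `/etc/passwd`; Docker resolves a user name inside the container, so for an arbitrary uid the documented form should be numeric, e.g. `--user 1000:1000`, matching the uid/gid that owns the host path mounted at `/opt/couchdb/data`. It is also worth stating in this section that a uid without a passwd entry has no home directory or user name inside the container, and repeating the commit message's point that the root filesystem can be mounted read-only once all writable paths are external volumes.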
