[GitHub] [couchdb-docker] willholley commented on a change in pull request #151: allow running as arbitrary uid
willholley commented on a change in pull request #151: allow running as arbitrary uid URL: https://github.com/apache/couchdb-docker/pull/151#discussion_r318467202 ## File path: 2.3.1/Dockerfile ## @@ -121,8 +121,17 @@ COPY docker-entrypoint.sh /usr/local/bin RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards compat ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"] -# Setup directories and permissions -RUN find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' + + +RUN set -xe; \ +# Check we own everything in /opt/couchdb. Matches the command in dockerfile_entrypoint.sh +find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +; \ +# Setup directories and permissions for config. Technically these could be 555 and 444 respectively +# but we keep them as 755 and 644 for consistency with CouchDB defaults and the dockerfile_entrypoint.sh. +find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +; \ +find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +; \ +# only local.d needs to be writable for the docker_entrypoint.sh +chmod -f 0777 /opt/couchdb/etc/local.d Review comment: ok - suggested change has been pushed This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
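Review bot: the last added line, `chmod -f 0777 /opt/couchdb/etc/local.d`, makes the config drop-in directory writable by every uid, not only the arbitrary uid this PR targets, so any process inside the container (or anything sharing an externally mounted /opt/couchdb/etc) can place or replace an .ini file that CouchDB will load. If the platform that assigns the arbitrary uid also supplies a predictable gid, `chgrp <gid> /opt/couchdb/etc/local.d; chmod 0775 /opt/couchdb/etc/local.d` gives the entrypoint the write access it needs without o+w; if world-writable has to stay, `chmod 1777` at least stops other uids deleting or swapping docker.ini. Worth a comment in the Dockerfile explaining why the directory is opened up either way.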
[GitHub] [couchdb-docker] willholley commented on a change in pull request #151: allow running as arbitrary uid
willholley commented on a change in pull request #151: allow running as arbitrary uid URL: https://github.com/apache/couchdb-docker/pull/151#discussion_r317974140 ## File path: 2.3.1/Dockerfile ## @@ -121,8 +121,17 @@ COPY docker-entrypoint.sh /usr/local/bin RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards compat ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"] -# Setup directories and permissions -RUN find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' + + +RUN set -xe; \ +# Check we own everything in /opt/couchdb. Matches the command in dockerfile_entrypoint.sh +find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +; \ +# Setup directories and permissions for config. Technically these could be 555 and 444 respectively +# but we keep them as 755 and 644 for consistency with CouchDB defaults and the dockerfile_entrypoint.sh. +find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +; \ +find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +; \ +# only local.d needs to be writable for the docker_entrypoint.sh +chmod -f 0777 /opt/couchdb/etc/local.d Review comment: thanks @tianon - I've pushed another commit which does this. @wohali @kocolosk probably best to have another quick review before merging. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
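Review bot: the two new comments name the entrypoint as `dockerfile_entrypoint.sh` and `docker_entrypoint.sh`, but the file copied two lines above this hunk is `docker-entrypoint.sh`; please use the real filename in both so the "matches the command in ..." cross-reference can actually be followed. The `set -xe` prefix is a good addition: without it a failing `find`/`chmod` in the chained command would be masked by the later ones succeeding.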
[GitHub] [couchdb-docker] willholley commented on a change in pull request #151: allow running as arbitrary uid
willholley commented on a change in pull request #151: allow running as arbitrary uid URL: https://github.com/apache/couchdb-docker/pull/151#discussion_r317274947 ## File path: 2.3.1/Dockerfile ## @@ -121,8 +121,13 @@ COPY docker-entrypoint.sh /usr/local/bin RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards compat ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"] -# Setup directories and permissions -RUN find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' + Review comment: Ok - I've added this line back at https://github.com/apache/couchdb-docker/pull/151/commits/f9a639120bda80e3b252b089cd50aa33483ed148#diff-ff57d65ca713e117d90559824747793aR127 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
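Review bot: dropping the build-time `RUN find /opt/couchdb ... -exec chown -f couchdb:couchdb` moves all ownership repair to the entrypoint, which in this PR only runs the chown when the container starts as uid 0; a container started directly as the couchdb user would then keep whatever root-owned files the package install left behind and fail on first write. Doing the chown once at build time also avoids walking the whole tree on every start. Restoring the line, as the linked follow-up commit does, is the right call.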
[GitHub] [couchdb-docker] willholley commented on a change in pull request #151: allow running as arbitrary uid
willholley commented on a change in pull request #151: allow running as arbitrary uid URL: https://github.com/apache/couchdb-docker/pull/151#discussion_r313784293 ## File path: 2.3.1/docker-entrypoint.sh ## 
@@ -25,36 +25,44 @@ if [ "$1" = 'couchdb' ]; then fi if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then - # Check that we own everything in /opt/couchdb and fix if necessary. We also - # add the `-f` flag in all the following invocations because there may be - # cases where some of these ownership and permissions issues are non-fatal - # (e.g. a config file owned by root with o+r is actually fine), and we don't - # to be too aggressive about crashing here ... - find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' + + # this is where runtime configuration changes will be written. + # we need to explicitly touch it here in case /opt/couchdb/etc has + # been mounted as an external volume, in which case it won't exist. + # If running as the couchdb user (i.e. container starts as root), + # write permissions will be granted below. + touch /opt/couchdb/etc/local.d/docker.ini + + # if user is root, assume running under the couchdb user (default) + # and ensure it is able to access files and directories that may be mounted externally + if [ "$(id -u)" = '0' ]; then + # Check that we own everything in /opt/couchdb and fix if necessary. We also + # add the `-f` flag in all the following invocations because there may be + # cases where some of these ownership and permissions issues are non-fatal + # (e.g. a config file owned by root with o+r is actually fine), and we don't + # to be too aggressive about crashing here ... + find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' + - # Ensure that data files have the correct permissions. We were previously - # preventing any access to these files outside of couchdb:couchdb, but it - # turns out that CouchDB itself does not set such restrictive permissions - # when it creates the files. The approach taken here ensures that the - # contents of the datadir have the same permissions as they had when they - # were initially created. 
This should minimize any startup delay. - find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' + - find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' + + # Ensure that data files have the correct permissions. We were previously Review comment: the existing Dockerfile uses a mix of tabs and spaces - what's the preferred option? :) This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
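Review bot: `touch /opt/couchdb/etc/local.d/docker.ini` now runs before the `id -u` check, so when the container starts as a non-root uid and local.d is not writable by that uid (for example an externally mounted /opt/couchdb/etc with its own ownership), the touch fails before any fix-up can happen and, under `set -e`, the only diagnostic is touch's one-line error. Suggest guarding the non-root path with an explicit check, e.g. `[ -w /opt/couchdb/etc/local.d ] || { echo "local.d not writable by uid $(id -u)" >&2; exit 1; }`, or moving the touch after the root-only chown so the root case cannot hit it. Separately, the comment copied into the new block still reads "and we don't to be too aggressive", missing "want".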
[GitHub] [couchdb-docker] willholley commented on a change in pull request #151: allow running as arbitrary uid
willholley commented on a change in pull request #151: allow running as arbitrary uid URL: https://github.com/apache/couchdb-docker/pull/151#discussion_r313782460 ## File path: 2.3.1/Dockerfile ## @@ -121,8 +121,13 @@ COPY docker-entrypoint.sh /usr/local/bin RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards compat ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"] -# Setup directories and permissions -RUN find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' + Review comment: I didn't notice any issue with startup times when testing but have added this line back for consistency. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services