From 50142f65806ef80ab44ed3097312667aea276fd2 Mon Sep 17 00:00:00 2001 From: Pierre Prinetti Date: Sun, 1 Dec 2019 15:08:20 +0100 Subject: [PATCH] docker: Set the home directory for the user Before this change, the docker user had home in a directory it had no permissions on. The inability of creating a cache directory in `$HOME` prevented npm to work properly. Additionally, the `node_modules` in the base working directory had its owner set to root, preventing further changes. With this change, the `etherpad` user has a home directory. Additionally, `npm i` is now run by `etherpad` rather than the root user; this way, it is possible to dynamically change the `node_modules` content in day 2 operations. Note that while switching to the `useradd` builtin, a conflict was discovered with the GID 65534 that was previously used. This change is changing the `etherpad` user's UID to 5001 to avoid said conflict. As a consequence, a `chmod -R 5001:5001` must be run prior to attaching volumes created from previous Etherpad versions. --- Dockerfile | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2448ba93..50996126 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,9 +19,19 @@ ARG ETHERPAD_PLUGINS= # this can be done with build args (and is mandatory to build ARM version) ENV NODE_ENV=development +# Follow the principle of least privilege: run as unprivileged user. +# +# Running as non-root enables running this image in platforms like OpenShift +# that do not allow images running as root. +RUN useradd --uid 5001 --create-home etherpad + +RUN mkdir /opt/etherpad-lite && chown etherpad:etherpad /opt/etherpad-lite + +USER etherpad:etherpad + WORKDIR /opt/etherpad-lite -COPY ./ ./ +COPY --chown=etherpad:etherpad ./ ./ # install node dependencies for Etherpad RUN bin/installDeps.sh && \ @@ -34,18 +44,7 @@ RUN bin/installDeps.sh && \ RUN for PLUGIN_NAME in ${ETHERPAD_PLUGINS}; do npm install "${PLUGIN_NAME}"; done # Copy the configuration file. -COPY ./settings.json.docker /opt/etherpad-lite/settings.json - -# Follow the principle of least privilege: run as unprivileged user. -# -# Running as non-root enables running this image in platforms like OpenShift -# that do not allow images running as root. -RUN \ - echo 'etherpad:x:65534:65534:etherpad:/:' > /etc/passwd && \ - echo 'etherpad:x:65534:' > /etc/group && \ - chown -R etherpad:etherpad ./ - -USER etherpad:etherpad +COPY --chown=etherpad:etherpad ./settings.json.docker /opt/etherpad-lite/settings.json EXPOSE 9001 CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"]