diff --git a/Dockerfile b/Dockerfile
index 42c4561d259..3507e0530ea 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,10 +13,6 @@ EXPOSE 4002/udp
 EXPOSE 5001
 EXPOSE 8080
 
-# Volume for mounting an IPFS fs-repo
-# This is moved to the bottom for technical reasons.
-#VOLUME $IPFS_PATH
-
 # IPFS API to use for fetching gx packages.
 # This can be a gateway too, since its read-only API provides all gx needs.
 # - e.g. /ip4/172.17.0.1/tcp/8080 if the Docker host
@@ -33,14 +29,17 @@ ENV GOPATH /go
 ENV PATH /go/bin:$PATH
 ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs
 
+# Expose the fs-repo as a volume.
+# start_ipfs initializes an fs-repo if none is mounted
+VOLUME $IPFS_PATH
+
 # Get the go-ipfs sourcecode
 COPY . $SRC_PATH
 
-RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
- # Setup user and fs-repo directory
- && mkdir -p $IPFS_PATH \
+RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
+ && apk add --no-cache tini su-exec bash wget ca-certificates \
+ # Setup user
 && adduser -D -h $IPFS_PATH -u 1000 ipfs \
- && chown ipfs:ipfs $IPFS_PATH && chmod 755 $IPFS_PATH \
 # Install gx
 && go get -u github.com/whyrusleeping/gx \
 && go get -u github.com/whyrusleeping/gx-go \
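Review bot: `VOLUME $IPFS_PATH` now sits above the `RUN` that creates the ipfs user with `adduser -D -h $IPFS_PATH`, and the Dockerfile reference warns that, at least with the classic builder, build steps that change a volume's contents after its declaration have those changes discarded. With `mkdir`/`chown` also dropped, the repo directory's ownership in the image is no longer something the build guarantees, and correctness rests on the runtime `chown -R` in `start_ipfs`; Dockerfile.fast gets the same ordering, where `echo $GX_IPFS > $IPFS_PATH/api` is likewise written after the declaration. If that is the intent, the comment should say so, e.g. `# Declared early on purpose: start_ipfs fixes ownership of the repo at start-up, the build does not.`; otherwise keep `VOLUME` below the last `RUN`. The `RUN` instruction continues past the end of this hunk.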
@@ -58,22 +57,12 @@ RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
 && cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
 && chmod 755 /usr/local/bin/start_ipfs \
 # Remove all build-time dependencies
- && apk del --purge musl-dev gcc go git && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
-
-# Call uid 1000 "ipfs"
-USER ipfs
-
-# Expose the fs-repo as a volume.
-# We're doing this down here (and not at the top),
-# so that the overlay directory is owned by the ipfs user.
-# start_ipfs initializes an ephemeral fs-repo if none is mounted,
-# which is why uid=1000 needs write permissions there.
-VOLUME $IPFS_PATH
+ && apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
 
 # This just makes sure that:
 # 1. There's an fs-repo, and initializes one if there isn't.
 # 2. The API and Gateway are accessible from outside the container.
-ENTRYPOINT ["/usr/local/bin/start_ipfs"]
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]
 
 # Execute the daemon subcommand by default
 CMD ["daemon", "--migrate=true"]
diff --git a/Dockerfile.fast b/Dockerfile.fast
index b10568ad60b..ea659354484 100644
--- a/Dockerfile.fast
+++ b/Dockerfile.fast
@@ -19,6 +19,8 @@ ENV GOPATH /go
 ENV PATH /go/bin:$PATH
 ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs
 
+VOLUME $IPFS_PATH
+
 # This is an optimization which avoids rebuilding
 # of the gx dependencies every time anything changes.
 # gx will only be invoked if the dependencies have changed.
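Review bot: In Dockerfile, dropping `USER ipfs` makes root the image's default user, so the only privilege drop is the `su-exec` call inside `start_ipfs`; a process started outside that entrypoint (`docker exec`, an overridden `--entrypoint`) runs as root, and a runtime policy that requires a non-root image user would presumably refuse the image. Dockerfile.fast makes the same change in its last hunk. A comment above `ENTRYPOINT` should record that this is deliberate, for example `# Runs as root only long enough for start_ipfs to fix repo ownership, then drops to the ipfs user via su-exec.`. The `RUN` instruction that this hunk closes starts outside the hunk.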
@@ -28,10 +30,9 @@ ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs
 # and trigger a re-run of all following commands.
 COPY ./package.json $SRC_PATH/package.json
 
-RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
- && mkdir -p $IPFS_PATH \
+RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
+ && apk add --no-cache tini su-exec bash wget ca-certificates \
 && adduser -D -h $IPFS_PATH -u 1000 ipfs \
- && chown ipfs:ipfs $IPFS_PATH && chmod 755 $IPFS_PATH \
 && go get -u github.com/whyrusleeping/gx \
 && go get -u github.com/whyrusleeping/gx-go \
 && ([ -z "$GX_IPFS" ] || echo $GX_IPFS > $IPFS_PATH/api) \
@@ -48,9 +49,7 @@ RUN cd $SRC_PATH \
 && cp ipfs /usr/local/bin/ipfs \
 && cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
 && chmod 755 /usr/local/bin/start_ipfs \
- && apk del --purge musl-dev gcc go git && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
+ && apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
 
-USER ipfs
-VOLUME $IPFS_PATH
-ENTRYPOINT ["/usr/local/bin/start_ipfs"]
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]
 CMD ["daemon", "--migrate=true"]
diff --git a/README.md b/README.md
index 4516c211471..affbbd0d64b 100644
--- a/README.md
+++ b/README.md
@@ -237,11 +237,6 @@ IPFS files that will persist when you restart the container.
 export ipfs_staging=
 export ipfs_data=
 
-Make sure docker can access these folders:
-
- sudo chmod -R 777 /absolute/path/to/somewhere/
- sudo chmod -R 777 /absolute/path/to/somewhere_else/
-
 Start a container running ipfs and expose ports 4001, 5001 and 8080:
 
 docker run -d --name ipfs_host -v $ipfs_staging:/export -v $ipfs_data:/data/ipfs -p 8080:8080 -p 4001:4001 -p 5001:5001 ipfs/go-ipfs:latest
diff --git a/bin/container_daemon b/bin/container_daemon
index 8cf8ec422b8..04d1a9a4270 100644
--- a/bin/container_daemon
+++ b/bin/container_daemon
@@ -1,14 +1,16 @@
 #!/bin/sh
-
-user=$(whoami)
+set -e
+user=ipfs
 repo="$IPFS_PATH"
 
-# Test whether the mounted directory is writable for us
-if [ ! -w "$repo" 2>/dev/null ]; then
- echo "error: $repo is not writable for user $user (uid=$(id -u $user))"
- exit 1
+if [ `id -u` -eq 0 ]; then
+ # ensure folder is writable
+ su-exec "$user" test -w "$repo" || chown -R -- "$user" "$repo"
+ # restart script with new privileges
+ exec su-exec "$user" "$0" "$@"
 fi
 
+# 2nd invocation with regular user
 ipfs version
 
 if [ -e "$repo/config" ]; then
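Review bot: When the container is started as a non-root user (for example with `--user`), the `id -u` branch is skipped and nothing checks that `$repo` is writable any more, so the removed error message is replaced by whatever failure the later repo initialisation produces; a check after `fi`, such as `[ -w "$repo" ] || { echo "error: $repo is not writable for uid $(id -u)" >&2; exit 1; }`, would keep the diagnosis. In the root branch only the top-level directory is tested, yet `chown -R` then rewrites ownership of the whole tree, which is typically a host bind mount; depending on the chown implementation, symlinks stored in the repo may be dereferenced, so `chown -R -h -- "$user" "$repo"` is the safer form, and the comment should state that host ownership is changed to the ipfs uid. Quoting the test as `[ "$(id -u)" -eq 0 ]` would also match the quoting used on the other new lines. The script continues past the end of this hunk.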