From 3c96b09ae7de09fa10a0d012d24898363cf505f3 Mon Sep 17 00:00:00 2001
From: kpcyrd
Date: Fri, 3 Mar 2017 21:10:02 +0100
Subject: [PATCH] docker: Automatically fix permissions

This patch is delaying the point where permissions are dropped into the `start_ipfs` script. This way, instead of exiting on permission issues, we can fix them on our own inside the script, then drop privileges and continue doing ipfs specific stuff with the correct user. I've removed the `chmod 0777` step from the readme since it's not needed anymore.

License: MIT
Signed-off-by: kpcyrd
---
 Dockerfile | 29 +++++++++--------------------
 Dockerfile.fast | 13 ++++++-------
 README.md | 5 -----
 bin/container_daemon | 14 ++++++++------
 4 files changed, 23 insertions(+), 38 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 42c4561d259..3507e0530ea 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,10 +13,6 @@ EXPOSE 4002/udp
 EXPOSE 5001
 EXPOSE 8080
 
-# Volume for mounting an IPFS fs-repo
-# This is moved to the bottom for technical reasons.
-#VOLUME $IPFS_PATH
-
 # IPFS API to use for fetching gx packages.
 # This can be a gateway too, since its read-only API provides all gx needs.
 # - e.g. /ip4/172.17.0.1/tcp/8080 if the Docker host
@@ -33,14 +29,17 @@ ENV GOPATH /go
 ENV PATH /go/bin:$PATH
 ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs
 
+# Expose the fs-repo as a volume.
+# start_ipfs initializes an fs-repo if none is mounted
+VOLUME $IPFS_PATH
+
 # Get the go-ipfs sourcecode
 COPY . $SRC_PATH
 
-RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
- # Setup user and fs-repo directory
- && mkdir -p $IPFS_PATH \
+RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
+ && apk add --no-cache tini su-exec bash wget ca-certificates \
+ # Setup user
  && adduser -D -h $IPFS_PATH -u 1000 ipfs \
- && chown ipfs:ipfs $IPFS_PATH && chmod 755 $IPFS_PATH \
  # Install gx
  && go get -u github.com/whyrusleeping/gx \
  && go get -u github.com/whyrusleeping/gx-go \
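Review bot: `VOLUME $IPFS_PATH` now precedes the RUN in which `adduser -D -h $IPFS_PATH` creates the directory and in which, further down this file (outside the hunk, but visible as context in the Dockerfile.fast hunk at `@@ -28,10 +30,9`), `$IPFS_PATH/api` is written, yet the removed comment's reason for putting VOLUME last (ownership set during the build is not kept for a declared volume path) is dropped rather than restated. Docker documents that changes made under a declared volume path in later build steps are discarded, so whether the gx `api` workaround still reaches a later RUN depends, I believe, on the builder in use (the legacy builder mounts an anonymous volume for each RUN after VOLUME, BuildKit does not); the new comment should say that start_ipfs repairs ownership at runtime for exactly this reason, e.g. `# Declared before adduser on purpose: ownership set during the build is not kept for a volume path, start_ipfs chowns it on first start`. The `apk add --no-cache tini su-exec bash wget ca-certificates` line pins nothing, as before, but tini and su-exec now sit on the privilege boundary, so pinning them (`tini=<version>`, `su-exec=<version>`) would make the image reproducible; the Dockerfile.fast hunk at `@@ -28,10 +30,9` has the same line.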
@@ -58,22 +57,12 @@ RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
  && cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
  && chmod 755 /usr/local/bin/start_ipfs \
  # Remove all build-time dependencies
- && apk del --purge musl-dev gcc go git && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
-
-# Call uid 1000 "ipfs"
-USER ipfs
-
-# Expose the fs-repo as a volume.
-# We're doing this down here (and not at the top),
-# so that the overlay directory is owned by the ipfs user.
-# start_ipfs initializes an ephemeral fs-repo if none is mounted,
-# which is why uid=1000 needs write permissions there.
-VOLUME $IPFS_PATH
+ && apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
 
 # This just makes sure that:
 # 1. There's an fs-repo, and initializes one if there isn't.
 # 2. The API and Gateway are accessible from outside the container.
-ENTRYPOINT ["/usr/local/bin/start_ipfs"]
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]
 
 # Execute the daemon subcommand by default
 CMD ["daemon", "--migrate=true"]
diff --git a/Dockerfile.fast b/Dockerfile.fast
index b10568ad60b..ea659354484 100644
--- a/Dockerfile.fast
+++ b/Dockerfile.fast
@@ -19,6 +19,8 @@ ENV GOPATH /go
 ENV PATH /go/bin:$PATH
 ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs
 
+VOLUME $IPFS_PATH
+
 # This is an optimization which avoids rebuilding
 # of the gx dependencies every time anything changes.
 # gx will only be invoked if the dependencies have changed.
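Review bot: With `USER ipfs` deleted and nothing put in its place, the final image runs as root by default; only what passes through `start_ipfs` drops to uid 1000, so tini itself, a `--entrypoint` override and `docker exec` all stay root, and the comment above ENTRYPOINT should state that, e.g. add `# 3. Privileges are dropped to uid 1000 (ipfs) once the fs-repo is writable; the image deliberately has no USER.` The Dockerfile.fast hunk at `@@ -48,9 +49,7` makes the same change and needs the same comment. Start-up now presumably also relies on the chown and setuid/setgid capabilities in the container's default set, so an image started with `--user` or a reduced capability set skips or breaks the repair step; that is worth a sentence in the README next to the `docker run` example.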
@@ -28,10 +30,9 @@ ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs
 # and trigger a re-run of all following commands.
 COPY ./package.json $SRC_PATH/package.json
 
-RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
- && mkdir -p $IPFS_PATH \
+RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
+ && apk add --no-cache tini su-exec bash wget ca-certificates \
  && adduser -D -h $IPFS_PATH -u 1000 ipfs \
- && chown ipfs:ipfs $IPFS_PATH && chmod 755 $IPFS_PATH \
  && go get -u github.com/whyrusleeping/gx \
  && go get -u github.com/whyrusleeping/gx-go \
  && ([ -z "$GX_IPFS" ] || echo $GX_IPFS > $IPFS_PATH/api) \
@@ -48,9 +49,7 @@ RUN cd $SRC_PATH \
  && cp ipfs /usr/local/bin/ipfs \
  && cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
  && chmod 755 /usr/local/bin/start_ipfs \
- && apk del --purge musl-dev gcc go git && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
+ && apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
 
-USER ipfs
-VOLUME $IPFS_PATH
-ENTRYPOINT ["/usr/local/bin/start_ipfs"]
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]
 CMD ["daemon", "--migrate=true"]
diff --git a/README.md b/README.md
index 4516c211471..affbbd0d64b 100644
--- a/README.md
+++ b/README.md
@@ -237,11 +237,6 @@ IPFS files that will persist when you restart the container.
 export ipfs_staging=
 export ipfs_data=
 
-Make sure docker can access these folders:
-
- sudo chmod -R 777 /absolute/path/to/somewhere/
- sudo chmod -R 777 /absolute/path/to/somewhere_else/
-
 Start a container running ipfs and expose ports 4001, 5001 and 8080:
 
 docker run -d --name ipfs_host -v $ipfs_staging:/export -v $ipfs_data:/data/ipfs -p 8080:8080 -p 4001:4001 -p 5001:5001 ipfs/go-ipfs:latest
diff --git a/bin/container_daemon b/bin/container_daemon
index 8cf8ec422b8..04d1a9a4270 100644
--- a/bin/container_daemon
+++ b/bin/container_daemon
@@ -1,14 +1,16 @@
 #!/bin/sh
-
-user=$(whoami)
+set -e
+user=ipfs
 repo="$IPFS_PATH"
 
-# Test whether the mounted directory is writable for us
-if [ ! -w "$repo" 2>/dev/null ]; then
- echo "error: $repo is not writable for user $user (uid=$(id -u $user))"
- exit 1
+if [ `id -u` -eq 0 ]; then
+ # ensure folder is writable
+ su-exec "$user" test -w "$repo" || chown -R -- "$user" "$repo"
+ # restart script with new privileges
+ exec su-exec "$user" "$0" "$@"
 fi
 
+# 2nd invocation with regular user
 ipfs version
 
 if [ -e "$repo/config" ]; then
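Review bot: The writability check now exists only on the root branch, so a container started with `--user` (any uid other than 0) skips it entirely and the explicit "not writable" error the removed lines printed is gone; after the `fi`, keep a guard for that path, e.g. `[ -w "$repo" ] || { echo "error: $repo is not writable for uid $(id -u)" >&2; exit 1; }`. On the root branch, `chown -R -- "$user" "$repo"` rewrites ownership of the whole tree under `$repo`, which, if `IPFS_PATH` is the `/data/ipfs` the README mounts `$ipfs_data` on, is a bind-mounted host directory, so it deserves a comment such as `# first start as root: take over a repo uid 1000 cannot write (usually a host bind mount), then re-exec as ipfs` and a sentence in the README where the chmod advice was removed. That guard also tests only the repo root, so a repo whose top directory is writable but whose contents belong to another uid passes `test -w "$repo"` and fails later inside ipfs; testing `"$repo/config"` as well when it exists would cover the common case. The backtick command substitution in the `if` test is better written `$(id -u)`, the form the removed line already used. The `if [ -e "$repo/config" ]` block opened on the hunk's last line continues outside the hunk.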