From 2e29b61a815994b646dda204b975e1c8d7926b79 Mon Sep 17 00:00:00 2001
From: Manuel Kaufmann
Date: Mon, 1 Apr 2019 09:52:25 +0200
Subject: [PATCH] Run Docker container with a specific user.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Pass --user (`DOCKER_USER`) attribute when creating the container. This has no effect in production since we are using the same user and group than the one defined inside the Dockerfile image (docs:docs). Although, this allow us to avoid permissions conflicts when running the build with Docker locally (development) since we can pass our current user. That way, every file created/modified inside the container will be done using the current UID and GID defined by the developer. This can be done as, local_settings.py DOCKER_USER = f'{os.geteuid()}:{os.getegid()}' With this change, there is no need to re-build the Docker image used in production with our own custom `USER` instruction. https://docs.docker.com/engine/reference/run/#user
Co-authored-by: Raúl Cumplido
---
 readthedocs/doc_builder/environments.py | 1 +
 readthedocs/settings/base.py | 9 +++++++++
 2 files changed, 10 insertions(+)
diff --git a/readthedocs/doc_builder/environments.py b/readthedocs/doc_builder/environments.py
index 8a40d389885..30821c157c1 100644
--- a/readthedocs/doc_builder/environments.py
+++ b/readthedocs/doc_builder/environments.py
@@ -1025,6 +1025,7 @@ def create_container(self):
 host_config=self.get_container_host_config(),
 detach=True,
 environment=self.environment,
+ user=settings.DOCKER_USER,
 )
 client.start(container=self.container_id)
 except ConnectionError:
diff --git a/readthedocs/settings/base.py b/readthedocs/settings/base.py
index 3cf62523d59..8cde20a7c00 100644
--- a/readthedocs/settings/base.py
+++ b/readthedocs/settings/base.py
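Review bot: The new `user=settings.DOCKER_USER` argument in the `create_container` hunk of `readthedocs/doc_builder/environments.py` is passed through without any check, and the only handler visible in that hunk is `except ConnectionError:`. If the configured name does not exist in the image, Docker will presumably reject the container at create or start time with an API error rather than a connection error, so it is worth confirming that this path is reported as a build-environment failure. I would also add a comment above the argument, `# Overrides the image's USER instruction; build commands run as this account.` The body of `create_container` starts and ends outside the hunk, so any other handlers are not visible here.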
@@ -276,6 +276,15 @@ def USE_PROMOS(self): # noqa
 # Docker
 DOCKER_ENABLE = False
+
+ # User used to create the container.
+ # In production we use the same user than the one defined by the
+ # ``USER docs`` instruction inside the Dockerfile.
+ # In development, we can use the "UID:GID" of the current user running the
+ # instance to avoid file permissions issues.
+ # https://docs.docker.com/engine/reference/run/#user
+ DOCKER_USER = 'docs:docs'
+
 DOCKER_DEFAULT_IMAGE = 'readthedocs/build'
 DOCKER_DEFAULT_VERSION = 'latest'
 DOCKER_IMAGE = '{}:{}'.format(DOCKER_DEFAULT_IMAGE, DOCKER_DEFAULT_VERSION)
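Review bot: The comment above `DOCKER_USER` does not say that the value must stay a non-root account, although this setting now decides which identity the build commands run under inside the container. The development recipe from the commit message, `f'{os.geteuid()}:{os.getegid()}'`, evaluates to `0:0` when the instance is started as root, which would silently run builds as root in the container. I would extend the comment with `# Must be a non-root user that exists in DOCKER_IMAGE; never "root" or "0:0".` It is also worth noting there that a name such as `docs` is resolved inside the image, so a custom image selected through `DOCKER_IMAGE` needs that account.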