Run frontend, svelte, backend with a non-root user

Merge branch 'unix-permissions' In dev mode, NextJs has a issue with file owners, see #1.
tacone · May 19, 2021 · 5a0ac17 · 5a0ac17
2 parents 094cdeb + e3967ae
commit 5a0ac17
Show file tree

Hide file tree

Showing 15 changed files with 178 additions and 42 deletions.
diff --git a/backend/.gmrc b/backend/.gmrc
@@ -99,6 +99,10 @@
        // NOTE: this script does nothing when envvar `IN_TESTS` is `1`
        "command": "node src/dump-db.js"
     },
+    {
+       "_": "command",
+       "command": "chmod +r migrations -R"
+    },
   ],
 
   /*

diff --git a/docker/backend/Dockerfile b/docker/backend/Dockerfile
@@ -1,20 +1,20 @@
 FROM node:16-alpine
 
-RUN apk add --no-cache postgresql-client
+RUN apk add --no-cache postgresql-client su-exec
 
 # copy the deps files, download and cache dependencies
 COPY ./backend/package.json ./backend/yarn.loc[k] /deps/
 
 WORKDIR /deps
 
-ARG BUILD_COMMAND
-ENV BUILD_COMMAND ${BUILD_COMMAND}
-RUN echo 'BUILD_COMMAND set to '${BUILD_COMMAND}
-
+# declare the NODE_ENV. This will invalidate the cache from now on if
+# NODE_ENV changes.
 ARG NODE_ENV
 ENV NODE_ENV ${NODE_ENV}
 RUN echo 'NODE_ENV set to '${NODE_ENV}
 
+ENV YARN_CACHE_FOLDER /usr/local/share/.cache/yarn
+
 RUN [ "$NODE_ENV" = 'production' ] && yarn --frozen-lockfile || echo "Skipping dependencies download during non-production build"
 
 # copy the application code
@@ -25,4 +25,14 @@ RUN [ "$NODE_ENV" = 'production' ] && mv -f package.json /app && mv -f yarn.lock
 
 WORKDIR /app
 
+ARG BUILD_COMMAND
+ENV BUILD_COMMAND ${BUILD_COMMAND}
+RUN echo 'BUILD_COMMAND set to '${BUILD_COMMAND}
+
 RUN if [ "$NODE_ENV" = 'production' ]; then $BUILD_COMMAND || echo 'Skipping export'; fi
+
+# 🔑
+ARG USER_ID
+RUN echo 'USER_ID set to ${USER_ID}'
+
+RUN adduser -S app -u ${USER_ID} || echo USER ${USER_ID} already exists.
diff --git a/docker/backend/docker-compose.dev.yml b/docker/backend/docker-compose.dev.yml
@@ -14,7 +14,9 @@ services:
 
     # 🌳
     environment:
-      - NODE_ENV=development
+      NODE_ENV: development
+      chown_app: /app/generated
+      chown_migrations: /app/migrations
 
     # 👻
     restart: "no"

diff --git a/docker/backend/docker-compose.yml b/docker/backend/docker-compose.yml
@@ -14,16 +14,23 @@ services:
       args:
         BUILD_COMMAND: yarn run build
 
-        # env variables needed by the build
+        # the UID we'll use to run the app, use 0 if you want root
+        USER_ID: ${USER_ID} # 🔑
+        # other env variables needed by the build
         NODE_ENV: production
 
+    # 🚪 a custom entrypoint to fix permissions
+    entrypoint: /entrypoint.sh # 🔑
+
     # 🌳
     environment:
-      - NODE_ENV=production
-      - DATABASE_URL=${POSTGRES_CONNECTION_URL}/${POSTGRES_DATABASE}
-      - SHADOW_DATABASE_URL=${POSTGRES_CONNECTION_URL}/${POSTGRES_DATABASE}_shadow
-      - ROOT_DATABASE_URL=${POSTGRES_CONNECTION_URL}/${POSTGRES_DATABASE}_root
-      - YARN_DISABLE_SELF_UPDATE_CHECK=true
+      NODE_ENV: production
+      DATABASE_URL: ${POSTGRES_CONNECTION_URL}/${POSTGRES_DATABASE}
+      SHADOW_DATABASE_URL: ${POSTGRES_CONNECTION_URL}/${POSTGRES_DATABASE}_shadow
+      ROOT_DATABASE_URL: ${POSTGRES_CONNECTION_URL}/${POSTGRES_DATABASE}_root
+      YARN_DISABLE_SELF_UPDATE_CHECK: "true"
+      USER_ID: ${USER_ID}
+      chown_tmp: /tmp
 
     # 🔗
     ports:
@@ -35,10 +42,23 @@ services:
     # 🛡️ make everything read-only except the volumes
     read_only: true
 
+    # always use root here, we'll change the user in the entrypoint
+    # to $USER_ID
+    # 🔑
+    user: "0"
+
     # 📂
     volumes:
-      - ./data/yarn:/usr/local/share/.cache/yarn/
+      # a custom entrypoint to fix permissions (depends on su-exec)
+      - ./scripts/bin/entrypoint.sh:/entrypoint.sh # 🔑
+
+      # make these directories writable
       - /tmp/survey/backend:/tmp
+
+      # share yarn cache folder with the other containers
+      - ./data/yarn-${USER_ID}:/usr/local/share/.cache/yarn
+
+      # utility scripts
       - ./scripts/bin/wait-port:/usr/local/bin/wait-port:ro
 
     # 🔧

diff --git a/docker/frontend/Dockerfile b/docker/frontend/Dockerfile
@@ -1,7 +1,9 @@
 FROM node:16-alpine
 
-# we need it to brotli compress the static export
-RUN apk add brotli
+# we need:
+# - brotli compress the static export
+# - su-exec to downgrade user permissions ( https://github.com/ncopa/su-exec )
+RUN apk add brotli su-exec
 
 # declare the NODE_ENV. This will invalidate the cache from now on if
 # NODE_ENV changes.
@@ -43,4 +45,10 @@ RUN echo 'BUILD_COMMAND set to '${BUILD_COMMAND}
 
 RUN if [ "$NODE_ENV" = 'production' ]; then sh -c "$BUILD_COMMAND"; else echo 'Skipping export'; fi
 
-RUN  if [ "$NODE_ENV" = 'production' ]; then cp /app/.next /next-build-files -Rp; fi
+RUN  if [ "$NODE_ENV" = 'production' ]; then cp /app/.next /build-files -Rp; fi
+
+# 🔑
+ARG USER_ID
+RUN echo 'USER_ID set to ${USER_ID}'
+
+RUN adduser -S app -u ${USER_ID} || echo USER ${USER_ID} already exists.
diff --git a/docker/frontend/docker-compose.dev.yml b/docker/frontend/docker-compose.dev.yml
@@ -14,7 +14,7 @@ services:
 
     # 🌳
     environment:
-      - NODE_ENV=development
+      NODE_ENV: development
 
     # 👻
     restart: "no"
@@ -27,4 +27,4 @@ services:
     # and download the depencencies there so they can be parsed
     # by the IDE
     # 🚀
-    command: sh -c "yarn && yarn run dev"
+    command: sh -c "yarn && whoami && yarn run dev"
diff --git a/docker/frontend/docker-compose.yml b/docker/frontend/docker-compose.yml
@@ -16,17 +16,27 @@ services:
           yarn run build
           && brotli-compress /app/.next/static
 
-        # env variables needed by the build
+        # the UID we'll use to run the app, use 0 if you want root
+        USER_ID: ${USER_ID} # 🔑
+        # other env variables needed by the build
         NODE_ENV: production
         NEXT_TELEMETRY_DISABLED: 1
         NEXT_PUBLIC_GRAPHQL_ENDPOINT: ${GRAPHQL_ENDPOINT}
 
+    # 🚪 a custom entrypoint to fix permissions
+    entrypoint: /entrypoint.sh # 🔑
+
     # 🌳
     environment:
-      - NODE_ENV=production
-      - NEXT_PUBLIC_GRAPHQL_ENDPOINT=${GRAPHQL_ENDPOINT}
-      - NEXT_TELEMETRY_DISABLED=1
-      - YARN_DISABLE_SELF_UPDATE_CHECK=true
+      NODE_ENV: production
+      NEXT_PUBLIC_GRAPHQL_ENDPOINT: ${GRAPHQL_ENDPOINT}
+      NEXT_TELEMETRY_DISABLED: 1
+      YARN_DISABLE_SELF_UPDATE_CHECK: "true"
+      USER_ID: ${USER_ID}
+      chown_yarn: /usr/local/share/.cache/yarn
+      chown_tmp: /tmp
+      chown_app: /app/.next
+      chown_static_files: /static
 
     # 🔗
     ports:
@@ -38,14 +48,22 @@ services:
     # 🛡️ make everything read-only except the volumes
     read_only: true
 
+    # always use root here, we'll change the user in the entrypoint
+    # to $USER_ID
+    # 🔑
+    user: "0"
+
     # 📂
     volumes:
+      # a custom entrypoint to fix permissions (depends on su-exec)
+      - ./scripts/bin/entrypoint.sh:/entrypoint.sh # 🔑
+
       # make these directories writable
       - ./data/next:/app/.next # so we can write in /app/.next
       - /tmp/survey/frontend:/tmp
 
       # share yarn cache folder with the other containers
-      - ./data/yarn:/usr/local/share/.cache/yarn/
+      - ./data/yarn-${USER_ID}:/usr/local/share/.cache/yarn
 
       # utility scripts
       - ./scripts/bin/install-files:/usr/local/bin/install-files:ro
@@ -62,7 +80,7 @@ services:
     # 🚀
     command: >-
       sh -c '
-      replace-files /next-build-files /app/.next
+      replace-files /build-files /app/.next
       && install-files /app/.next/static /static
       && yarn run start
       '

diff --git a/docker/svelte/Dockerfile b/docker/svelte/Dockerfile
@@ -1,7 +1,9 @@
 FROM node:16-alpine
 
-# we need it to brotli compress the static export
-RUN apk add brotli
+# we need:
+# - brotli compress the static export
+# - su-exec to downgrade user permissions ( https://github.com/ncopa/su-exec )
+RUN apk add brotli su-exec
 
 # declare the NODE_ENV. This will invalidate the cache from now on if
 # NODE_ENV changes.
@@ -14,6 +16,7 @@ RUN echo 'NODE_ENV set to '${NODE_ENV}
 # yarn.lock change
 COPY ./svelte/package.json ./svelte/yarn.loc[k] /deps/
 WORKDIR /deps
+
 # we do not download dependencies in dev, because we do it when bootstraping
 # docker-compose
 # (we need to use the dev deps because of https://github.com/sveltejs/sapper/issues/592)
@@ -39,3 +42,12 @@ ENV BUILD_COMMAND ${BUILD_COMMAND}
 RUN echo 'BUILD_COMMAND set to '${BUILD_COMMAND}
 
 RUN if [ "$NODE_ENV" = 'production' ]; then sh -c "$BUILD_COMMAND"; else echo 'Skipping export'; fi
+
+RUN  if [ "$NODE_ENV" = 'production' ]; then cp /app/.svelte-kit /build-files -Rp; fi
+
+# 🔑
+ARG USER_ID
+ENV USER_ID ${USER_ID}
+RUN echo 'USER_ID set to ${USER_ID}'
+
+RUN adduser -S app -u ${USER_ID} || echo USER ${USER_ID} already exists.
diff --git a/docker/svelte/docker-compose.dev.yml b/docker/svelte/docker-compose.dev.yml
@@ -14,7 +14,7 @@ services:
 
     # 🌳
     environment:
-      - NODE_ENV=development
+      NODE_ENV: development
 
     # 🔗
     ports:
@@ -32,4 +32,7 @@ services:
     # and download the depencencies there so they can be parsed
     # by the IDE
     # 🚀
-    command: sh -c "yarn && yarn run dev"
+    command: >-
+      sh -c "
+        yarn && yarn run dev
+      "
diff --git a/docker/svelte/docker-compose.yml b/docker/svelte/docker-compose.yml
@@ -16,15 +16,24 @@ services:
           yarn run build
           && brotli-compress /app/build/assets
 
-        # env variables needed by the build
+        # the UID we'll use to run the app, use 0 if you want root
+        USER_ID: ${USER_ID} # 🔑
+        # other env variables needed by the build
         NODE_ENV: production
         VITE_GRAPHQL_ENDPOINT: ${GRAPHQL_ENDPOINT}
 
+    # 🚪 a custom entrypoint to fix permissions
+    entrypoint: /entrypoint.sh # 🔑
+
     # 🌳
     environment:
-      - NODE_ENV=production
-      - VITE_GRAPHQL_ENDPOINT=${GRAPHQL_ENDPOINT}
-      - YARN_DISABLE_SELF_UPDATE_CHECK=true
+      NODE_ENV: production
+      VITE_GRAPHQL_ENDPOINT: ${GRAPHQL_ENDPOINT}
+      YARN_DISABLE_SELF_UPDATE_CHECK: "true"
+      chown_yarn: /usr/local/share/.cache/yarn
+      chown_tmp: /tmp
+      chown_app: /app/.svelte-kit
+      chown_static_files: /static-svelte
 
     # 🔗
     ports:
@@ -36,14 +45,22 @@ services:
     # 🛡️ make everything read-only except the volumes
     read_only: true
 
+    # always use root here, we'll change the user in the entrypoint
+    # to $USER_ID
+    # 🔑
+    user: "0"
+
     # 📂
     volumes:
+      # a custom entrypoint to fix permissions (depends on su-exec)
+      - ./scripts/bin/entrypoint.sh:/entrypoint.sh # 🔑
+
       # make these directories writable
       - ./data/svelte:/app/.svelte-kit
       - /tmp/survey/svelte:/tmp
 
       # share yarn cache folder with the other containers
-      - ./data/yarn:/usr/local/share/.cache/yarn/
+      - ./data/yarn-${USER_ID}:/usr/local/share/.cache/yarn
 
       # utility scripts
       - ./scripts/bin/install-files:/usr/local/bin/install-files:ro
@@ -60,8 +77,9 @@ services:
     # 🚀
     command: >-
       sh -c '
-        replace-files /build-files /app/.svelte-kit
-        install-files /app/build/assets /static-svelte && yarn run start
+        replace-files /build-files /app/.svelte-kit &&
+        install-files /app/build/assets /static-svelte &&
+        yarn run start
       '
 
 # 📂