From 399d20eae6ec4e7a7fda1afd0e8b1a11a2cb1714 Mon Sep 17 00:00:00 2001 From: Florent Poinsaut Date: Sun, 15 Apr 2018 22:28:05 +0200 Subject: [PATCH] use gosu to fix /data permissions errors --- support/doc/docker.md | 12 ----- support/docker/production/Dockerfile.stretch | 44 +++++++++++++++++-- .../docker/production/docker-entrypoint.sh | 16 +++++++ 3 files changed, 57 insertions(+), 15 deletions(-) create mode 100644 support/docker/production/docker-entrypoint.sh diff --git a/support/doc/docker.md b/support/doc/docker.md index 3d25d06c4..e0c03a1dc 100644 --- a/support/doc/docker.md +++ b/support/doc/docker.md @@ -50,18 +50,6 @@ balancer, although any HTTP reverse proxy will work fine. See the example Nginx configuration `support/nginx/peertube` file to get an idea of recommendations and requirements to run PeerTube the most efficiently. -When starting the containers for the first time, you will get permissions errors for the data volume, like this one: - -``` -Error: EACCES: permission denied, mkdir '/data/logs' -``` - -The peertube user inside the container has a UID and GID of 991 so you have to change the folder's owner, in the case you're using `./data`: - -``` -chown -R 991:991 data/ -``` - **Important**: note that you'll get the initial `root` user password from the program output, so check out your logs to find them. diff --git a/support/docker/production/Dockerfile.stretch b/support/docker/production/Dockerfile.stretch index b1905b3a8..bf2bae510 100644 --- a/support/docker/production/Dockerfile.stretch +++ b/support/docker/production/Dockerfile.stretch 
@@ -1,13 +1,45 @@ FROM node:8-stretch +RUN set -ex; \ + if ! command -v gpg > /dev/null; then \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + gnupg \ + dirmngr \ + ; \ + rm -rf /var/lib/apt/lists/*; \ +fi + # Install dependencies RUN apt-get update \ && apt-get -y install ffmpeg \ && rm /var/lib/apt/lists/* -fR # Add peertube user -RUN groupadd -g 991 peertube \ - && useradd -u 991 -g peertube -m peertube +RUN groupadd -r peertube \ + && useradd -r -g peertube -m peertube + +# grab gosu for easy step-down from root +# https://github.com/tianon/gosu/releases +ENV GOSU_VERSION 1.10 +RUN set -ex; \ + \ + fetchDeps='ca-certificates wget'; \ + apt-get update; \ + apt-get install -y --no-install-recommends $fetchDeps; \ + rm -rf /var/lib/apt/lists/*; \ + \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + chmod +x /usr/local/bin/gosu; \ + gosu nobody true; \ + \ + apt-get purge -y --auto-remove wget # Download the latest version RUN git clone https://github.com/Chocobozzz/PeerTube /app \ @@ -25,7 +57,13 @@ RUN cp /app/config/default.yaml /app/support/docker/production/config/default.ya ENV NODE_ENV production ENV NODE_CONFIG_DIR /app/support/docker/production/config +USER root +RUN mkdir /data && chown peertube:peertube /data +VOLUME /data + +COPY docker-entrypoint.sh /usr/local/bin/ +ENTRYPOINT ["docker-entrypoint.sh"] + # Run the application CMD ["npm", "start"] -VOLUME ["/data"] EXPOSE 9000 
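Review bot: The signing key for the gosu check is fetched at build time from one keyserver pool with no fallback and without `--batch`, in `gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4`. The full fingerprint is pinned, so a substituted key should not make `gpg --batch --verify` pass. An unreachable keyserver, however, aborts the whole `RUN` under `set -ex`, and the SKS pool has since been shut down. Committing the public key next to the Dockerfile and loading it with `gpg --batch --import` would remove the network dependency from the verification step. If the keyserver lookup stays, add `--batch` to the `--recv-keys` call and a comment naming whose key the fingerprint belongs to.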
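Review bot: `COPY docker-entrypoint.sh /usr/local/bin/` keeps the source file's mode, and this patch creates the script with `new file mode 100644`, so `ENTRYPOINT ["docker-entrypoint.sh"]` will most likely fail with a permission error at container start. Either commit the script as 100755 or add `RUN chmod +x /usr/local/bin/docker-entrypoint.sh` right after the `COPY`. A comment above `USER root` would also help, for example `# start as root on purpose: docker-entrypoint.sh fixes /data ownership and steps down to peertube via gosu`, since the image no longer drops privileges by itself.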
diff --git a/support/docker/production/docker-entrypoint.sh b/support/docker/production/docker-entrypoint.sh
new file mode 100644
index 000000000..79f0e60f6
--- /dev/null
+++ b/support/docker/production/docker-entrypoint.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+
+# first arg is `-f` or `--some-option`
+# or first arg is `something.conf`
+if [ "${1#-}" != "$1" ] || [ "${1%.conf}" != "$1" ]; then
+ set -- npm "$@"
+fi
+
+# allow the container to be started with `--user`
+if [ "$1" = 'npm' -a "$(id -u)" = '0' ]; then
+ chown -R peertube: /data
+ exec gosu peertube "$0" "$@"
+fi
+
+exec "$@"
--
2.25.1
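Review bot: The step-down to `peertube` only happens when `$1` is `npm`, so any other command handed to the container (a shell, `node …`) falls through to the final `exec "$@"` and runs as root, because the Dockerfile now sets `USER root`. If that is intended, say so above the last line, for example `# any command other than npm runs as the invoking user (root unless --user is given)`. Otherwise drop privileges for every command when `id -u` is 0. The test itself uses the obsolescent `-a` operator; `if [ "$1" = 'npm' ] && [ "$(id -u)" = '0' ]; then` matches the style of the first `if`. The `something.conf` branch looks carried over from another image's entrypoint, since it would produce `npm something.conf`; it may be worth removing.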