From 9cbd6d0223d0826ac3ff4e333bf33d112c38205f Mon Sep 17 00:00:00 2001 From: David Kennedy Date: Mon, 2 Dec 2024 12:42:45 -0500 Subject: [PATCH 1/5] node container permissions fixes --- src/docker-compose.yml | 1 + src/node.Dockerfile | 10 +++++++--- src/node_entrypoint.sh | 12 ++++++++++++ 3 files changed, 20 insertions(+), 3 deletions(-) create mode 100755 src/node_entrypoint.sh diff --git a/src/docker-compose.yml b/src/docker-compose.yml index 8cb2bd60f..f20aa61e4 100644 --- a/src/docker-compose.yml +++ b/src/docker-compose.yml @@ -85,6 +85,7 @@ services: volumes: - .:/app working_dir: /app + entrypoint: /app/node_entrypoint.sh stdin_open: true tty: true command: ./run_node_watch.sh diff --git a/src/node.Dockerfile b/src/node.Dockerfile index 0fcab7d92..b78a26d2d 100644 --- a/src/node.Dockerfile +++ b/src/node.Dockerfile @@ -1,9 +1,13 @@ FROM docker.io/cimg/node:current-browsers WORKDIR /app +# Install gosu +USER root +RUN apt-get update && \ + apt-get install -y gosu && \ + rm -rf /var/lib/apt/lists/* + # Install app dependencies # A wildcard is used to ensure both package.json AND package-lock.json are copied # where available (npm@5+) -COPY --chown=circleci:circleci package*.json ./ - -RUN npm install \ No newline at end of file +COPY --chown=circleci:circleci package*.json ./ \ No newline at end of file diff --git a/src/node_entrypoint.sh b/src/node_entrypoint.sh new file mode 100755 index 000000000..ba3b9791d --- /dev/null +++ b/src/node_entrypoint.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +# Get UID and GID of the /app directory owner +HOST_UID=$(stat -c '%u' /app) +HOST_GID=$(stat -c '%g' /app) + +# Update circleci user's UID and GID to match the host +echo "Updating circleci user and group to match host UID:GID ($HOST_UID:$HOST_GID)" +sudo groupmod -g "$HOST_GID" circleci +sudo usermod -u "$HOST_UID" circleci + +exec gosu circleci "$@" From ad998246caf93940e36706297dd9d458fa9dce7f Mon Sep 17 00:00:00 2001 
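Review bot: The added `entrypoint: /app/node_entrypoint.sh` resolves inside the `.:/app` bind mount, so the script that remaps the user is read from the host checkout at container start, not from the built image. Together with the `USER root` this patch adds to node.Dockerfile, whatever that file contains on the host runs as root in the container. Consider baking it into the image, e.g. `COPY --chmod=755 node_entrypoint.sh /usr/local/bin/node_entrypoint.sh` with `entrypoint: /usr/local/bin/node_entrypoint.sh`, so the privileged step is fixed at build time. The service definition starts outside this hunk, so confirm it builds from node.Dockerfile.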
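Review bot: `USER root` is set and never switched back, so root becomes the image's default user and the drop to circleci depends entirely on the compose entrypoint. A `docker compose exec`, or a run with the entrypoint overridden, would start as root with the host source tree mounted at /app. State the contract next to the instruction, e.g. `# Entrypoint needs root to remap circleci's UID/GID; it must drop to circleci before running the command`. The install line would also pull less into the image as `apt-get install -y --no-install-recommends gosu`.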
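Review bot: `groupmod` and `usermod` run unchecked on IDs read from the bind-mounted /app, so when that directory is owned by UID/GID 0 or by an ID already assigned in the container they would normally fail and the script carries on as if the remap had worked. Fail closed instead: `groupmod -g "$HOST_GID" circleci || exit 1` and `usermod -u "$HOST_UID" circleci || exit 1`, or `set -e` right after the shebang. The same unchecked calls remain in the node_entrypoint.sh hunks of patches 4/5 and 5/5, where `chown -R circleci:circleci /app` follows them. There a failed remap would re-own the host tree to circleci's original UID.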
From: David Kennedy Date: Mon, 2 Dec 2024 13:37:35 -0500 Subject: [PATCH 2/5] updated comments --- src/node.Dockerfile | 2 +- src/node_entrypoint.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/node.Dockerfile b/src/node.Dockerfile index b78a26d2d..5db6648df 100644 --- a/src/node.Dockerfile +++ b/src/node.Dockerfile @@ -1,7 +1,7 @@ FROM docker.io/cimg/node:current-browsers WORKDIR /app -# Install gosu +# Install gosu to run command as a specific user, circleci. Clean up lists. USER root RUN apt-get update && \ apt-get install -y gosu && \ diff --git a/src/node_entrypoint.sh b/src/node_entrypoint.sh index ba3b9791d..0eb160f0a 100755 --- a/src/node_entrypoint.sh +++ b/src/node_entrypoint.sh @@ -9,4 +9,5 @@ echo "Updating circleci user and group to match host UID:GID ($HOST_UID:$HOST_GI sudo groupmod -g "$HOST_GID" circleci sudo usermod -u "$HOST_UID" circleci +# Run command as circleci user. Note that command, run_node_watch.sh, is passed as arg to entrypoint exec gosu circleci "$@" From 07b76fe002915752f1c001fc38bbeee8c44604d1 Mon Sep 17 00:00:00 2001 From: David Kennedy Date: Wed, 4 Dec 2024 20:08:58 -0500 Subject: [PATCH 3/5] testing permissions on node --- src/node_entrypoint.sh | 3 +++ src/run_node_watch.sh | 2 ++ 2 files changed, 5 insertions(+) diff --git a/src/node_entrypoint.sh b/src/node_entrypoint.sh index 0eb160f0a..2d0c584b7 100755 --- a/src/node_entrypoint.sh +++ b/src/node_entrypoint.sh @@ -1,5 +1,8 @@ #!/bin/bash +echo "In node_entrypoint.sh" +whoami + # Get UID and GID of the /app directory owner HOST_UID=$(stat -c '%u' /app) HOST_GID=$(stat -c '%g' /app) diff --git a/src/run_node_watch.sh b/src/run_node_watch.sh index c45aa72f1..04bf58a6d 100755 --- a/src/run_node_watch.sh +++ b/src/run_node_watch.sh @@ -1,4 +1,6 @@ #!/bin/bash +echo "In run_node_watch.sh" +whoami npm install npm rebuild dir=./registrar/assets From c3a3fd282ae2792083e6b91a0e3f357a9b567b0a Mon Sep 17 00:00:00 2001 
From: David Kennedy Date: Wed, 4 Dec 2024 21:00:40 -0500 Subject: [PATCH 4/5] removed gosu and sudo dependencies --- src/node.Dockerfile | 4 ---- src/node_entrypoint.sh | 13 +++++++------ src/run_node_watch.sh | 3 +-- 3 files changed, 8 insertions(+), 12 deletions(-) diff --git a/src/node.Dockerfile b/src/node.Dockerfile index 5db6648df..3e4f5d1ba 100644 --- a/src/node.Dockerfile +++ b/src/node.Dockerfile @@ -1,11 +1,7 @@ FROM docker.io/cimg/node:current-browsers WORKDIR /app -# Install gosu to run command as a specific user, circleci. Clean up lists. USER root -RUN apt-get update && \ - apt-get install -y gosu && \ - rm -rf /var/lib/apt/lists/* # Install app dependencies # A wildcard is used to ensure both package.json AND package-lock.json are copied diff --git a/src/node_entrypoint.sh b/src/node_entrypoint.sh index 2d0c584b7..7e9173908 100755 --- a/src/node_entrypoint.sh +++ b/src/node_entrypoint.sh @@ -1,16 +1,17 @@ #!/bin/bash -echo "In node_entrypoint.sh" -whoami - # Get UID and GID of the /app directory owner HOST_UID=$(stat -c '%u' /app) HOST_GID=$(stat -c '%g' /app) # Update circleci user's UID and GID to match the host echo "Updating circleci user and group to match host UID:GID ($HOST_UID:$HOST_GID)" -sudo groupmod -g "$HOST_GID" circleci -sudo usermod -u "$HOST_UID" circleci +groupmod -g "$HOST_GID" circleci +usermod -u "$HOST_UID" circleci + +echo "Updating ownership of /app recursively to circleci:circleci" +chown -R circleci:circleci /app # Run command as circleci user. Note that command, run_node_watch.sh, is passed as arg to entrypoint -exec gosu circleci "$@" +echo "Switching to circleci user and running command: $@" +su -s /bin/bash -c "$*" circleci diff --git a/src/run_node_watch.sh b/src/run_node_watch.sh index 04bf58a6d..c5afe0727 100755 --- a/src/run_node_watch.sh +++ b/src/run_node_watch.sh @@ -1,6 +1,5 @@ #!/bin/bash -echo "In run_node_watch.sh" -whoami + npm install npm rebuild dir=./registrar/assets 
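Review bot: `su -s /bin/bash -c "$*" circleci` flattens the argument list into one string that bash parses a second time, so an argument containing spaces or shell metacharacters is split or interpreted instead of being passed through as the removed `exec gosu circleci "$@"` did. Without `exec`, the entrypoint shell also stays as PID 1 and the command runs as a descendant of `su`, which can change how a stop signal reaches it. An argv-preserving alternative that needs no extra package, if the image ships util-linux's setpriv, is `exec setpriv --reuid=circleci --regid=circleci --init-groups "$@"`; it does not reset HOME, so export that if npm relies on it. The `echo` above it should use `$*`, since `$@` inside a quoted string expands to several words. The same `su` line is carried into patch 5/5.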
From 3f062a96e858cbd5747cde301ae5395420a28550 Mon Sep 17 00:00:00 2001 From: David Kennedy Date: Thu, 5 Dec 2024 07:01:36 -0500 Subject: [PATCH 5/5] updated to execute properly in github actions --- src/node_entrypoint.sh | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/src/node_entrypoint.sh b/src/node_entrypoint.sh index 7e9173908..113e51c30 100755 --- a/src/node_entrypoint.sh +++ b/src/node_entrypoint.sh @@ -4,14 +4,21 @@ HOST_UID=$(stat -c '%u' /app) HOST_GID=$(stat -c '%g' /app) -# Update circleci user's UID and GID to match the host -echo "Updating circleci user and group to match host UID:GID ($HOST_UID:$HOST_GID)" -groupmod -g "$HOST_GID" circleci -usermod -u "$HOST_UID" circleci +# Check if the circleci user exists +if id "circleci" &>/dev/null; then + echo "circleci user exists. Updating UID and GID to match host UID:GID ($HOST_UID:$HOST_GID)" -echo "Updating ownership of /app recursively to circleci:circleci" -chown -R circleci:circleci /app + # Update circleci user's UID and GID + groupmod -g "$HOST_GID" circleci + usermod -u "$HOST_UID" circleci -# Run command as circleci user. Note that command, run_node_watch.sh, is passed as arg to entrypoint -echo "Switching to circleci user and running command: $@" -su -s /bin/bash -c "$*" circleci + echo "Updating ownership of /app recursively to circleci:circleci" + chown -R circleci:circleci /app + + # Switch to circleci user and execute the command + echo "Switching to circleci user and running command: $@" + su -s /bin/bash -c "$*" circleci +else + echo "circleci user does not exist. Running command as the current user." + exec "$@" +fi
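Review bot: The `else` branch falls through to `exec "$@"` as whatever user the container started with. For an image built from node.Dockerfile, which ends on `USER root`, that is root, so a missing circleci account silently turns the privilege drop into a root run. If that is intended for GitHub Actions, document it and log the effective user, e.g. `echo "circleci user not found; running as $(id -un) (uid $(id -u))" >&2`; otherwise exit non-zero. The two paths also differ in process handling: the fallback is `exec`ed while the `su` branch is not, so only the fallback replaces the entrypoint shell as PID 1.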