Run most docker commands as nonroot

Author: santiagolizardo

Makefile

@@ -9,6 +9,9 @@ MAKEFLAGS += --no-builtin-rules
 
 DB_CONTAINER=rmap-mysql
 
+HOST_UID=$(shell id -u)
+HOST_GID=$(shell id -g)
+
 DOCKER_IMAGE_NAME = quay.io/reconmap/rest-api
 DOCKER_DEFAULT_TAG = $(DOCKER_IMAGE_NAME)
 
@@ -22,13 +25,17 @@ endif
 prepare-config:
 	[ -f config.json ] || cp config-template.json config.json
 
+.PHONY: prepare-dirs
+prepare-dirs:
+	mkdir -p vendor logs data-mysql data-redis
+
 .PHONY: prepare
-prepare: prepare-config build
-	docker-compose run --rm -w /var/www/webapp --entrypoint composer api install
+prepare: prepare-config prepare-dirs build
+	docker-compose run --rm --user reconmapper -w /var/www/webapp --entrypoint composer api install
 
 .PHONY: build
 build:
-	docker-compose build --no-cache
+	docker-compose build --no-cache --build-arg HOST_UID=$(HOST_UID) --build-arg HOST_GID=$(HOST_GID)
 
 .PHONY: tests
 tests: start validate

docker/api/Dockerfile

@@ -1,9 +1,14 @@
 FROM debian:bookworm-slim
 
 ARG PHP_VERSION=8.3
-
 ARG DEBIAN_FRONTEND=noninteractive
 
+ARG HOST_UID
+ARG HOST_GID
+
+RUN groupadd -g ${HOST_GID} reconmappers && \
+    useradd -u ${HOST_UID} -g ${HOST_GID} -m -s /bin/bash reconmapper
+
 RUN apt-get update && apt-get upgrade -y --fix-missing
 RUN apt-get install -y wget unzip lsb-release
 RUN wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
@@ -21,7 +26,7 @@ RUN wget --no-verbose https://getcomposer.org/installer -O - -q | php -- --insta
 
 RUN apt-get install -y cron
 COPY docker/api/crontab.txt /tmp/crontab
-RUN crontab /tmp/crontab && rm /tmp/crontab
+RUN crontab -u reconmapper /tmp/crontab && rm /tmp/crontab
 
 RUN sed -i "s/;clear_env = no/clear_env = no/" /etc/php/${PHP_VERSION}/fpm/pool.d/www.conf
 RUN rm /etc/nginx/sites-enabled/default
@@ -30,13 +35,15 @@ COPY docker/api/nginx/sites-enabled/* /etc/nginx/sites-enabled/
 RUN sed -i 's/upload_max_filesize = [[:digit:]]\+M/upload_max_filesize = 20M/' /etc/php/${PHP_VERSION}/fpm/php.ini
 RUN sed -i 's/post_max_size = [[:digit:]]\+M/post_max_size = 28M/' /etc/php/${PHP_VERSION}/fpm/php.ini
 
+RUN mkdir -p /var/www/webapp /var/www/webapp/data/vendor /var/www/webapp/data/attachments /var/www/webapp/logs && \
+    chown -R reconmapper:reconmappers /var/www/webapp
+
+RUN chmod -R a+w /var/www/webapp/logs
+
 WORKDIR /var/www/webapp
-COPY composer.json /var/www/webapp
-COPY composer.lock /var/www/webapp
-RUN composer install --no-ansi --no-dev --no-interaction --no-plugins --no-progress --no-scripts --optimize-autoloader
 
-RUN mkdir -p data/attachments && chown www-data data/attachments
-RUN mkdir logs && chown www-data logs && chmod a+w logs
+COPY composer.json composer.lock /var/www/webapp/
+RUN composer install --no-ansi --no-dev --no-interaction --no-plugins --no-progress --no-scripts --optimize-autoloader
 
 COPY public /var/www/webapp/public
 COPY database/ /var/www/webapp/database/
@@ -47,5 +54,6 @@ COPY src/ /var/www/webapp/src/
 VOLUME /var/www/webapp
 
 COPY docker/api/entrypoint.sh /entrypoint
+
 ENTRYPOINT ["/entrypoint"]
 CMD nginx -g 'daemon off;' && bash

docker/api/crontab.txt

@@ -1,4 +1,5 @@
 SHELL=/bin/bash
+BASH_ENV=/home/reconmapper/crontab.env
 
 # .---------------- minute (0 - 59)
 # |  .------------- hour (0 - 23)

docker/api/entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-printenv | grep "REDIS_" > /etc/environment
+printenv | grep "REDIS_" > /home/reconmapper/crontab.env
 service cron start
 
 # 'service php-fpm start' does not pass env variables to process.

docker/mysql/Dockerfile

@@ -8,6 +8,14 @@ LABEL maintainer="Reconmap engineering" \
     org.opencontainers.image.licenses="GPL" \
     org.opencontainers.image.url="https://github.com/reconmap/rest-api"
 
+ARG HOST_UID
+ARG HOST_GID
+
+RUN groupadd -g ${HOST_GID} reconmappers && \
+    useradd -r -u ${HOST_UID} -g reconmappers reconmapper
+
 COPY database/ /docker-entrypoint-initdb.d/
 COPY docker/mysql/overrides.cnf /etc/mysql/conf.d/overrides.cnf
 
+USER reconmapper
+