drop from root in entrypoint script (#73)

thelounge · Jan 27, 2019 · 7f7d9d3 · 7f7d9d3
1 parent e2a3070
commit 7f7d9d3
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 52 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -9,15 +9,19 @@ jobs:
   include:
     - stage: test
       script:
+        - mount_dir=$(mktemp -d)
         - docker build -t thelounge:main .
-        - docker run -d -p 9001:9000 --name main thelounge:main
+        - docker run --user "$UID" -v "${mount_dir}:/var/opt/thelounge" -d -p 9001:9000 --name main thelounge:main
         - docker exec main thelounge --version | grep --color=never -E "^v[0-9]\.[0-9]\.[0-9]" | cut -c 2- | grep -f /dev/stdin Dockerfile
         - sleep 3 # wait for the server to (hopefully) start
         - curl -sL localhost:9001 | grep "<title>The Lounge</title>"
+        - stat "${mount_dir}/config.js"
     - stage: test
       script:
+        - mount_dir=$(mktemp -d)
         - docker build -t thelounge:alpine -f alpine/Dockerfile alpine
-        - docker run -d -p 9002:9000 --name alpine thelounge:alpine
+        - docker run --user "$UID" -v "${mount_dir}:/var/opt/thelounge" -d -p 9002:9000 --name alpine thelounge:alpine
         - docker exec alpine thelounge --version | grep --color=never -E "^v[0-9]\.[0-9]\.[0-9]" | cut -c 2- | grep -f /dev/stdin alpine/Dockerfile
         - sleep 3 # wait for the server to (hopefully) start
         - curl -sL localhost:9002 | grep "<title>The Lounge</title>"
+        - stat "${mount_dir}/config.js"
diff --git a/README.md b/README.md
@@ -41,20 +41,17 @@ $ docker run --detach \
 
 The Lounge reads and stores all of its configuration, logs and other data at `/var/opt/thelounge`.
 
+By default, The Lounge will run using the `node (1000:1000)` system user in the container, leading to mounted data directories
+on the host system being owned by said user. This is customizable by changing the container user (see [Container user (advanced usage)](#container-user-advanced-usage)).
+
 _You will probably want to persist the data at this location by using [one of the means](https://docs.docker.com/storage/) to do so._
 
 ### Adding users
 
 Users can be added as follows:
 
 ```sh
-$ docker exec -it [container_name] thelounge add [username]
-```
-
-For example, if your container is called `thelounge` and you want to create a user `john` enter the following:
-
-```sh
-$ docker exec -it thelounge thelounge add john
+$ docker exec --user node -it [container_name] thelounge add [username]
 ```
 
 _Note: without [persisting data](#data-directory), added users will be lost when the container is removed._
@@ -73,10 +70,9 @@ $ docker run --detach \
              thelounge/thelounge:3.0.0-rc.6
 ```
 
-### Environment variables (advanced usage)
+### Container user (advanced usage)
 
-You can control how The Lounge is started through the following environment variables;
+By default, The Lounge will run using the `node (1000:1000)` user. This is customizable by running the container as a different, non-root, user.
+Beware that this may cause permission issues when a container process tries reading from the data disk unless you have manually set the permissions correctly.
 
--   `HOST` (equivalent to the `-c host` CLI option)
--   `PORT` (equivalent to the `-c port` CLI option)
--   `BIND` (equivalent to the `-c bind` CLI option)
+Also keep in mind that whenever executing one-off commands in the container you need to explicitly set the correct user.
diff --git a/alpine/docker-entrypoint.sh b/alpine/docker-entrypoint.sh
@@ -10,24 +10,9 @@ EOF
     exit 1
 fi
 
-if [ ! -z "$HOST" ]; then
-    CONF_OPT_HOST="-c host=$HOST"
-fi
-if [ ! -z "$PORT" ]; then
-    CONF_OPT_PORT="-c port=$PORT"
-fi
-if [ ! -z "$BIND" ]; then
-    CONF_OPT_BIND="-c bind=$BIND"
+if [ "$1" = "thelounge" -a "$(id -u)" = '0' ]; then
+    find "${THELOUNGE_HOME}" \! -user node -exec chown node '{}' +
+    exec su node -c "$*"
 fi
 
-if [ "$*" = "thelounge start" ]; then
-    # if the supplied command is the default (see the CMD directive in Dockerfile), append any
-    # optional flags defined via environment variables
-    exec "$@" \
-        $CONF_OPT_HOST \
-        $CONF_OPT_PORT \
-        $CONF_OPT_BIND \
-        ;
-else
-    exec "$@"
-fi
+exec "$@"
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -10,24 +10,9 @@ EOF
     exit 1
 fi
 
-if [ ! -z "$HOST" ]; then
-    CONF_OPT_HOST="-c host=$HOST"
-fi
-if [ ! -z "$PORT" ]; then
-    CONF_OPT_PORT="-c port=$PORT"
-fi
-if [ ! -z "$BIND" ]; then
-    CONF_OPT_BIND="-c bind=$BIND"
+if [ "$1" = "thelounge" -a "$(id -u)" = '0' ]; then
+    find "${THELOUNGE_HOME}" \! -user node -exec chown node '{}' +
+    exec su node -c "$*"
 fi
 
-if [ "$*" = "thelounge start" ]; then
-    # if the supplied command is the default (see the CMD directive in Dockerfile), append any
-    # optional flags defined via environment variables
-    exec "$@" \
-        $CONF_OPT_HOST \
-        $CONF_OPT_PORT \
-        $CONF_OPT_BIND \
-        ;
-else
-    exec "$@"
-fi
+exec "$@"