Run app as unprivileged user

scitran · Jan 11, 2018 · 9458f7f · 9458f7f
1 parent 1303bbd
commit 9458f7f
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 8 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -25,7 +25,7 @@ script:
     - test -f "$DOCKER_DIR/image.tar" && docker load -i "$DOCKER_DIR/image.tar" || true
     - docker build -t core:build --target build .
     - docker build -t core:dist --target dist --build-arg VCS_BRANCH="$TRAVIS_BRANCH" --build-arg VCS_COMMIT="$TRAVIS_COMMIT" .
-    - docker build -t core:testing --target testing .
+    - docker build -t core:testing --target dev .
     - docker save -o "$DOCKER_DIR/image.tar" $(docker history -q core:build | grep -v '<missing>') $(docker history -q core:dist | grep -v '<missing>')
     - ./tests/bin/run-tests-docker.sh --image core:testing
 

diff --git a/Dockerfile b/Dockerfile
@@ -17,9 +17,12 @@ RUN apk add --no-cache git
 COPY --from=build /usr/local/sbin/unitd /usr/local/sbin/unitd
 COPY --from=build /usr/local/lib/python.unit.so /usr/local/lib/python.unit.so
 
-EXPOSE 80 8080 27017
+EXPOSE 80 8080
 VOLUME /data/db
+VOLUME /data/persistent
+
 WORKDIR /src/core
+ENV SCITRAN_PERSISTENT_DATA_PATH=/data/persistent
 
 COPY docker/unit.json /var/local/unit/conf.json
 COPY requirements.txt requirements.txt
@@ -28,14 +31,17 @@ RUN pip install -r requirements.txt
 COPY . .
 RUN pip install -e .
 
-CMD ["unitd", "--control", "*:8080", "--no-daemon", "--log", "/dev/stdout"]
-
 ARG VCS_BRANCH=NULL
 ARG VCS_COMMIT=NULL
 RUN docker/build_info.sh $VCS_BRANCH $VCS_COMMIT | tee /version.json
 
+ENTRYPOINT ["./entrypoint.sh"]
+CMD ["unitd", "--control", "*:8080", "--no-daemon", "--log", "/dev/stdout"]
+
+
+FROM dist as dev
 
-FROM dist as testing
+EXPOSE 27017
 
 RUN apk add --no-cache mongodb
 

diff --git a/docker/dev+mongo.sh b/docker/dev+mongo.sh
@@ -3,4 +3,6 @@
 mongod &
 MONGOD_PID=$!
 
-exec unitd --control "*:8888" --no-daemon --log /dev/stdout
+chown nobody:nobody -R $SCITRAN_PERSISTENT_DATA_PATH
+
+exec unitd --control "*:8080" --no-daemon --log /dev/stdout
diff --git a/docker/unit.json b/docker/unit.json
@@ -9,8 +9,7 @@
         "scitran-core": {
             "type": "python",
             "workers": 2,
-            "user": "root",
-            "group": "root",
+            "user": "nobody",
             "path": "/src/core",
             "module": "api.app"
         }

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env sh
+
+set -e
+
+# If running unitd and started as root, update file ownership
+if [ "$1" == "unitd" -a "$(id -u)" == "0" ]; then
+    chown nobody:nobody -R $SCITRAN_PERSISTENT_DATA_PATH
+fi
+
+exec "$@"