Merge pull request 'set runner user of web service' (!79) from feature/set-runner-user-of-web-service into develop

Reviewed-on: #79
2023-09-26 22:07:40 +02:00 · 2023-09-26 22:07:40 +02:00 · 390c13608a
commit 390c13608a
parent fc6141e2b9 345cf31bb3
5 changed files with 30 additions and 18 deletions
--- a/18
+++ b/18
@ -67,18 +67,16 @@ pipeline {
                script {
                    sh script: 'git clean -ffdx', label: 'Clean repository'

-                    def version = sh(script: 'git describe --tags --always --match "Release_*" HEAD', returnStdout: true).trim()
-                    def imageUrl = "git.esoko.eu/esoko/mapguesser:${version}"
-
-                    sh script: """docker buildx build \
-                                    -t ${imageUrl} \
-                                    -f docker/Dockerfile \
-                                    --target mapg_release \
-                                    .""",
-                        label: 'Build Docker image'
+                    env.VERSION = sh(script: 'git describe --tags --always --match "Release_*" HEAD', returnStdout: true).trim()

                    withDockerRegistry([credentialsId: 'gitea-system-user', url: 'https://git.esoko.eu/']) {
-                        sh script: "docker push ${imageUrl}", label: 'Push Docker image to registry'
+                        sh script: """docker buildx build \
+                                        -f docker/Dockerfile \
+                                        --target mapg_release \
+                                        -t git.esoko.eu/esoko/mapguesser:${env.VERSION} \
+                                        --push \
+                                        .""",
+                           label: 'Build Docker image'
                    }
                }
            }
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -2,7 +2,7 @@ FROM ubuntu:focal AS mapg_base

 ENV DEBIAN_FRONTEND noninteractive

-RUN apt update --fix-missing && apt install -y curl git unzip mariadb-client nginx \
+RUN apt update --fix-missing && apt install -y sudo curl git unzip mariadb-client nginx \
    php-apcu php7.4-cli php7.4-curl php7.4-fpm php7.4-mbstring php7.4-mysql php7.4-zip php7.4-xml

 RUN mkdir -p /run/php
@ -30,6 +30,7 @@ EXPOSE 8090
 EXPOSE 9229
 ENTRYPOINT docker/scripts/entry-point-dev.sh

+
 FROM mapg_base AS mapg_release

 RUN apt update --fix-missing && apt install -y cron
@ -37,7 +38,7 @@ RUN apt update --fix-missing && apt install -y cron
 WORKDIR /var/www/mapguesser
 COPY ./ /var/www/mapguesser
 RUN docker/scripts/release.sh &&\
-    rm -rf /var/www/mapguesser/.git /var/www/mapguesser/.env
+    rm -rf /var/www/mapguesser/.git

 EXPOSE 80
 EXPOSE 8090
--- a/docker/scripts/entry-point-dev.sh
+++ b/docker/scripts/entry-point-dev.sh
@ -2,8 +2,6 @@

 set -e

-chmod 777 cache
-
 echo "Installing Composer packages..."
 if [ -f .env ]; then
    composer install
@ -20,11 +18,18 @@ echo "Installing Yarn packages..."
 echo "Migrating DB..."
 ./mapg db:migrate

+echo "Set runner user based on owner of .env..."
+USER_UID=$(stat -c "%u" .env)
+USER_GID=$(stat -c "%g" .env)
+groupadd --gid $USER_GID mapg
+useradd --uid $USER_UID --gid $USER_GID mapg
+sed -i -e "s/^user = .*$/user = mapg/g" -e "s/^group = .*$/group = mapg/g" /etc/php/7.4/fpm/pool.d/www.conf
+
 set +e

 /usr/sbin/php-fpm7.4 -F &
 /usr/sbin/nginx -g 'daemon off;' &
-/usr/bin/node --inspect=0.0.0.0:9229 multi &
+sudo -u mapg -g mapg /usr/bin/node --inspect=0.0.0.0:9229 multi &

 wait -n

--- a/docker/scripts/entry-point.sh
+++ b/docker/scripts/entry-point.sh
@ -8,12 +8,20 @@ echo "Migrating DB..."
 echo "Installing crontab..."
 /usr/bin/crontab docker/scripts/cron

+echo "Set runner user based on owner of .env..."
+USER_UID=$(stat -c "%u" .env)
+USER_GID=$(stat -c "%g" .env)
+groupadd --gid $USER_GID mapg
+useradd --uid $USER_UID --gid $USER_GID mapg
+chown mapg:mapg cache
+sed -i -e "s/^user = .*$/user = mapg/g" -e "s/^group = .*$/group = mapg/g" /etc/php/7.4/fpm/pool.d/www.conf
+
 set +e

 /usr/sbin/cron -f &
 /usr/sbin/php-fpm7.4 -F &
 /usr/sbin/nginx -g 'daemon off;' &
-/usr/bin/node multi &
+sudo -u mapg -g mapg /usr/bin/node multi &

 wait -n

--- a/docker/scripts/release.sh
+++ b/docker/scripts/release.sh
@ -2,8 +2,6 @@

 set -e

-chmod 777 cache
-
 echo "Installing Composer packages..."
 composer create-project --no-dev

@ -28,3 +26,5 @@ find public/static/img -type f -iname '*.svg' -exec svgo {} -o {} \;

 echo "Linking view files..."
 ./mapg view:link
+
+rm .env