Fix for potential permission issues.

A number of permission issues have gone unnoticed, I became aware of them when I did a fresh build without cache on a newly installed computer. When building Docker images, Docker copies files/folders with the same permissions as they have on the host machine. Git does not track the permissions of files except for the executable bit on files. So depending on who builds the images files/folders can get different permissions. This changes it such that the Makefile will ensure the appropriate permissions are set when building. This is required as we run services as different users other than root in the container. Those users must be able to access and execute certain files.
Islandora-Devops · Sep 12, 2024 · 5c83e05 · 5c83e05
1 parent b7d358b
commit 5c83e05
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -77,6 +77,32 @@ build:
 %:
 	$(call executable-exists,$@)
 
+# Prior to building, all folders which might be copied into Docker images must
+# have the executable bit set for all users. So that they can be read by the
+# users we create like 'tomcat'. We can not insure this via Git as it does 
+# not track permissions for folders, so we rely on this hack.
+.PHONY: folder-permissions
+folder-permissions:
+	find . -type d -exec chmod +x {} \;
+
+# Prior to building, all scripts which might be copied into Docker images must
+# have the executable bit set for all users. So that they can be executed by
+# the users we create like 'nginx'. We can not insure this via Git as it does
+# not track executable permissions for "groups" or "others".
+.PHONY: executable-permissons
+executable-permissons:
+	find . -type f \
+    \( \
+      -name "*.sh" \
+      -o -name "run" \
+      -o -name "check" \
+      -o -name "finish" \
+      -o -name "bash.bashrc" \
+      -o -name "drush" \
+      -o -name "composer" \
+    \) \
+    -exec chmod +rx {} \;
+
 # Checks for docker compose plugin.
 .PHONY: docker-compose
 docker-compose: MISSING_DOCKER_PLUGIN_MESSAGE = ${RED}docker compose plugin is not installed${RESET}\n${README_MESSAGE}
@@ -165,7 +191,7 @@ docker-compose.override.yml:
 # Despite being a real target we make it PHONY so it is run everytime as $(TARGET) can change.
 .PHONY: build/bake.json
 .SILENT: build/bake.json
-build/bake.json: | docker-buildx jq build
+build/bake.json: | docker-buildx jq build folder-permissions executable-permissons
   # Generate build plan for the given target and update the contexts if provided by the CI.
 	BRANCH=$(BRANCH) \
 	CACHE_FROM_REPOSITORY=$(CACHE_FROM_REPOSITORY) \

diff --git a/drupal/Dockerfile b/drupal/Dockerfile
@@ -67,4 +67,4 @@ ENV \
 
 COPY --link rootfs /
 
-RUN chown -R nginx:nginx /var/www
+RUN chown -R nginx:nginx /var/www /usr/share/drush
Original file line number	Diff line number	Diff line change
Expand Up		@@ -67,4 +67,4 @@ ENV \

		COPY --link rootfs /

		RUN chown -R nginx:nginx /var/www
		RUN chown -R nginx:nginx /var/www /usr/share/drush