Merge pull request #40 from windymelt/plastic-user-group

Dockerで実行時、アーティファクト生成時のownerをホスト環境のものに揃える
windymelt · Apr 25, 2023 · cb76ba4 · cb76ba4
2 parents 748276e + a43bd69
commit cb76ba4
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 25 deletions.
diff --git a/build.sbt b/build.sbt
@@ -1,9 +1,10 @@
 import Dependencies._
-import ReleaseTransformations._
 import com.typesafe.sbt.packager.docker._
 
-ThisBuild / scalaVersion     := "2.13.8"
-ThisBuild / organization     := "com.github.windymelt"
+import ReleaseTransformations._
+
+ThisBuild / scalaVersion := "2.13.8"
+ThisBuild / organization := "com.github.windymelt"
 ThisBuild / organizationName := "windymelt"
 
 lazy val root = (project in file("."))
@@ -23,9 +24,9 @@ lazy val root = (project in file("."))
       "com.monovore" %% "decline-effect" % "2.4.1",
       "com.mitchtalmadge" % "ascii-data" % "1.4.0",
       "org.slf4j" % "slf4j-simple" % "2.0.6",
-      scalaTest % Test,
+      scalaTest % Test
     ),
-    assembly / mainClass := Some("com.github.windymelt.zmm.Main"),
+    assembly / mainClass := Some("com.github.windymelt.zmm.Main")
   )
   .enablePlugins(SbtTwirl)
   .enablePlugins(BuildInfoPlugin)
@@ -37,19 +38,19 @@ lazy val root = (project in file("."))
   )
   .settings(
     releaseProcess := Seq[ReleaseStep](
-      checkSnapshotDependencies,              // : ReleaseStep
-      inquireVersions,                        // : ReleaseStep
-      runClean,                               // : ReleaseStep
-      runTest,                                // : ReleaseStep
-      setReleaseVersion,                      // : ReleaseStep
-      commitReleaseVersion,                   // : ReleaseStep, performs the initial git checks
-      tagRelease,                             // : ReleaseStep
+      checkSnapshotDependencies, // : ReleaseStep
+      inquireVersions, // : ReleaseStep
+      runClean, // : ReleaseStep
+      runTest, // : ReleaseStep
+      setReleaseVersion, // : ReleaseStep
+      commitReleaseVersion, // : ReleaseStep, performs the initial git checks
+      tagRelease, // : ReleaseStep
       // publishArtifacts, // : ReleaseStep, checks whether `publishTo` is properly set up
       releaseStepTask(assembly),
       releaseStepTask(Docker / publish),
-      setNextVersion,                         // : ReleaseStep
-      commitNextVersion,                      // : ReleaseStep
-      pushChanges                             // : ReleaseStep, also checks that an upstream branch is properly configured
+      setNextVersion, // : ReleaseStep
+      commitNextVersion, // : ReleaseStep
+      pushChanges // : ReleaseStep, also checks that an upstream branch is properly configured
     )
   )
   .settings(
@@ -59,36 +60,64 @@ lazy val root = (project in file("."))
     dockerRepository := Some("docker.io"),
     dockerUsername := Some("windymelt"),
     dockerUpdateLatest := true,
+    Universal / mappings += file("entrypoint.sh") -> "entrypoint.sh",
     /* zmmではScala highlightのためにカスタムしたhighlight.jsを同梱しているが、mappingが今のところ壊れているのでDocker Imageでは直接highlight.jsをダウンロードさせる */
     dockerCommands ++= Seq(
+      // Initnally, run as root. Go to protected user inside entrypoint.sh.
       Cmd("USER", "root"),
+      // coretto image does not have useradd utils
+      ExecCmd("RUN", "yum", "install", "-y", "shadow-utils"),
+      ExecCmd("RUN", "yum", "clean", "all"),
+      // Add protected user. entrypoint.sh uses this.
+      ExecCmd("RUN", "useradd", "-m", "zundamon"),
+      ExecCmd("RUN", "mkdir", "/app"),
       ExecCmd("RUN", "mkdir", "-p", "/app/artifacts/html"),
       ExecCmd("RUN", "mkdir", "/app/assets"),
-      ExecCmd("ADD", "https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.7.0/highlight.min.js", "/app/highlight.min.js"),
+      // Install dependencies
+      ExecCmd(
+        "ADD",
+        "https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.7.0/highlight.min.js",
+        "/app/highlight.min.js"
+      ),
       ExecCmd("RUN", "mkdir", "-p", "/app/highlight/styles"),
-      ExecCmd("ADD", "https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.7.0/styles/default.min.css", "/app/highlight/styles/default.min.css"),
+      ExecCmd(
+        "ADD",
+        "https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.7.0/styles/default.min.css",
+        "/app/highlight/styles/default.min.css"
+      ),
       Cmd("WORKDIR", "/root"),
       ExecCmd("RUN", "yum", "-y", "install", "wget", "tar", "xz"),
-      ExecCmd("RUN", "wget", "https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz"),
+      ExecCmd(
+        "RUN",
+        "wget",
+        "https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz"
+      ),
       ExecCmd("RUN", "tar", "xvf", "ffmpeg-release-amd64-static.tar.xz"),
-      ExecCmd("RUN", "mv", "ffmpeg-5.1.1-amd64-static/ffmpeg", "/usr/bin/ffmpeg"),
-      ExecCmd("RUN", "mv", "ffmpeg-5.1.1-amd64-static/ffprobe", "/usr/bin/ffprobe"),
+      ExecCmd("RUN", "mv", "ffmpeg-6.0-amd64-static/ffmpeg", "/usr/bin/ffmpeg"),
+      ExecCmd(
+        "RUN",
+        "mv",
+        "ffmpeg-6.0-amd64-static/ffprobe",
+        "/usr/bin/ffprobe"
+      ),
       ExecCmd("RUN", "amazon-linux-extras", "install", "-y", "epel"),
       ExecCmd("RUN", "yum", "update", "-y"),
       ExecCmd("RUN", "yum", "install", "-y", "chromium"),
+      // entrypoint.sh is automatically copied into /opt/docker by sbt-native-packager.
+      ExecCmd("RUN", "chmod", "u+x", "/opt/docker/entrypoint.sh"),
+      ExecCmd("RUN", "chown", "-R", "zundamon", "/app"),
       Cmd("ENV", "IS_DOCKER_ZMM=1"),
-      Cmd("WORKDIR", "/app"),
+      Cmd("WORKDIR", "/app")
     ),
+    dockerEntrypoint := Seq("/opt/docker/entrypoint.sh")
   )
 
 ThisBuild / assemblyMergeStrategy := {
-  case PathList("META-INF", "versions", "9", "module-info.class") => MergeStrategy.first
+  case PathList("META-INF", "versions", "9", "module-info.class") =>
+    MergeStrategy.first
   case x =>
     val oldStrategy = (ThisBuild / assemblyMergeStrategy).value
     oldStrategy(x)
 }
 
-
-
-
 // See https://www.scala-sbt.org/1.x/docs/Using-Sonatype.html for instructions on how to publish to Sonatype.
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Script to adopt uid/gid to host's.
+# See https://zenn.dev/anyakichi/articles/73765814e57cba
+
+# Running as root here...
+
+export USER=zundamon
+export HOME=/home/zundamon
+
+uid=$(stat -c "%u" .)
+gid=$(stat -c "%g" .)
+
+if [ "$uid" -ne 0 ]; then
+    if [ "$(id -g $USER)" -ne $gid ]; then
+        # gid of $HOME should be host's
+        getent group $gid >/dev/null 2>&1 || groupmod -g $gid $USER
+        chgrp -R $gid $HOME
+    fi
+    if [ "$(id -u $USER)" -ne $uid ]; then
+        # uid of $HOME should be host's
+        usermod -u $uid $USER
+    fi
+fi
+
+# setpriv is a minimal tool like sudo/doas.
+# Masquerade to host's user
+# Coretto's setpriv does not have --init-groups option. we use --clear-groups.
+# Binaries will be deployed into /opt/docker by sbt-native-packager.
+exec setpriv --reuid=$USER --regid=$USER --clear-groups /opt/docker/bin/zmm "$@"