Merge pull request #2 from mshuler/docker-as-user Run container build steps as non-root user

commit: 06eb3baf51dfcfec4dfda0790e323e10dc5e4a4c [log] [tgz]
author: Michael Shuler <michael@pbandjelly.org> Sat Mar 07 10:35:49 2020 -0600
committer: GitHub <noreply@github.com> Sat Mar 07 10:35:49 2020 -0600
tree: ef4d3fee5d75ed544a68bc09b3599a3ea2c215af
parent: 5d37bee5ce4c8167e3e9064f1c6e2b94738d4b01 [diff]
parent: 8c5f3d57dd9f313d0b81e5a429e5c99120fed036 [diff]
diff --git a/Dockerfile b/Dockerfile
index 99c312f..8ddb50d 100644
--- a/Dockerfile
+++ b/Dockerfile

@@ -1,5 +1,18 @@
 FROM debian:stretch
 
+# Set up non-root user, 'build', with default uid:gid
+# This allows passing --build-arg to use local host user's uid:gid:
+#   $ docker-compose build \
+#     --build-arg UID=$(id -u) \
+#     --build-arg GID=$(id -g) \
+#     cassandra-website
+ARG UID=1000
+ARG GID=1000
+RUN echo "Setting up user 'build' with UID=${UID} GID=${GID}"
+RUN groupadd --gid $GID --non-unique build
+RUN useradd --create-home --shell /bin/bash \
+    --uid $UID --gid $GID --non-unique build
+
 # Install tools
 RUN apt-get update && \
     apt-get install -y \
@@ -26,16 +39,18 @@
     bundle install && \
     rm /Gemfile /Gemfile.lock
 
-ENV CASSANDRA_DIR="/usr/src/cassandra"
+# Run as build user from here
+USER build
+
+ENV CASSANDRA_DIR="/home/build/cassandra"
 
 # Setup repositories to building the docs
-RUN mkdir -p /usr/src/cassandra-site && \
+RUN mkdir -p /home/build/cassandra-site && \
     git clone https://gitbox.apache.org/repos/asf/cassandra.git ${CASSANDRA_DIR}
 
 EXPOSE 4000/tcp
 
-COPY docker-entrypoint.sh /
-RUN chmod +x /docker-entrypoint.sh
-ENTRYPOINT ["/docker-entrypoint.sh"]
+COPY docker-entrypoint.sh /home/build/
+ENTRYPOINT ["/home/build/docker-entrypoint.sh"]
 
 CMD [""]

diff --git a/README.md b/README.md
index cc9b5ea..5ef42ed 100644
--- a/README.md
+++ b/README.md

@@ -27,6 +27,13 @@
 $ docker-compose run cassandra-website
 ```
 
+:warning: *Tip:* In order to prevent root-owned modified files in your repository, the container user, `build`, is set up with a default UID=1000:GID=1000, which is usually the first user configured on a linux machine. If your local user is different you should set up the container user with your local host user's UID:GID, replace the above with:
+
+```bash
+$ docker-compose build --build-arg UID=$(id -u) --build-arg GID=$(id -g) cassandra-website
+$ docker-compose run cassandra-website
+```
+
 Go make yourself a cup of coffee, this will take a while...
 
 Once building has completed, the site content will be in the `./cassandra-website/content` directory ready to be committed.

diff --git a/docker-compose.yml b/docker-compose.yml
index 0729142..5d4f546 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml

@@ -4,20 +4,22 @@
   cassandra-website:
     build: .
     image: cassandra-website:latest
+    user: build
     volumes:
-      - ./src:/usr/src/cassandra-site/src
-      - ./content:/usr/src/cassandra-site/publish
+      - ./src:/home/build/cassandra-site/src
+      - ./content:/home/build/cassandra-site/publish
 
   cassandra-website-serve:
     build: .
     image: cassandra-website:latest
-    entrypoint: /docker-entrypoint-jekyll-serve.sh
+    user: build
+    entrypoint: /home/build/docker-entrypoint-jekyll-serve.sh
     ports:
       - 4000:4000
     volumes:
-      - ./src:/usr/src/cassandra-site/src
-      - ./content:/usr/src/cassandra-site/publish
-      - ./docker-entrypoint-jekyll-serve.sh:/docker-entrypoint-jekyll-serve.sh
+      - ./src:/home/build/cassandra-site/src
+      - ./content:/home/build/cassandra-site/publish
+      - ./docker-entrypoint-jekyll-serve.sh:/home/build/docker-entrypoint-jekyll-serve.sh
 
   preview:
     image: nginx
@@ -27,5 +29,3 @@
       - "./content:/usr/share/nginx/html"
     command: [nginx-debug, '-g', 'daemon off;']
 
-
-

diff --git a/docker-entrypoint-jekyll-serve.sh b/docker-entrypoint-jekyll-serve.sh
index 21a8f10..b34b927 100755
--- a/docker-entrypoint-jekyll-serve.sh
+++ b/docker-entrypoint-jekyll-serve.sh

@@ -2,6 +2,8 @@
 
 set -e
 
+export CASSANDRA_SITE_DIR="/home/build/cassandra-site"
+
 GREEN='\033[1;32m'
 YELLOW='\033[0;33m'
 NC='\033[0m' # No Color
@@ -10,11 +12,11 @@
 # version in the publish directory
 while [ 1 ]
 do
-    sed -i 's/\.\/\.\.\//\.\/\.\.\/\.\.\//g' /usr/src/cassandra-site/publish/doc/*/index.html
+    sed -i 's/\.\/\.\.\//\.\/\.\.\/\.\.\//g' ${CASSANDRA_SITE_DIR}/publish/doc/*/index.html
     sleep 5
 done &
 
-cd /usr/src/cassandra-site/src
+cd ${CASSANDRA_SITE_DIR}/src
 
 JEKYLL_COMMAND="jekyll serve --host 0.0.0.0"
 

diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index d729f46..578804c 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh

@@ -2,7 +2,7 @@
 
 set -xe
 
-export CASSANDRA_SITE_DIR="/usr/src/cassandra-site"
+export CASSANDRA_SITE_DIR="/home/build/cassandra-site"
 
 jekyll --version
commit	06eb3baf51dfcfec4dfda0790e323e10dc5e4a4c	[log] [tgz]
author	Michael Shuler <michael@pbandjelly.org>	Sat Mar 07 10:35:49 2020 -0600
committer	GitHub <noreply@github.com>	Sat Mar 07 10:35:49 2020 -0600
tree	ef4d3fee5d75ed544a68bc09b3599a3ea2c215af
parent	5d37bee5ce4c8167e3e9064f1c6e2b94738d4b01 [diff]
parent	8c5f3d57dd9f313d0b81e5a429e5c99120fed036 [diff]