feat: more effectively step-down from root in entrypoint

gamersoutreach · Jan 31, 2024 · ca5de8f · ca5de8f
1 parent b249ded
commit ca5de8f
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 13 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -9,34 +9,34 @@ ENV PYTHONUNBUFFERED=1 \
 # Create app directory
 RUN set -eux; \
     mkdir /app
-WORKDIR /app
 
-# Create user for ssh
+# Create ansible user with explicit uid
 RUN <<EOF
     set -eux
-    useradd -m ansible
+    groupadd -r ansible --gid=1000
+    useradd -m -u 1000 -g 1000 ansible
     mkdir -p /home/ansible/.ssh
-    chown -R ansible:ansible /home/ansible/.ssh
+    chown -R ansible:ansible /home/ansible
 EOF
 
-# Install runtime dependencies
+# Install system runtime dependencies
 RUN <<EOF
     set -eux
     apt-get update
-    apt-get install -y --no-install-recommends libssh-dev
+    apt-get install -y --no-install-recommends libssh-dev gosu
     rm -rf /var/lib/apt/lists/*
 EOF
 
-# Install python dependencies
+# Install python runtime dependencies
 COPY overlay/ /
 RUN <<EOF
     set -eux
     pip install -r /opt/buildpack/requirements.txt
+    su -c "ansible-galaxy collection install -r /opt/buildpack/requirements.yaml" ansible
 EOF
 
-# Install ansible dependencies
-USER ansible
-RUN <<EOF
-    set -eux
-    ansible-galaxy collection install -r /opt/buildpack/requirements.yaml
-EOF
+VOLUME /app
+VOLUME /home/ansible/.ssh
+WORKDIR /app
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["/bin/bash"]
diff --git a/README.md b/README.md
@@ -4,6 +4,13 @@ This project builds a docker image with all of the dependencies required to run
 
 ## Image Details
 
+### Environment Variables
+
+| Environment Variable | Description                            |
+| -------------------- | -------------------------------------- |
+| `PUID`               | User ID of the primary ansible user    |
+| `PGID`               | Group ID for the priamry ansible group |
+
 ### Users
 
 | User      | Description                                                                                                                                            |
@@ -26,6 +33,8 @@ docker run \
     --rm -it \
     --pull always \
     --network host \
+    -e PUID=${id -u} \
+    -e PGID=${id -g} \
     --mount type=bind,source=".",target=/app \
     --mount type=bind,source="${HOME}/.ssh",target=/home/ansible/.ssh,readonly \
     ghcr.io/gamersoutreach/ansible-runner:latest \

diff --git a/overlay/docker-entrypoint.sh b/overlay/docker-entrypoint.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+set -e
+
+PUID="${PUID:-1000}"
+PGID="${PGID:-1000}"
+
+# Set UID/GID of ansible user
+sed -i "s/^ansible\:x\:1000\:1000/ansible\:x\:$PUID\:$PGID/" /etc/passwd
+sed -i "s/^ansible\:x\:1000/ansible\:x\:$PGID/" /etc/group
+
+# Set permissions on home folder, excluding .ssh mount
+chown $PUID:$PGID /home/ansible
+find /home/ansible -mindepth 1 -maxdepth 1 -not -name ".ssh" -exec chown -R $PUID:$PGID {} \;
+
+# Step-down from root
+exec gosu ansible "${@}"