Small refactor of user/groups and add checks during startup. Only use -x in bash scripts when DEBUG=true set in env vars

2025-10-31 15:53:33 +00:00 · 2023-05-04 10:03:06 +10:00
parent a1245bc161
commit c432c34fb3
14 changed files with 70 additions and 45 deletions
--- a/docker/rootfs/bin/common.sh
+++ b/docker/rootfs/bin/common.sh
@@ -12,6 +12,11 @@ export CYAN BLUE YELLOW RED RESET
 PUID=${PUID:-0}
 PGID=${PGID:-0}
 NPMUSER=npm
 NPMGROUP=npm
 NPMHOME=/tmp/npmuserhome
 export NPMUSER NPMGROUP NPMHOME
 if [[ "$PUID" -ne '0' ]] && [ "$PGID" = '0' ]; then
 	# set group id to same as user id,
 	# the user probably forgot to specify the group id and
@@ -40,3 +45,10 @@ log_fatal () {
 	/run/s6/basedir/bin/halt
 	exit 1
 }
 # param $1: group_name
 get_group_id () {
 	if [ "${1:-}" != '' ]; then
 		getent group "$1" | cut -d: -f3
 	fi
 }
--- a/docker/rootfs/etc/nginx/nginx.conf
+++ b/docker/rootfs/etc/nginx/nginx.conf
@@ -1,7 +1,7 @@
 # run nginx in foreground
 daemon off;
 pid /run/nginx/nginx.pid;
-user npmuser;
+user npm;
 # Set number of worker processes automatically based on number of CPU cores.
 worker_processes auto;
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/backend/run
@@ -12,12 +12,12 @@ cd /app || exit 1
 log_info 'Starting backend ...'
 if [ "${DEVELOPMENT:-}" = 'true' ]; then
-	s6-setuidgid npmuser yarn install
+	s6-setuidgid "$PUID:$PGID" yarn install
-	exec s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js'
+	exec s6-setuidgid "$PUID:$PGID" bash -c "export HOME=$NPMHOME;node --max_old_space_size=250 --abort_on_uncaught_exception node_modules/nodemon/bin/nodemon.js"
 else
 	while :
 	do
-		s6-setuidgid npmuser bash -c 'export HOME=/tmp/npmuserhome;node --abort_on_uncaught_exception --max_old_space_size=250 index.js'
+		s6-setuidgid "$PUID:$PGID" bash -c "export HOME=$NPMHOME;node --abort_on_uncaught_exception --max_old_space_size=250 index.js"
 		sleep 1
 	done
 fi
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/frontend/run
@@ -8,14 +8,14 @@ set -e
 if [ "$DEVELOPMENT" = 'true' ]; then
 	. /bin/common.sh
 	cd /app/frontend || exit 1
-	HOME=/tmp/npmuserhome
+	HOME=$NPMHOME
 	export HOME
 	mkdir -p /app/frontend/dist
 	chown -R "$PUID:$PGID" /app/frontend/dist
 	log_info 'Starting frontend ...'
-	s6-setuidgid npmuser yarn install
+	s6-setuidgid "$PUID:$PGID" yarn install
-	exec s6-setuidgid npmuser yarn watch
+	exec s6-setuidgid "$PUID:$PGID" yarn watch
 else
 	exit 0
 fi
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
@@ -6,4 +6,4 @@ set -e
 . /bin/common.sh
 log_info 'Starting nginx ...'
-exec s6-setuidgid npmuser nginx
+exec s6-setuidgid "$PUID:$PGID" nginx
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/00-all.sh
@@ -9,7 +9,11 @@ if [ "$(id -u)" != "0" ]; then
 	log_fatal "This docker container must be run as root, do not specify a user.\nYou can specify PUID and PGID env vars to run processes as that user and group after initialization."
 fi
-. /etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh
+if [ "$DEBUG" = "true" ]; then
 	set -x
 fi
 . /etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh
 . /etc/s6-overlay/s6-rc.d/prepare/20-paths.sh
 . /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
 . /etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-npmuser.sh
@@ -1,22 +0,0 @@
 #!/command/with-contenv bash
 # shellcheck shell=bash
 set -e
 # verbose
 set -x
 log_info 'Configuring npmuser ...'
 if id -u npmuser; then
 	# user already exists
 	usermod -u "$PUID" npmuser || exit 1
 else
 	# Add npmuser user
 	useradd -o -u "$PUID" -U -d /tmp/npmuserhome -s /bin/false npmuser || exit 1
 fi
 usermod -G "$PGID" npmuser || exit 1
 groupmod -o -g "$PGID" npmuser || exit 1
 # Home for npmuser
 mkdir -p /tmp/npmuserhome
 chown -R "$PUID:$PGID" /tmp/npmuserhome
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/10-usergroup.sh
@@ -0,0 +1,40 @@
 #!/command/with-contenv bash
 # shellcheck shell=bash
 set -e
 log_info "Configuring $NPMUSER user ..."
 if id -u "$NPMUSER" 2>/dev/null; then
 	# user already exists
 	usermod -u "$PUID" "$NPMUSER"
 else
 	# Add user
 	useradd -o -u "$PUID" -U -d "$NPMHOME" -s /bin/false "$NPMUSER"
 fi
 log_info "Configuring $NPMGROUP group ..."
 if [ "$(get_group_id "$NPMGROUP")" = '' ]; then
 	# Add group. This will not set the id properly if it's already taken
 	groupadd -f -g "$PGID" "$NPMGROUP"
 else
 	groupmod -o -g "$PGID" "$NPMGROUP"
 fi
 # Set the group ID and check it
 groupmod -o -g "$PGID" "$NPMGROUP"
 if [ "$(get_group_id "$NPMGROUP")" != "$PGID" ]; then
 	echo "ERROR: Unable to set group id properly"
 	exit 1
 fi
 # Set the group against the user and check it
 usermod -G "$PGID" "$NPMGROUP"
 if [ "$(id -g "$NPMUSER")" != "$PGID" ] ; then
 	echo "ERROR: Unable to set group against the user properly"
 	exit 1
 fi
 # Home for user
 mkdir -p "$NPMHOME"
 chown -R "$PUID:$PGID" "$NPMHOME"
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh
@@ -2,8 +2,6 @@
 # shellcheck shell=bash
 set -e
 # verbose
 set -x
 log_info 'Checking paths ...'
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh
@@ -2,15 +2,13 @@
 # shellcheck shell=bash
 set -e
 # verbose
 set -x
 log_info 'Setting ownership ...'
 # root
 chown root /tmp/nginx
-# npmuser
+# npm user and group
 chown -R "$PUID:$PGID" /data
 chown -R "$PUID:$PGID" /etc/letsencrypt
 chown -R "$PUID:$PGID" /run/nginx
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh
@@ -2,8 +2,6 @@
 # shellcheck shell=bash
 set -e
 # verbose
 set -x
 log_info 'Dynamic resolvers ...'
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
@@ -5,8 +5,6 @@
 # or disable ipv6 in all nginx configs based on this setting.
 set -e
 # verbose
 set -x
 log_info 'IPv6 ...'
@@ -33,7 +31,7 @@ process_folder () {
 		sed -E -i "$SED_REGEX" "$FILE"
 	done
-	# ensure the files are still owned by the npmuser
+	# ensure the files are still owned by the npm user
 	chown -R "$PUID:$PGID" "$1"
 }
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/60-secrets.sh
@@ -2,8 +2,6 @@
 # shellcheck shell=bash
 set -e
 # verbose
 set -x
 # in s6, environmental variables are written as text files for s6 to monitor
 # search through full-path filenames for files ending in "__FILE"
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/90-banner.sh
@@ -2,6 +2,7 @@
 # shellcheck shell=bash
 set -e
 set +x
 echo "
 -------------------------------------
@@ -11,7 +12,7 @@ echo "
 | |\  |  __/| |  | |
 |_| \_|_|   |_|  |_|
 -------------------------------------
-User ID:  $PUID
+User:  $NPMUSER PUID:$PUID ID:$(id -u "$NPMUSER") GROUP:$(id -g "$NPMUSER")
-Group ID: $PGID
+Group: $NPMGROUP PGID:$PGID ID:$(get_group_id "$NPMGROUP")
 -------------------------------------
 "