Merge pull request #18 from mitchya1/entrypoint

use entrypoint script

Dockerfile

@@ -10,10 +10,14 @@ RUN go build -o retriever ./cmd/retriever
 
 FROM alpine:latest
 
-RUN apk update && apk upgrade --no-cache && apk --no-cache add ca-certificates && rm -rf /var/cache/apk/*
+RUN apk update && apk upgrade --no-cache && apk --no-cache add ca-certificates su-exec && rm -rf /var/cache/apk/*
 
 COPY --from=builder /go/src/github.com/mitchya1/ecs-ssm-retriever/retriever /
 
+ADD docker-entrypoint.sh /
+
+RUN chmod +x /docker-entrypoint.sh
+
 RUN adduser --system --no-create-home --uid 121 retriever
 
 RUN mkdir /init-out
@@ -22,4 +26,7 @@ VOLUME "/init-out"
 
 RUN chown -R retriever /init-out
 
-USER retriever
+ENTRYPOINT [ "/docker-entrypoint.sh" ]
+
+# Run as root so entrypoint can chown the /init-out dir then su-exec as retriever
+USER root

README.md

@@ -149,7 +149,7 @@ You must not change the `containerPath` for the `retriever` container, otherwise
                 "awslogs-stream-prefix": "init"
             }
         },
-        "image": "mitchya1/ecs-ssm-retriever:v0.2.0",
+        "image": "mitchya1/ecs-ssm-retriever:v0.2.2",
         "memory": 100,
         "memoryReservation": 50,
         "name": "my-container-init",
@@ -163,3 +163,7 @@ You must not change the `containerPath` for the `retriever` container, otherwise
 ## Links
 
 [Fargate shared volumes](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-task-storage.html)
+
+## Notes
+
+The container initially runs as root so it can `chown` the `/init-out` directory. The command passed to the container is run as the non-privileged `retriever` user.

docker-entrypoint.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+
+chown -R retriever /init-out || echo "Could not chown /init-out"
+
+if [ "$(id -u)" = '0' ]; then
+    su-exec retriever "$@"
+fi