From f44d7a06e867841594aaaf45fddf59a77fad5337 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Tue, 18 Jun 2024 15:07:17 -0700 Subject: [PATCH] Replace `su-exec` with `gosu` See https://github.com/docker-library/postgres/commit/cefde5ff6f102fcd381a03210c7734816c59aa3e + https://github.com/docker-library/postgres/commit/3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7 + linked PR for more details/discussion. --- 5.0/alpine3.19/Dockerfile | 33 ++++++++++++++++++++++++--- 5.0/alpine3.19/docker-entrypoint.sh | 2 +- 5.0/alpine3.20/Dockerfile | 33 ++++++++++++++++++++++++--- 5.0/alpine3.20/docker-entrypoint.sh | 2 +- 5.0/bookworm/Dockerfile | 1 - 5.1/alpine3.19/Dockerfile | 33 ++++++++++++++++++++++++--- 5.1/alpine3.19/docker-entrypoint.sh | 2 +- 5.1/alpine3.20/Dockerfile | 33 ++++++++++++++++++++++++--- 5.1/alpine3.20/docker-entrypoint.sh | 2 +- 5.1/bookworm/Dockerfile | 1 - Dockerfile-alpine.template | 35 ++++++++++++++++++++++++++--- Dockerfile-debian.template | 1 - apply-templates.sh | 5 ++--- 13 files changed, 158 insertions(+), 25 deletions(-) diff --git a/5.0/alpine3.19/Dockerfile b/5.0/alpine3.19/Dockerfile index e5a52ed..17a2b89 100644 --- a/5.0/alpine3.19/Dockerfile +++ b/5.0/alpine3.19/Dockerfile @@ -16,7 +16,6 @@ RUN set -eux; \ bash \ ca-certificates \ findutils \ - su-exec \ tini \ tzdata \ wget \ 
@@ -34,6 +33,34 @@ RUN set -eux; \ imagemagick \ ; +# grab gosu for easy step-down from root +# https://github.com/tianon/gosu/releases +ENV GOSU_VERSION 1.17 +RUN set -eux; \ + \ + apk add --no-cache --virtual .gosu-deps \ + ca-certificates \ + dpkg \ + gnupg \ + ; \ + \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ + apk del --no-network .gosu-deps; \ + \ +# smoke test + chmod +x /usr/local/bin/gosu; \ + gosu --version; \ + gosu nobody true +RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in Redmine 5.2+) + ENV RAILS_ENV production WORKDIR /usr/src/redmine @@ -81,7 +108,7 @@ RUN set -eux; \ zlib-dev \ ; \ \ - su-exec redmine bundle config --local without 'development test'; \ + gosu redmine bundle config --local without 'development test'; \ # https://github.com/redmine/redmine/commit/23dc108e70a0794f444803ac827a690085dcd557 # ("gem puma" already exists in the Gemfile, but under "group :test" and we want it all the time) puma="$(grep -E "^[[:space:]]*gem [:'\"]puma['\",[:space:]].*\$" Gemfile)"; \ @@ -93,7 +120,7 @@ RUN set -eux; \ echo "$adapter:" >> ./config/database.yml; \ echo " adapter: $adapter" >> ./config/database.yml; \ done; \ - su-exec redmine bundle install --jobs "$(nproc)"; \ + gosu redmine bundle install --jobs "$(nproc)"; \ rm ./config/database.yml; \ # fix permissions for running as an arbitrary user chmod -R ugo=rwX Gemfile.lock "$GEM_HOME"; \ 
diff --git a/5.0/alpine3.19/docker-entrypoint.sh b/5.0/alpine3.19/docker-entrypoint.sh index be466aa..ff3f94b 100755 --- a/5.0/alpine3.19/docker-entrypoint.sh +++ b/5.0/alpine3.19/docker-entrypoint.sh @@ -51,7 +51,7 @@ _fix_permissions() { # allow the container to be started with `--user` if [ -n "$isLikelyRedmine" ] && [ "$(id -u)" = '0' ]; then _fix_permissions - exec su-exec redmine "$BASH_SOURCE" "$@" + exec gosu redmine "$BASH_SOURCE" "$@" fi if [ -n "$isLikelyRedmine" ]; then diff --git a/5.0/alpine3.20/Dockerfile b/5.0/alpine3.20/Dockerfile index fa6a339..f958325 100644 --- a/5.0/alpine3.20/Dockerfile +++ b/5.0/alpine3.20/Dockerfile @@ -16,7 +16,6 @@ RUN set -eux; \ bash \ ca-certificates \ findutils \ - su-exec \ tini \ tzdata \ wget \ @@ -34,6 +33,34 @@ RUN set -eux; \ imagemagick \ ; +# grab gosu for easy step-down from root +# https://github.com/tianon/gosu/releases +ENV GOSU_VERSION 1.17 +RUN set -eux; \ + \ + apk add --no-cache --virtual .gosu-deps \ + ca-certificates \ + dpkg \ + gnupg \ + ; \ + \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ + apk del --no-network .gosu-deps; \ + \ +# smoke test + chmod +x /usr/local/bin/gosu; \ + gosu --version; \ + gosu nobody true +RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in Redmine 5.2+) + ENV RAILS_ENV production WORKDIR /usr/src/redmine 
@@ -81,7 +108,7 @@ RUN set -eux; \ zlib-dev \ ; \ \ - su-exec redmine bundle config --local without 'development test'; \ + gosu redmine bundle config --local without 'development test'; \ # https://github.com/redmine/redmine/commit/23dc108e70a0794f444803ac827a690085dcd557 # ("gem puma" already exists in the Gemfile, but under "group :test" and we want it all the time) puma="$(grep -E "^[[:space:]]*gem [:'\"]puma['\",[:space:]].*\$" Gemfile)"; \ @@ -93,7 +120,7 @@ RUN set -eux; \ echo "$adapter:" >> ./config/database.yml; \ echo " adapter: $adapter" >> ./config/database.yml; \ done; \ - su-exec redmine bundle install --jobs "$(nproc)"; \ + gosu redmine bundle install --jobs "$(nproc)"; \ rm ./config/database.yml; \ # fix permissions for running as an arbitrary user chmod -R ugo=rwX Gemfile.lock "$GEM_HOME"; \ diff --git a/5.0/alpine3.20/docker-entrypoint.sh b/5.0/alpine3.20/docker-entrypoint.sh index be466aa..ff3f94b 100755 --- a/5.0/alpine3.20/docker-entrypoint.sh +++ b/5.0/alpine3.20/docker-entrypoint.sh @@ -51,7 +51,7 @@ _fix_permissions() { # allow the container to be started with `--user` if [ -n "$isLikelyRedmine" ] && [ "$(id -u)" = '0' ]; then _fix_permissions - exec su-exec redmine "$BASH_SOURCE" "$@" + exec gosu redmine "$BASH_SOURCE" "$@" fi if [ -n "$isLikelyRedmine" ]; then diff --git a/5.0/bookworm/Dockerfile b/5.0/bookworm/Dockerfile index 570b780..ea0b4b1 100644 --- a/5.0/bookworm/Dockerfile +++ b/5.0/bookworm/Dockerfile @@ -64,7 +64,6 @@ RUN set -eux; \ gosu --version; \ gosu nobody true - ENV RAILS_ENV production WORKDIR /usr/src/redmine diff --git a/5.1/alpine3.19/Dockerfile b/5.1/alpine3.19/Dockerfile index d48795e..2997495 100644 --- a/5.1/alpine3.19/Dockerfile +++ b/5.1/alpine3.19/Dockerfile @@ -16,7 +16,6 @@ RUN set -eux; \ bash \ ca-certificates \ findutils \ - su-exec \ tini \ tzdata \ wget \ 
@@ -34,6 +33,34 @@ RUN set -eux; \ imagemagick \ ; +# grab gosu for easy step-down from root +# https://github.com/tianon/gosu/releases +ENV GOSU_VERSION 1.17 +RUN set -eux; \ + \ + apk add --no-cache --virtual .gosu-deps \ + ca-certificates \ + dpkg \ + gnupg \ + ; \ + \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ + apk del --no-network .gosu-deps; \ + \ +# smoke test + chmod +x /usr/local/bin/gosu; \ + gosu --version; \ + gosu nobody true +RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in Redmine 5.2+) + ENV RAILS_ENV production WORKDIR /usr/src/redmine @@ -81,7 +108,7 @@ RUN set -eux; \ zlib-dev \ ; \ \ - su-exec redmine bundle config --local without 'development test'; \ + gosu redmine bundle config --local without 'development test'; \ # https://github.com/redmine/redmine/commit/23dc108e70a0794f444803ac827a690085dcd557 # ("gem puma" already exists in the Gemfile, but under "group :test" and we want it all the time) puma="$(grep -E "^[[:space:]]*gem [:'\"]puma['\",[:space:]].*\$" Gemfile)"; \ @@ -93,7 +120,7 @@ RUN set -eux; \ echo "$adapter:" >> ./config/database.yml; \ echo " adapter: $adapter" >> ./config/database.yml; \ done; \ - su-exec redmine bundle install --jobs "$(nproc)"; \ + gosu redmine bundle install --jobs "$(nproc)"; \ rm ./config/database.yml; \ # fix permissions for running as an arbitrary user chmod -R ugo=rwX Gemfile.lock "$GEM_HOME"; \ 
diff --git a/5.1/alpine3.19/docker-entrypoint.sh b/5.1/alpine3.19/docker-entrypoint.sh index be466aa..ff3f94b 100755 --- a/5.1/alpine3.19/docker-entrypoint.sh +++ b/5.1/alpine3.19/docker-entrypoint.sh @@ -51,7 +51,7 @@ _fix_permissions() { # allow the container to be started with `--user` if [ -n "$isLikelyRedmine" ] && [ "$(id -u)" = '0' ]; then _fix_permissions - exec su-exec redmine "$BASH_SOURCE" "$@" + exec gosu redmine "$BASH_SOURCE" "$@" fi if [ -n "$isLikelyRedmine" ]; then diff --git a/5.1/alpine3.20/Dockerfile b/5.1/alpine3.20/Dockerfile index a150cfe..edb73c9 100644 --- a/5.1/alpine3.20/Dockerfile +++ b/5.1/alpine3.20/Dockerfile @@ -16,7 +16,6 @@ RUN set -eux; \ bash \ ca-certificates \ findutils \ - su-exec \ tini \ tzdata \ wget \ @@ -34,6 +33,34 @@ RUN set -eux; \ imagemagick \ ; +# grab gosu for easy step-down from root +# https://github.com/tianon/gosu/releases +ENV GOSU_VERSION 1.17 +RUN set -eux; \ + \ + apk add --no-cache --virtual .gosu-deps \ + ca-certificates \ + dpkg \ + gnupg \ + ; \ + \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ + apk del --no-network .gosu-deps; \ + \ +# smoke test + chmod +x /usr/local/bin/gosu; \ + gosu --version; \ + gosu nobody true +RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in Redmine 5.2+) + ENV RAILS_ENV production WORKDIR /usr/src/redmine 
@@ -81,7 +108,7 @@ RUN set -eux; \ zlib-dev \ ; \ \ - su-exec redmine bundle config --local without 'development test'; \ + gosu redmine bundle config --local without 'development test'; \ # https://github.com/redmine/redmine/commit/23dc108e70a0794f444803ac827a690085dcd557 # ("gem puma" already exists in the Gemfile, but under "group :test" and we want it all the time) puma="$(grep -E "^[[:space:]]*gem [:'\"]puma['\",[:space:]].*\$" Gemfile)"; \ @@ -93,7 +120,7 @@ RUN set -eux; \ echo "$adapter:" >> ./config/database.yml; \ echo " adapter: $adapter" >> ./config/database.yml; \ done; \ - su-exec redmine bundle install --jobs "$(nproc)"; \ + gosu redmine bundle install --jobs "$(nproc)"; \ rm ./config/database.yml; \ # fix permissions for running as an arbitrary user chmod -R ugo=rwX Gemfile.lock "$GEM_HOME"; \ diff --git a/5.1/alpine3.20/docker-entrypoint.sh b/5.1/alpine3.20/docker-entrypoint.sh index be466aa..ff3f94b 100755 --- a/5.1/alpine3.20/docker-entrypoint.sh +++ b/5.1/alpine3.20/docker-entrypoint.sh @@ -51,7 +51,7 @@ _fix_permissions() { # allow the container to be started with `--user` if [ -n "$isLikelyRedmine" ] && [ "$(id -u)" = '0' ]; then _fix_permissions - exec su-exec redmine "$BASH_SOURCE" "$@" + exec gosu redmine "$BASH_SOURCE" "$@" fi if [ -n "$isLikelyRedmine" ]; then diff --git a/5.1/bookworm/Dockerfile b/5.1/bookworm/Dockerfile index 16b79fc..68cc00e 100644 --- a/5.1/bookworm/Dockerfile +++ b/5.1/bookworm/Dockerfile @@ -64,7 +64,6 @@ RUN set -eux; \ gosu --version; \ gosu nobody true - ENV RAILS_ENV production WORKDIR /usr/src/redmine diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index 76d8b4e..9a26cc2 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -10,7 +10,6 @@ RUN set -eux; \ bash \ ca-certificates \ findutils \ - su-exec \ tini \ tzdata \ wget \ 
@@ -28,6 +27,36 @@ RUN set -eux; \ imagemagick \ ; +# grab gosu for easy step-down from root +# https://github.com/tianon/gosu/releases +ENV GOSU_VERSION 1.17 +RUN set -eux; \ + \ + apk add --no-cache --virtual .gosu-deps \ + ca-certificates \ + dpkg \ + gnupg \ + ; \ + \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ + apk del --no-network .gosu-deps; \ + \ +# smoke test + chmod +x /usr/local/bin/gosu; \ + gosu --version; \ + gosu nobody true +{{ if [ "5.0", "5.1" ] | index(env.version) then ( -}} +RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in Redmine 5.2+) +{{ ) else "" end -}} + ENV RAILS_ENV production WORKDIR /usr/src/redmine @@ -75,7 +104,7 @@ RUN set -eux; \ zlib-dev \ ; \ \ - su-exec redmine bundle config --local without 'development test'; \ + gosu redmine bundle config --local without 'development test'; \ # https://github.com/redmine/redmine/commit/23dc108e70a0794f444803ac827a690085dcd557 # ("gem puma" already exists in the Gemfile, but under "group :test" and we want it all the time) puma="$(grep -E "^[[:space:]]*gem [:'\"]puma['\",[:space:]].*\$" Gemfile)"; \ 
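Review bot: The gosu fetch block added to `Dockerfile-alpine.template` leaves its safety ordering implicit: `wget` writes the binary to `/usr/local/bin/gosu` without the executable bit, `set -eux` makes a failing `gpg --batch --verify` abort the layer, and `chmod +x` runs only after verification succeeds, so a comment above the first `wget` such as `# binary lands at its final path without +x; under set -e a failed signature check aborts the layer before chmod makes it executable` would keep a future reorder from silently losing that property. `ENV GOSU_VERSION 1.17` uses the legacy space-separated form, which BuildKit flags as LegacyKeyValueFormat; `ENV GOSU_VERSION=1.17` is the documented form. The same hunk is reproduced verbatim in the generated 5.0/alpine3.19, 5.0/alpine3.20, 5.1/alpine3.19 and 5.1/alpine3.20 Dockerfiles, so the template is the place to change it. The `{{ if [ "5.0", "5.1" ] | index(env.version) then ( -}}` guard works only because jq treats the index `0` returned for "5.0" as truthy, which is correct but easy to misread; `env.version | IN("5.0", "5.1")` states the intent directly if the jq in use provides `IN`.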
@@ -87,7 +116,7 @@ RUN set -eux; \ echo "$adapter:" >> ./config/database.yml; \ echo " adapter: $adapter" >> ./config/database.yml; \ done; \ - su-exec redmine bundle install --jobs "$(nproc)"; \ + gosu redmine bundle install --jobs "$(nproc)"; \ rm ./config/database.yml; \ # fix permissions for running as an arbitrary user chmod -R ugo=rwX Gemfile.lock "$GEM_HOME"; \ diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template index d88394c..54f0523 100644 --- a/Dockerfile-debian.template +++ b/Dockerfile-debian.template @@ -58,7 +58,6 @@ RUN set -eux; \ gosu --version; \ gosu nobody true - ENV RAILS_ENV production WORKDIR /usr/src/redmine diff --git a/apply-templates.sh b/apply-templates.sh index 41cb3bb..56e00b9 100755 --- a/apply-templates.sh +++ b/apply-templates.sh @@ -53,12 +53,9 @@ for version; do mkdir -p "$dir" - cp -f docker-entrypoint.sh "$dir/" - case "$variant" in alpine*) template='Dockerfile-alpine.template' - sed -i -e 's/gosu/su-exec/g' "$dir/docker-entrypoint.sh" ;; *) template='Dockerfile-debian.template' @@ -69,5 +66,7 @@ for version; do generated_warning gawk -f "$jqt" "$template" } > "$dir/Dockerfile" + + cp -a docker-entrypoint.sh "$dir/" done done
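Review bot: The new `cp -a docker-entrypoint.sh "$dir/"` at the end of the loop body replaces the earlier `cp -f` without saying why the flags changed; `-a` preserves the source mode (the file header shows 100755, so the generated copy stays executable) but drops `-f`, so the copy fails instead of overwriting a destination that is not writable, which only matters if a generated copy is ever left read-only. A comment such as `# -a keeps the entrypoint's 0755 mode; the alpine variants no longer rewrite it, so one copy after template expansion suffices` records both the mode requirement and why the `sed -i -e 's/gosu/su-exec/g'` rewrite removed in the first hunk of this file is no longer needed. The enclosing `for version; do` loop starts outside the hunk.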