[misc] narrow down write access/ownership for the run-time user

2020-02-19 12:06:28 +01:00
parent c5d10d02fc
commit 4ee0dc2471
4 changed files with 13 additions and 12 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -5,4 +5,6 @@ gitrev
 .npm
 .nvmrc
 nodemon.json
 cache/
 compiles/
 db/
--- a/4
+++ b/4
@@ -24,7 +24,7 @@ COPY . /app
 FROM base
 COPY --from=app /app /app
-RUN mkdir -p db \
+RUN mkdir -p cache compiles db \
-&&  chown node:node db
+&&  chown node:node cache compiles db
 CMD ["node", "--expose-gc", "app.js"]
--- a/buildscript.txt
+++ b/buildscript.txt
@@ -1,6 +1,6 @@
 clsi
 --acceptance-creds=None
--data-dirs=db
+--data-dirs=cache,compiles,db
 --dependencies=
 --docker-repos=gcr.io/overleaf-ops
 --env-add=
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,22 +2,21 @@
 docker --version >&2
 # add the node user to the docker group on the host
 DOCKER_GROUP=$(stat -c '%g' /var/run/docker.sock)
 groupadd --non-unique --gid ${DOCKER_GROUP} dockeronhost
 usermod -aG dockeronhost node
-mkdir -p /app/cache
+# compatibility: initial volume setup
-chown -R node:node /app/cache
+chown node:node /app/cache
 chown node:node /app/compiles
 chown node:node /app/db
-mkdir -p /app/compiles
+# acceptance tests
 chown -R node:node /app/compiles
 chown -R node:node /app/bin/synctex
 mkdir -p /app/test/acceptance/fixtures/tmp/
-chown -R node:node /app
+chown -R node:node /app/test/acceptance/fixtures
 chown -R node:node /app/bin
 # make synctex available for remount in compiles
 cp /app/bin/synctex /app/bin/synctex-mount/synctex
 exec runuser -u node -- "$@"