tests pass under app user

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:6.13.0
+FROM node:6.13.0 as app
 
 COPY ./ /app
 
@@ -6,11 +6,22 @@ WORKDIR /app
 
 RUN npm install
 
+
+RUN npm run compile:all
+
+FROM node:6.13.0
+
+COPY --from=app /app /app
+
+WORKDIR /app
+
+
+# All app and node_modules will be owned by root.
+# The app will run as the 'app' user, and so not have write permissions
+# on any files it doesn't need.
+RUN useradd --user-group --create-home --home-dir /app --shell /bin/bash app
+
 RUN [ -e ./install_deps.sh ] && ./install_deps.sh
 
-RUN npm run compile
-
-ENV SHARELATEX_CONFIG /app/config/settings.production.coffee
-ENV NODE_ENV production
-
-CMD ["node","/app/app.js"]
+USER app
+CMD ["node","app.js"]

Jenkinsfile

@@ -9,34 +9,9 @@ pipeline {
   }
 
   stages {
-    stage('Install') {
-      agent {
-        docker {
-          image 'node:6.13.0'
-          args "-v /var/lib/jenkins/.npm:/tmp/.npm -e HOME=/tmp"
-          reuseNode true
-        }
-      }
+    stage('Build') {
       steps {
-        // we need to disable logallrefupdates, else git clones 
-        // during the npm install will require git to lookup the 
-        // user id which does not exist in the container's 
-        // /etc/passwd file, causing the clone to fail.
-        sh 'git config --global core.logallrefupdates false'
-        sh 'rm -rf node_modules'
-        sh 'npm install && npm rebuild'
-      }
-    }
-
-    stage('Compile') {
-      agent {
-        docker {
-          image 'node:6.13.0'
-          reuseNode true
-        }
-      }
-      steps {
-        sh 'npm run compile:all'
+        sh 'make build'
       }
     }
 
@@ -54,12 +29,7 @@ pipeline {
 
     stage('Package and publish build') {
       steps {
-        sh 'echo ${BUILD_NUMBER} > build_number.txt'
-        sh 'touch build.tar.gz' // Avoid tar warning about files changing during read
-        sh 'tar -czf build.tar.gz --exclude=build.tar.gz --exclude-vcs .'
-        withAWS(credentials:'S3_CI_BUILDS_AWS_KEYS', region:"${S3_REGION_BUILD_ARTEFACTS}") {
-            s3Upload(file:'build.tar.gz', bucket:"${S3_BUCKET_BUILD_ARTEFACTS}", path:"${JOB_NAME}/${BUILD_NUMBER}.tar.gz")
-        }
+        sh 'make publish'
       }
     }
 

Makefile

@@ -28,5 +28,10 @@ test_acceptance: test_clean # clear the database before each acceptance test run
 
 test_clean:
 	$(DOCKER_COMPOSE) down -t 0
+build:
+	docker build --pull --tag quay.io/sharelatex/$(PROJECT_NAME):$(BRANCH_NAME)-$(BUILD_NUMBER) .
+
+publish:
+	docker push quay.io/sharelatex/$(PROJECT_NAME):$(BRANCH_NAME)-$(BUILD_NUMBER)
 
 .PHONY: clean test test_unit test_acceptance test_clean build publish

docker-compose.ci.yml

@@ -7,17 +7,11 @@ version: "2"
 
 services:
   test_unit:
-    image: node:6.13.0
-    volumes:
-      - .:/app
-    working_dir: /app
+    image: quay.io/sharelatex/$PROJECT_NAME:$BRANCH_NAME-$BUILD_NUMBER
     entrypoint: npm run test:unit:_run
 
   test_acceptance:
-    image: node:6.13.0
-    volumes:
-      - .:/app
-    working_dir: /app
+    image: quay.io/sharelatex/$PROJECT_NAME:$BRANCH_NAME-$BUILD_NUMBER
     environment:
       REDIS_HOST: redis
       MONGO_HOST: mongo

docker-compose.yml

@@ -14,7 +14,7 @@ services:
     entrypoint: npm run test:unit
 
   test_acceptance:
-    image: node:6.13.0
+    build: .
     volumes:
       - .:/app
     working_dir: /app

install_deps.sh

@@ -1,4 +1,8 @@
 /bin/sh
 wget -qO- https://get.docker.com/ | sh
-apt-get install poppler-utils vim ghostscript --yes
+apt-get install poppler-utils ghostscript --yes
 npm rebuild
+usermod -aG docker app
+
+touch /var/run/docker.sock
+chown root:docker /var/run/docker.sock