proper permission usage for volumes

olegabr · olegabr · commit 2467ebffb88d · 2016-12-28T17:03:44.000+07:00
The official images used as a reference (http://stackoverflow.com/a/29799703)
diff --git a/Dockerfile b/Dockerfile
@@ -4,37 +4,51 @@ MAINTAINER Kyle Manna <kyle@kylemanna.com>
 ARG USER_ID
 ARG GROUP_ID
 
-RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8842ce5e && \
-    echo "deb http://ppa.launchpad.net/bitcoin/bitcoin/ubuntu xenial main" > /etc/apt/sources.list.d/bitcoin.list
-
-RUN apt-get update && \
-    apt-get install -y bitcoind && \
-    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
 ENV HOME /bitcoin
 
 # add user with specified (or default) user/group ids
 ENV USER_ID ${USER_ID:-1000}
 ENV GROUP_ID ${GROUP_ID:-1000}
-RUN groupadd -g ${GROUP_ID} bitcoin
-RUN useradd -u ${USER_ID} -g bitcoin -s /bin/bash -m -d /bitcoin bitcoin
 
-RUN chown bitcoin:bitcoin -R /bitcoin
+# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
+RUN groupadd -g ${GROUP_ID} bitcoin \
+	&& useradd -u ${USER_ID} -g bitcoin -s /bin/bash -m -d /bitcoin bitcoin
 
-ADD ./bin /usr/local/bin
-RUN chmod a+x /usr/local/bin/*
+RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8842ce5e && \
+    echo "deb http://ppa.launchpad.net/bitcoin/bitcoin/ubuntu xenial main" > /etc/apt/sources.list.d/bitcoin.list
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+		bitcoind \
+	&& apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# grab gosu for easy step-down from root
+ENV GOSU_VERSION 1.7
+RUN set -x \
+	&& apt-get update && apt-get install -y --no-install-recommends \
+		ca-certificates \
+		wget \
+	&& wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
+	&& wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
+	&& export GNUPGHOME="$(mktemp -d)" \
+	&& gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
+	&& gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+	&& rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
+	&& chmod +x /usr/local/bin/gosu \
+	&& gosu nobody true \
+	&& apt-get purge \
+		ca-certificates \
+		wget \
+	&& apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-# For some reason, docker.io (0.9.1~dfsg1-2) pkg in Ubuntu 14.04 has permission
-# denied issues when executing /bin/bash from trusted builds.  Building locally
-# works fine (strange).  Using the upstream docker (0.11.1) pkg from
-# http://get.docker.io/ubuntu works fine also and seems simpler.
-USER bitcoin
+ADD ./bin /usr/local/bin
 
 VOLUME ["/bitcoin"]
 
 EXPOSE 8332 8333 18332 18333
 
 WORKDIR /bitcoin
 
-CMD ["btc_oneshot"]
+COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
 
+CMD ["btc_oneshot"]
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+# first arg is `-f` or `--some-option`
+# or first arg is `something.conf`
+if [ "${1#-}" != "$1" ] || [ "${1%.conf}" != "$1" ]; then
+	set -- btc_oneshot "$@"
+fi
+
+# allow the container to be started with `--user`
+if [ "$1" = 'btc_oneshot' -a "$(id -u)" = '0' ]; then
+	chown -R bitcoin .
+	exec gosu bitcoin "$0" "$@"
+fi
+
+exec "$@"
+
