From bfd49eabd0c4d7e0f94dfe4f73d938ebdb9e9cd5 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Tue, 18 Jun 2024 14:57:35 -0700 Subject: [PATCH] Replace `su-exec` with `gosu` See https://github.com/docker-library/postgres/commit/cefde5ff6f102fcd381a03210c7734816c59aa3e + https://github.com/docker-library/postgres/commit/3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7 + linked PR for more details/discussion. --- 5/alpine/Dockerfile | 48 +++++++++++++++++++++++++++-------- 5/alpine/docker-entrypoint.sh | 2 +- 5/debian/Dockerfile | 2 +- 3 files changed, 40 insertions(+), 12 deletions(-) diff --git a/5/alpine/Dockerfile b/5/alpine/Dockerfile index cc0c9d8f..e6273a68 100644 --- a/5/alpine/Dockerfile +++ b/5/alpine/Dockerfile @@ -2,13 +2,41 @@ # https://github.com/nodejs/Release (looking for "LTS") FROM node:18-alpine3.19 -# grab su-exec for easy step-down from root -RUN apk add --no-cache 'su-exec>=0.2' - RUN apk add --no-cache \ # add "bash" for "[[" bash +# grab gosu for easy step-down from root +# https://github.com/tianon/gosu/releases +ENV GOSU_VERSION 1.17 +RUN set -eux; \ + \ + apk add --no-cache --virtual .gosu-deps \ + ca-certificates \ + dpkg \ + gnupg \ + ; \ + \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + \ +# verify the signature + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ +# clean up fetch dependencies + apk del --no-network .gosu-deps; \ + \ + chmod +x /usr/local/bin/gosu; \ +# verify that the binary works + gosu --version; \ + gosu nobody true +RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (TODO remove in Ghost 6+) + ENV NODE_ENV production ENV GHOST_CLI_VERSION 1.26.0 @@ -27,7 +55,7 @@ RUN set -eux; \ \ apkDel=; \ \ - installCmd='su-exec node ghost install "$GHOST_VERSION" --db mysql --dbhost mysql --no-prompt --no-stack --no-setup --dir "$GHOST_INSTALL"'; \ + installCmd='gosu node ghost install "$GHOST_VERSION" --db mysql --dbhost mysql --no-prompt --no-stack --no-setup --dir "$GHOST_INSTALL"'; \ if ! eval "$installCmd"; then \ virtual='.build-deps-ghost'; \ apkDel="$apkDel $virtual"; \ @@ -37,11 +65,11 @@ RUN set -eux; \ \ # Tell Ghost to listen on all ips and not prompt for additional configuration cd "$GHOST_INSTALL"; \ - su-exec node ghost config --no-prompt --ip '::' --port 2368 --url 'http://localhost:2368'; \ - su-exec node ghost config paths.contentPath "$GHOST_CONTENT"; \ + gosu node ghost config --no-prompt --ip '::' --port 2368 --url 'http://localhost:2368'; \ + gosu node ghost config paths.contentPath "$GHOST_CONTENT"; \ \ # make a config.json symlink for NODE_ENV=development (and sanity check that it's correct) - su-exec node ln -s config.production.json "$GHOST_INSTALL/config.development.json"; \ + gosu node ln -s config.production.json "$GHOST_INSTALL/config.development.json"; \ readlink -f "$GHOST_INSTALL/config.development.json"; \ \ # need to save initial content for pre-seeding empty volumes @@ -65,7 +93,7 @@ RUN set -eux; \ ')"; \ if echo "$packages" | grep 'undefined'; then exit 1; fi; \ for package in $packages; do \ - installCmd='su-exec node yarn add "$package" --force'; \ + installCmd='gosu node yarn add "$package" --force'; \ if ! eval "$installCmd"; then \ # must be some non-amd64 architecture pre-built binaries aren't published for, so let's install some build deps and do-it-all-over-again virtualPackages='g++ make python3'; \ @@ -85,8 +113,8 @@ RUN set -eux; \ apk del --no-network $apkDel; \ fi; \ \ - su-exec node yarn cache clean; \ - su-exec node npm cache clean --force; \ + gosu node yarn cache clean; \ + gosu node npm cache clean --force; \ npm cache clean --force; \ rm -rv /tmp/yarn* /tmp/v8* diff --git a/5/alpine/docker-entrypoint.sh b/5/alpine/docker-entrypoint.sh index c4d007b5..f4614d4e 100755 --- a/5/alpine/docker-entrypoint.sh +++ b/5/alpine/docker-entrypoint.sh @@ -4,7 +4,7 @@ set -e # allow the container to be started with `--user` if [[ "$*" == node*current/index.js* ]] && [ "$(id -u)" = '0' ]; then find "$GHOST_CONTENT" \! -user node -exec chown node '{}' + - exec su-exec node "$BASH_SOURCE" "$@" + exec gosu node "$BASH_SOURCE" "$@" fi if [[ "$*" == node*current/index.js* ]]; then diff --git a/5/debian/Dockerfile b/5/debian/Dockerfile index d73ad8ea..0b727437 100644 --- a/5/debian/Dockerfile +++ b/5/debian/Dockerfile @@ -4,7 +4,7 @@ FROM node:18-bookworm-slim # grab gosu for easy step-down from root # https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.16 +ENV GOSU_VERSION 1.17 RUN set -eux; \ # save list of currently installed packages for later so we can clean up savedAptMark="$(apt-mark showmanual)"; \