From bbd15dce97da080f5eda5cce67af5f28d628f23f Mon Sep 17 00:00:00 2001
From: Adam Kocoloski
Date: Thu, 18 Oct 2018 10:38:16 -0400
Subject: [PATCH 1/3] Chown files in /opt/couchdb only when necessary

Recursive modification of ownership and permissions in the entrypoint has been implicated in slow container startup times. This change checks the ownership first and only modifies it if necessary. It is modeled after similar changes recently applied to a number of other projects e.g. docker-library/redis#166.
---
 2.2.0/docker-entrypoint.sh | 8 ++++++--
 dev/docker-entrypoint.sh | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/2.2.0/docker-entrypoint.sh b/2.2.0/docker-entrypoint.sh
index 4ba69b4..7c1be54 100755
--- a/2.2.0/docker-entrypoint.sh
+++ b/2.2.0/docker-entrypoint.sh
@@ -25,8 +25,12 @@ if [ "$1" = 'couchdb' ]; then
 fi
 if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
- # we need to set the permissions here because docker mounts volumes as root
- chown -fR couchdb:couchdb /opt/couchdb || true
+ # Check that we own everything in /opt/couchdb and fix if necessary. We also
+ # add the `-f` flag in all the following invocations because there may be
+ # cases where some of these ownership and permissions issues are non-fatal
+ # (e.g. a config file owned by root with o+r is actually fine), and we don't
+ # to be too aggressive about crashing here ...
+ find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +
 chmod -fR 0770 /opt/couchdb/data || true
diff --git a/dev/docker-entrypoint.sh b/dev/docker-entrypoint.sh
index 4ba69b4..7c1be54 100755
--- a/dev/docker-entrypoint.sh
+++ b/dev/docker-entrypoint.sh
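Review bot: The new `-exec chown -f couchdb:couchdb '{}' +` dereferences symbolic links, which the replaced `chown -fR` (default `-P`) did not: any symlink under /opt/couchdb — including one sitting in a mounted data volume — that is not owned by couchdb:couchdb is handed to chown, and chown then changes the owner of the link's target wherever it lives. Because find's `-user`/`-group` tests look at the link itself, the consistent fix is `-exec chown -fh couchdb:couchdb '{}' +` so chown acts on the link as well. Separately, `-f` only silences chown's error messages, its exit status is still non-zero on failure and `find ... +` propagates that, so the dropped `|| true` is still needed if the script runs under `set -e` (not visible in this hunk); the same applies to every `find ... -exec chmod -f` line added in the next two commits. The added comment is also missing a word, suggest `# (e.g. a config file owned by root with o+r is actually fine), and we don't want to be too aggressive about crashing here`. The identical hunk in dev/docker-entrypoint.sh needs the same changes.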
@@ -25,8 +25,12 @@ if [ "$1" = 'couchdb' ]; then
 fi
 if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
- # we need to set the permissions here because docker mounts volumes as root
- chown -fR couchdb:couchdb /opt/couchdb || true
+ # Check that we own everything in /opt/couchdb and fix if necessary. We also
+ # add the `-f` flag in all the following invocations because there may be
+ # cases where some of these ownership and permissions issues are non-fatal
+ # (e.g. a config file owned by root with o+r is actually fine), and we don't
+ # to be too aggressive about crashing here ...
+ find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +
 chmod -fR 0770 /opt/couchdb/data || true

From 1171e3dc9960cc13c8609b707804d78dcca784b0 Mon Sep 17 00:00:00 2001
From: Adam Kocoloski
Date: Thu, 18 Oct 2018 10:53:55 -0400
Subject: [PATCH 2/3] Chmod data files only if necessary

Previously we had been doing a blanket recursive chmod to 770 on everything in the datadir. This had a few problems:
- The files themselves need not have the executable bit set
- CouchDB itself creates directories and files with 755/644
- Executing lots of chmod operations caused startup delays

This patch makes the execution of chmod conditional, and works to set the permissions to what they would normally be when CouchDB creates the the files and directories.
---
 2.2.0/docker-entrypoint.sh | 9 ++++++++-
 dev/docker-entrypoint.sh | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/2.2.0/docker-entrypoint.sh b/2.2.0/docker-entrypoint.sh
index 7c1be54..f08e9f1 100755
--- a/2.2.0/docker-entrypoint.sh
+++ b/2.2.0/docker-entrypoint.sh
@@ -32,7 +32,14 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
 # to be too aggressive about crashing here ...
 find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +
- chmod -fR 0770 /opt/couchdb/data || true
+ # Ensure that data files have the correct permissions. We were previously
+ # preventing any access to these files outside of couchdb:couchdb, but it
+ # turns out that CouchDB itself does not set such restrictive permissions
+ # when it creates the files. The approach taken here ensures that the
+ # contents of the datadir have the same permissions as they had when they
+ # were initially created. This should minimize any startup delay.
+ find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
+ find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
 find /opt/couchdb/etc -name \*.ini -exec chmod -f 664 {} \;
 chmod -f 775 /opt/couchdb/etc/*.d || true
diff --git a/dev/docker-entrypoint.sh b/dev/docker-entrypoint.sh
index 7c1be54..f08e9f1 100755
--- a/dev/docker-entrypoint.sh
+++ b/dev/docker-entrypoint.sh
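Review bot: The two new find lines test for an exact mode (`! -perm 0755`, `! -perm 0644`), so a tighter mode already present on the data volume — 0750 on directories or 0600 on database files, which a deployment may well have set on purpose — is widened back to world-readable on every container start, and unlike the replaced `chmod -fR 0770` the end state is that every database file is readable by any UID in the container. If the intent is only to make the data usable by the couchdb user, test for the bits it needs and add just those, leaving group/other bits as found: `find /opt/couchdb/data -type d ! -perm -0700 -exec chmod -f u+rwx '{}' +` and `find /opt/couchdb/data -type f ! -perm -0600 -exec chmod -f u+rw '{}' +`. The comment's claim that this restores "the same permissions as they had when they were initially created" then also becomes true only for files CouchDB created itself, which is worth stating explicitly. The same hunk in dev/docker-entrypoint.sh needs the same change.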
@@ -32,7 +32,14 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
 # to be too aggressive about crashing here ...
 find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +
- chmod -fR 0770 /opt/couchdb/data || true
+ # Ensure that data files have the correct permissions. We were previously
+ # preventing any access to these files outside of couchdb:couchdb, but it
+ # turns out that CouchDB itself does not set such restrictive permissions
+ # when it creates the files. The approach taken here ensures that the
+ # contents of the datadir have the same permissions as they had when they
+ # were initially created. This should minimize any startup delay.
+ find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
+ find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
 find /opt/couchdb/etc -name \*.ini -exec chmod -f 664 {} \;
 chmod -f 775 /opt/couchdb/etc/*.d || true

From be3fd23e58d3a4922666451ed8fb7305992374f6 Mon Sep 17 00:00:00 2001
From: Adam Kocoloski
Date: Thu, 18 Oct 2018 11:16:22 -0400
Subject: [PATCH 3/3] Chmod config files only if necessary

This patch also drops the target permissions from 775/664 to 755/644, as the latter permissions are the ones set by the CouchDB installation itself.
---
 2.2.0/docker-entrypoint.sh | 8 ++++++--
 dev/docker-entrypoint.sh | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/2.2.0/docker-entrypoint.sh b/2.2.0/docker-entrypoint.sh
index f08e9f1..7fdb04b 100755
--- a/2.2.0/docker-entrypoint.sh
+++ b/2.2.0/docker-entrypoint.sh
@@ -41,8 +41,12 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
 find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
 find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
- find /opt/couchdb/etc -name \*.ini -exec chmod -f 664 {} \;
- chmod -f 775 /opt/couchdb/etc/*.d || true
+ # Do the same thing for configuration files and directories. Technically
+ # CouchDB only needs read access to the configuration files as all online
+ # changes will be applied to the "docker.ini" file below, but we set 644
+ # for the sake of consistency.
+ find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
+ find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
 if [ ! -z "$NODENAME" ] && ! grep "couchdb@" /opt/couchdb/etc/vm.args; then
 echo "-name couchdb@$NODENAME" >> /opt/couchdb/etc/vm.args
diff --git a/dev/docker-entrypoint.sh b/dev/docker-entrypoint.sh
index f08e9f1..7fdb04b 100755
--- a/dev/docker-entrypoint.sh
+++ b/dev/docker-entrypoint.sh
@@ -41,8 +41,12 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
 find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
 find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
- find /opt/couchdb/etc -name \*.ini -exec chmod -f 664 {} \;
- chmod -f 775 /opt/couchdb/etc/*.d || true
+ # Do the same thing for configuration files and directories. Technically
+ # CouchDB only needs read access to the configuration files as all online
+ # changes will be applied to the "docker.ini" file below, but we set 644
+ # for the sake of consistency.
+ find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
+ find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
 if [ ! -z "$NODENAME" ] && ! grep "couchdb@" /opt/couchdb/etc/vm.args; then
 echo "-name couchdb@$NODENAME" >> /opt/couchdb/etc/vm.args
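Review bot: `find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644` forces every config file back to world-readable inside the container on each start, including one an operator has deliberately set to 0600; CouchDB's ini files are where the `[admins]` password hashes live, and the comment above this line says docker.ini is the file that receives online changes (the part of the script that writes it is outside this hunk), so this is the one directory where an exact-mode reset is hardest to justify "for the sake of consistency". Testing for the bits CouchDB needs and adding only those keeps a hardened mode intact: `find /opt/couchdb/etc -type d ! -perm -0700 -exec chmod -f u+rwx '{}' +` and `find /opt/couchdb/etc -type f ! -perm -0600 -exec chmod -f u+rw '{}' +` (write is still required on docker.ini for the online changes the comment mentions). If 644 is kept, the comment should say so as a deliberate choice, e.g. `# NOTE: this also resets any stricter mode an operator set on the config files`. Both the 2.2.0 and the dev hunk here need the same change.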