Ubi with runit #150
Ubi with runit #150
Conversation
|
Cool. Can you explain the reasoning behind the root group and the use of unit in this way? |
|
Sure, the root group use is based on OpenShift advice specifically: OpenShift will run the container with a UID that also belongs to the root group, so assigning file permissions to the root group ensures that at execute time the user will have the required permissions. The container expects to be run as an arbitrary user that starts the runit service, this uses chpst to run the couchdb process as the couchdb user. The runit setup is based on the CouchDB docs. With the main tweak being that while a default run file is provided, the docker entry point can also lay down a custom run file if the user wants to run couchdb with specific parameters. This is for compatibility with existing Dockerfiles. |
| io.openshift.min-cpu="1" | ||
|
|
||
| # Add CouchDB user account to make sure the IDs are assigned consistently | ||
| # CouchDB user added to root group for OpenShift support |
There was a problem hiding this comment.
perhaps reference https://docs.openshift.com/enterprise/3.2/creating_images/guidelines.html#openshift-enterprise-specific-guidelines in the comment here
| # cases where some of these ownership and permissions issues are non-fatal | ||
| # (e.g. a config file owned by root with o+r is actually fine), and we don't | ||
| # to be too aggressive about crashing here ... | ||
| find /opt/couchdb \! \( -user couchdb -group 0 \) -exec chown -f couchdb:0 '{}' + |
There was a problem hiding this comment.
so this entrypoint (which is the default) doesn't support arbitrary UIDs? Does that work in OpenShift?
| # cases where some of these ownership and permissions issues are non-fatal | ||
| # (e.g. a config file owned by root with o+r is actually fine), and we don't | ||
| # to be too aggressive about crashing here ... | ||
| find /opt/couchdb \! \( -user couchdb -group 0 \) -exec chown -f couchdb:0 '{}' + |
|
@willholley if you can help out here vis a vis the chmod/chown changes in the other PR I just approved, we can get this merged, too. |
welshDoug
force-pushed
the
ubi-with-runit
branch
from
b71490c to
b264a6d
Compare
|
@wohali I've had Wills help in pulling the chmod/chown changes into this PR, are there any other changes you think are necessary? |
|
@kocolosk can i get one final PR review on this from you please with special attention to the chmod/chown stuff? thanks :) |
2.3.1-ubi7/Dockerfile
Outdated
| # Setup directories and permissions for config. Technically these could be 555 and 444 respectively | ||
| # but we keep them as 755 and 644 for consistency with CouchDB defaults and the dockerfile_entrypoint. | ||
| find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0775 '{}' +; \ | ||
| find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0664 '{}' +; \ |
There was a problem hiding this comment.
Should the check here be looking for 0775 / 0664 instead of 0755 / 0644? Looks like it might have been an oversight in the switch to the root group.
| # changes will be applied to the "docker.ini" file below, but we set 644 | ||
| # for the sake of consistency. | ||
| find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' + | ||
| find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' + |
There was a problem hiding this comment.
So this will end up removing g+w from the config files and directories if we're starting up as root. I ... suppose that's fine. Perhaps it's worth a comment as it is a discrepancy from the Dockerfile? Also, not sure the comment about docker.ini is accurate in this case as the file has been reordered so docker.ini is already created above (and will have its permissions modified here).
welshDoug
force-pushed
the
ubi-with-runit
branch
from
b264a6d to
9e03b9d
Compare
|
@kocolosk good spot with the permissions :-) I've made those changes and cleaned up the git history a bit |
Installs CouchDB 2.3.1 via the official rpm. To build: ``` $ cd 2.3.1 $ docker build . -f ubi7/Dockerfile ``` Move the ubi-based Dockerfile into its own top level folder, similar to the couchperuser variant. This makes integration with existing build scripts/processes simpler though means a bit of duplication of config files between the different base images. Update UBI based image to use runit instead of gosu to launch CouchDB. Also, includes changes necessary for Red Hat Certification: - licenses folder - Specific labels - couchdb user moved to root group - runit can be launched by any userid
welshDoug
force-pushed
the
ubi-with-runit
branch
from
9e03b9d to
73ea81e
Compare
2.3.1-ubi7/Dockerfile
Outdated
| # Check we own everything in /opt/couchdb. Matches the command in dockerfile_entrypoint.sh | ||
| find /opt/couchdb \! \( -user couchdb -group 0 \) -exec chown -f couchdb:0 '{}' +; \ | ||
| # Setup directories and permissions for config. Technically these could be 555 and 444 respectively | ||
| # but we keep them as 755 and 644 for consistency with CouchDB defaults and the dockerfile_entrypoint. |
| # Do the same thing for configuration files and directories. Technically | ||
| # CouchDB only needs read access to the configuration files, except "docker.ini" | ||
| # (created above) as that is where all online changes will be writted. | ||
| # But we set 644 for the sake of consistency. |
There was a problem hiding this comment.
Outdated comment again (664 not 644).
Overview
This PR supersedes #146 to contribute the latest UBI based container, which now makes use of runit to start/stop the CouchDB process. The docker entry point has been adapted so custom parameters can be passed to couch as with the other CouchDB Dockerfiles.
Also, includes changes necessary for Red Hat Certification: