Skip to content

Commit

Permalink
use the USER directive
Browse files Browse the repository at this point in the history
We are currently using a custom entrypoint script.
However docker has a built in volume / user approach so we can get
rid of this custom approach altogether.
The benefit of this is that it just works across the stack and we don't
need to teach users to run it with `--user node` and such.
Further, using thelounge as an entrypoint means that you don't need to
exec to a running container but can just spawn a throwaway container
(probably with --rm) when you want to manage users etc.

This does have some limitations though if people use bind mounts.
Docker doesn't have the ability to auto chown things
(podman does, with the U option to -v).

So let's suggest named volumes instead (which is better anyways)

Existing users should not be impacted, as the entrypoint script
did the permission setup for them already, so even the new container
should just continue to work.

People who manually mess with the container will have to use
--entrypoint /bin/sh or such, but they shouldn't treat containers
like pets, so breaking that is of no concern.
  • Loading branch information
brunnre8 committed May 1, 2024
1 parent 30c6ed3 commit f6b7bff
Show file tree
Hide file tree
Showing 4 changed files with 19 additions and 31 deletions.
23 changes: 10 additions & 13 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -10,24 +10,21 @@ LABEL org.opencontainers.image.source "https://github.com/thelounge/thelounge-do
LABEL org.opencontainers.image.version "${THELOUNGE_VERSION}"
LABEL org.opencontainers.image.licenses "MIT"

ENV NODE_ENV production

EXPOSE 9000
ENV THELOUNGE_HOME "/var/opt/thelounge"
VOLUME "${THELOUNGE_HOME}"

# Expose HTTP.
ENV PORT 9000
EXPOSE ${PORT}

ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["thelounge", "start"]

COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh

# Install thelounge.
ENV NODE_ENV production
RUN apk --update --no-cache --virtual build-deps add python3 build-base git && \
ln -sf python3 /usr/bin/python && \
yarn --non-interactive --frozen-lockfile global add thelounge@${THELOUNGE_VERSION} && \
yarn --non-interactive cache clean && \
apk del --purge build-deps && \
rm -rf /root/.cache /tmp /usr/bin/python

RUN install -d -o node -g node "${THELOUNGE_HOME}"
# order of the directives matters, keep VOLUME below the dir creation
VOLUME "${THELOUNGE_HOME}"

USER node:node
ENTRYPOINT ["/usr/local/bin/thelounge"]
CMD ["start"]
17 changes: 8 additions & 9 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,18 +39,18 @@ or starting a container manually:
$ docker run --detach \
--name thelounge \
--publish 9000:9000 \
--volume ~/.thelounge:/var/opt/thelounge \
--volume thelounge:/var/opt/thelounge \
--restart always \
ghcr.io/thelounge/thelounge:latest
```

### Executing commands in the container

Due to the way root permissions are dropped in the container, it's highly recommended to pass the `--user node` argument to any
commands you execute in the container via Docker to ensure that file permissions retain the correct owner, like so:
The container is setup to use an unprivileged user (node).
You can directly issue thelounge commands as follows:

```
$ docker exec --user node -it [container_name] thelounge add MyUser
$ docker exec -it [container_name] thelounge help
```

### Configuring identd
Expand All @@ -64,7 +64,7 @@ $ docker run --detach \
--name thelounge \
--publish 113:9001 \
--publish 9000:9000 \
--volume ~/.thelounge:/var/opt/thelounge \
--volume thelounge:/var/opt/thelounge \
--restart always \
ghcr.io/thelounge/thelounge:latest
```
Expand All @@ -75,8 +75,7 @@ Refer to the [identd / oidentd docs](https://thelounge.chat/docs/guides/identd-a

The Lounge reads and stores all of its configuration, logs and other data at `/var/opt/thelounge`.

By default, The Lounge will run using the `node (1000:1000)` system user in the container, leading to mounted data directories
on the host system being owned by said user. This is customizable by changing the container user (see [Container user (advanced usage)](#container-user-advanced-usage)).
By default, The Lounge will run using the `node (1000:1000)` system user in the container, meaning volume contents must be owned by said user.

_You will probably want to persist the data at this location by using [one of the means](https://docs.docker.com/storage/) to do so._

Expand All @@ -85,7 +84,7 @@ _You will probably want to persist the data at this location by using [one of th
Users can be added as follows:

```sh
$ docker exec --user node -it [container_name] thelounge add [username]
$ docker exec -it [container_name] thelounge add [username]
```

_Note: without [persisting data](#data-directory), added users will be lost when the container is removed._
Expand All @@ -99,7 +98,7 @@ change the host port in the port mapping. To make The Lounge available on e.g. p
$ docker run --detach \
--name thelounge \
--publish 5000:9000 \ # Change host port to listen on port 5000
--volume ~/.thelounge:/var/opt/thelounge \
--volume thelounge:/var/opt/thelounge \
--restart always \
ghcr.io/thelounge/thelounge:latest
```
Expand Down
2 changes: 1 addition & 1 deletion docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,4 @@ services:
- "9000:9000"
restart: always
volumes:
- ~/.thelounge:/var/opt/thelounge # bind lounge config from the host's file system
- thelounge:/var/opt/thelounge # uses a named volume on the host
8 changes: 0 additions & 8 deletions docker-entrypoint.sh

This file was deleted.

0 comments on commit f6b7bff

Please sign in to comment.