docker: Fix permission issues, remove user from container

2023-04-12 14:25:13 +00:00 · 2021-11-27 20:19:55 +01:00 · 2021-11-27 20:19:55 +01:00 · 7bf490cb47
commit 7bf490cb47
parent 3ebca01180
3 changed files with 32 additions and 18 deletions
--- a/26
+++ b/26
@ -42,26 +42,16 @@ RUN cargo build --release -p lldap \
 # Final image
 FROM alpine:3.14

-RUN set -x \
-    # Add user
-    && addgroup --gid 10001 app \
-    && adduser --disabled-password \
-        --gecos '' \
-        --ingroup app \
-        --home /app \
-        --uid 10001 \
-        app \
-    # Create the /data folder
-    && mkdir /data && chown app:app /data \
-    && apk add --no-cache bash
-
-USER app
 WORKDIR /app

-COPY --chown=app:app --from=builder /app/app/index.html /app/app/main.js /app/app/style.css app/
-COPY --chown=app:app --from=builder /app/app/pkg app/pkg
-COPY --chown=app:app --from=builder /app/target/release/lldap lldap
-COPY docker-entrypoint.sh .
+COPY --from=builder /app/app/index.html /app/app/main.js /app/app/style.css app/
+COPY --from=builder /app/app/pkg app/pkg
+COPY --from=builder /app/target/release/lldap lldap
+COPY docker-entrypoint.sh lldap_config.docker_template.toml ./
+
+RUN set -x \
+    && apk add --no-cache bash \
+    && chmod a+r -R .

 ENV LDAP_PORT=3890
 ENV HTTP_PORT=17170
--- a/README.md
+++ b/README.md
@ -83,6 +83,8 @@ volumes:
 services:
  lldap:
    image: nitnelave/lldap
+    # Change this to the user:group you want.
+    user: "33:33"
    ports:
      # For LDAP
      - "3890:3890"
@ -90,6 +92,8 @@ services:
      - "17170:17170"
    volumes:
      - "lldap_data:/data"
+      # Alternatively, you can mount a local folder
+      # - "./lldap_data:/data"
    environment:
      - LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM
      - LLDAP_LDAP_USER_PASS=REPLACE_WITH_PASSWORD
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -15,4 +15,24 @@ for SECRET in LLDAP_JWT_SECRET LLDAP_LDAP_USER_PASS; do
    fi
 done

+CONFIG_FILE=/data/lldap_config.toml
+
+if [[ ( ! -w "/data" ) ]] || [[ ( ! -d "/data" ) ]]; then
+  echo "[entrypoint] The /data folder doesn't exist or cannot be written to. Make sure to mount
+  a volume or folder to /data to persist data across restarts, and that the current user can
+  write to it."
+  exit 1
+fi
+
+if [[ ! -f "$CONFIG_FILE" ]]; then
+  echo "[entrypoint] Copying the default config to $CONFIG_FILE"
+  echo "[entrypoint] Edit this file to configure LLDAP."
+  cp /app/lldap_config.docker_template.toml $CONFIG_FILE
+fi
+
+if [[ ! -r "$CONFIG_FILE" ]]; then
+  echo "[entrypoint] Config file is not readable. Check the permissions"
+  exit 1;
+fi
+
 exec /app/lldap "$@"