fix(builder): Non-root slugrunner and slugbuilder

johanneswuerbach · johanneswuerbach · commit edca91bc54be · 2014-09-30T18:43:41.000-07:00
This improves the compatibility to heroku and stops running apps as root
diff --git a/builder/Dockerfile b/builder/Dockerfile
@@ -59,6 +59,8 @@ ENTRYPOINT ["/app/bin/entry"]
 CMD ["/app/bin/boot"]
 EXPOSE 22
 
+RUN addgroup --quiet --gid 2000 slug && useradd slug --uid=2000 --gid=2000
+
 ADD . /app
 ADD sshd_config /etc/ssh/sshd_config
 RUN chown -R root:root /app
diff --git a/builder/slugbuilder/Dockerfile b/builder/slugbuilder/Dockerfile
@@ -1,7 +1,12 @@
 FROM progrium/cedarish:cedar
 MAINTAINER OpDemand <info@opdemand.com>
 
-RUN useradd slugbuilder --home-dir /app
+RUN mkdir /app
+RUN addgroup --quiet --gid 2000 slug && \
+  useradd slug --uid=2000 --gid=2000 --home-dir /app --no-create-home
+RUN chown -R slug:slug /app
+USER slug
+ENV HOME /app
 
 ADD ./builder/ /tmp/builder
 RUN /tmp/builder/install-buildpacks
diff --git a/builder/slugbuilder/builder/build.sh b/builder/slugbuilder/builder/build.sh
@@ -50,14 +50,6 @@ fi
 # buildpacks expect that.
 cp -r $app_dir/. $build_root
 
-# Grant the slugbuilder user access to all relevant
-# directories, then run the rest as slugbuilder
-chown -R slugbuilder:slugbuilder	$app_dir \
-					$cache_root \
-					$buildpack_root \
-					$build_root
-su slugbuilder
-
 ## Buildpack fixes
 
 export APP_DIR="$app_dir"
diff --git a/builder/slugrunner/Dockerfile b/builder/slugrunner/Dockerfile
@@ -1,9 +1,19 @@
 FROM progrium/cedarish:cedar
 MAINTAINER OpDemand <info@opdemand.com>
 
-ADD ./runner /runner
-ENTRYPOINT ["/runner/init"]
+RUN mkdir /app
+RUN addgroup --quiet --gid 2000 slug && \
+    useradd slug --uid=2000 --gid=2000 --home-dir /app --no-create-home \
+        --shell /bin/bash
+RUN chown slug:slug /app
+WORKDIR /app
 
 # add default port to expose (can be overridden)
 ENV PORT 5000
 EXPOSE 5000
+
+ADD ./runner /runner
+RUN chown slug:slug /runner/init
+USER slug
+ENV HOME /app
+ENTRYPOINT ["/runner/init"]
diff --git a/builder/templates/builder b/builder/templates/builder
@@ -25,10 +25,16 @@ def parse_args():
     return user, repo, branch, app
 
 
+def recursive_chown(path, uid, guid):
+    os.chown(os.path.join(path), uid, guid)
+    for root, dirs, files in os.walk(path):
+        for d in dirs:
+            os.chown(os.path.join(root, d), uid, guid)
+        for f in files:
+            os.chown(os.path.join(root, f), uid, guid)
+
+
 DOCKERFILE_SHIM = """FROM deis/slugrunner
-RUN mkdir -p /app
-WORKDIR /app
-ENTRYPOINT ["/runner/init"]
 ADD slug.tgz /app
 """
 
@@ -73,7 +79,13 @@ if __name__ == '__main__':
         config_env = " ".join([ "-e {}='{}'".format(*kv) for kv in json.loads(r.json().get('values', '{}')).items()])
         # some applications do not have a Procfile, so only check for a Dockerfile
         if not os.path.exists(dockerfile):
+            # fix permissions
+            slug_uid = 2000
+            slug_guid = 2000
+            for path in (cache_dir, temp_dir):
+                recursive_chown(path, slug_uid, slug_guid)
             if os.path.exists('/buildpacks'):
+                recursive_chown('/buildpacks', slug_uid, slug_guid)
                 build_cmd = "docker run -i -a stdin {config_env} -v {temp_dir}:/tmp/app -v {cache_dir}:/tmp/cache:rw -v /buildpacks:/tmp/buildpacks deis/slugbuilder".format(**locals())
             else:
                 build_cmd = "docker run -i -a stdin {config_env} -v {temp_dir}:/tmp/app -v {cache_dir}:/tmp/cache:rw deis/slugbuilder".format(**locals())
