Merge pull request #17 from pestotoast/fix-docker-issues

fix docker permission issues

Containers/mastercontainer/Dockerfile

@@ -2,16 +2,14 @@
 FROM php:8.0-apache-bullseye
 
 EXPOSE 80
-# EXPOSE 8080
+EXPOSE 8080
 EXPOSE 8443
 
-RUN mkdir -p /mnt/docker-aio-config/; \
+RUN mkdir -p /mnt/docker-aio-config/;
-    chown www-data:www-data /mnt/docker-aio-config;
 
 VOLUME /mnt/docker-aio-config/
 
-RUN mkdir -p /var/www/docker-aio; \
+RUN mkdir -p /var/www/docker-aio;
-    chown -R www-data:www-data /var/www;
 
 WORKDIR /var/www/docker-aio
 
@@ -25,18 +23,16 @@ RUN apt-get update; \
     rm -rf /var/lib/apt/lists/*
 
 RUN curl "https://caddyserver.com/api/download?os=linux&arch=amd64" -o "/usr/bin/caddy" \
-    && chmod 0755 /usr/bin/caddy \
+    && chmod +x /usr/bin/caddy \
     && /usr/bin/caddy version
 
 RUN cd /var/www/docker-aio; \
     git clone https://github.com/nextcloud/all-in-one.git .; \
-    chown -R www-data:www-data ./; \
     chmod 770 -R ./
 
 RUN mkdir -p /etc/apache2/certs && \
     cd /etc/apache2/certs && \
-    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt; \
+    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt;
-    chown www-data:www-data -R /etc/apache2/certs;
 
 COPY mastercontainer.conf /etc/apache2/sites-available/
 
@@ -60,29 +56,20 @@ RUN a2dissite 000-default && \
     service apache2 restart
 
 RUN mkdir /var/log/supervisord; \
-    mkdir /var/run/supervisord; \
+    mkdir /var/run/supervisord;
-    chown www-data:www-data /var/run/supervisord; \
-    chown www-data:www-data /var/log/supervisord;
 
-RUN mkdir -p /usr/src/php/ext/apcu && curl -fsSL https://pecl.php.net/get/apcu | tar xvz -C "/usr/src/php/ext/apcu" --strip 1 && docker-php-ext-install apcu
+RUN mkdir -p /usr/src/php/ext/apcu && \
+    curl -fsSL https://pecl.php.net/get/apcu | tar xvz -C "/usr/src/php/ext/apcu" --strip 1 && \
+    docker-php-ext-install apcu
 
 COPY Caddyfile /
 COPY start.sh /usr/bin/
 COPY cron.sh /
 COPY supervisord.conf /
 RUN chmod +x /usr/bin/start.sh; \
-    chmod +r /supervisord.conf; \
-    chmod +r /Caddyfile; \
     chmod +x /cron.sh
 
-# add docker group
+USER root
-RUN groupadd -g 998 docker && \
-    usermod -aG docker www-data
-
-# Give root a random password
-RUN echo "root:$(openssl rand -base64 12)" | chpasswd
-
-USER www-data
 
 ENTRYPOINT ["start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

Containers/mastercontainer/start.sh

@@ -11,10 +11,20 @@ if ! [ -a "/var/run/docker.sock" ]; then
     echo "Docker socket is not available. Cannot continue."
     exit 1
 elif ! test -r /var/run/docker.sock; then
-    echo "Docker socket is not readable by the www-data user. Cannot continue."
+    echo "Trying to fix docker.sock permissions internally..."
-    exit 1
+    GROUP="$(stat -c '%g' /var/run/docker.sock)"
+    groupadd -g "$GROUP" docker && \
+    usermod -aG docker root
+    if ! test -r /var/run/docker.sock; then
+        echo "Docker socket is not readable by the root user. Cannot continue."
+        exit 1
+    fi
 fi
 
+# Adjust permissions for all instances
+chown root:root -R /mnt/docker-aio-config
+chmod 770 -R /mnt/docker-aio-config
+
 # Check if volume is writeable
 if ! [ -w /mnt/docker-aio-config ]; then
     echo "/mnt/docker-aio-config is not writeable."
@@ -36,11 +46,9 @@ else
     sleep 10
 fi
 
-# Adjust data permissions
+# Add important folders
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
-
-# Adjust caddy permissions
 mkdir -p /mnt/docker-aio-config/caddy/
 
 # Adjust certs

Containers/mastercontainer/supervisord.conf

@@ -5,7 +5,7 @@ logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
-logfile_backups=10                              
+logfile_backups=10                 
 loglevel=error
 
 [program:apache]

Containers/watchtower/Dockerfile

@@ -8,7 +8,6 @@ RUN set -ex; \
     apt-get update; \
     apt-get install -y --no-install-recommends \
         ca-certificates \
-        openssl \
     ; \
     rm -rf /var/lib/apt/lists/*
 
@@ -17,12 +16,5 @@ COPY --from=watchtower /watchtower /
 COPY start.sh /
 RUN chmod +x /start.sh
 
-# Give root a random password
+USER root
-RUN echo "root:$(openssl rand -base64 12)" | chpasswd
-
-# add docker group
-RUN groupadd -g 998 docker && \
-    usermod -aG docker nobody
-
-USER nobody
 ENTRYPOINT ["/start.sh"]

Containers/watchtower/start.sh

@@ -4,15 +4,22 @@
 if ! [ -a "/var/run/docker.sock" ]; then
     echo "Docker socket is not available. Cannot continue."
     exit 1
-elif ! [ -r "/var/run/docker.sock" ]; then
+elif ! test -r /var/run/docker.sock; then
-    echo "Docker socket is not readable by the nobody user. Cannot continue."
+    echo "Trying to fix docker.sock permissions internally..."
-    exit 1
+    GROUP="$(stat -c '%g' /var/run/docker.sock)"
+    groupadd -g "$GROUP" docker && \
+    usermod -aG docker root
+    if ! test -r /var/run/docker.sock; then
+        echo "Docker socket is not readable by the root user. Cannot continue."
+        exit 1
+    fi
 fi
 
 if [ -n "$CONTAINER_TO_UPDATE" ]; then
     exec /watchtower --cleanup --run-once "$CONTAINER_TO_UPDATE"
 else
     echo "'CONTAINER_TO_UPDATE' is not set. Cannot update anything."
+    exit 1
 fi