Move from running application containers with root user to dedicated scinote user [SCI-11020] (#7834)

.travis.yml

@@ -13,6 +13,7 @@ before_install:
   - curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-x86_64 > docker-compose
   - chmod +x docker-compose
   - sudo mv docker-compose /usr/local/bin
+  - sudo chown --recursive 1000 .
   - make docker-ci
 script:
   - make tests-ci

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:3.2.2-bookworm
+FROM ruby:3.2.5-bookworm
 MAINTAINER SciNote <info@scinote.net>
 
 # additional dependecies
@@ -20,7 +20,8 @@ RUN apt-get update -qq && \
   fonts-wqy-microhei \
   fonts-wqy-zenhei \
   libfile-mimeinfo-perl \
-  chromium-driver \
+  chromium \
+  chromium-sandbox \
   yarnpkg && \
   ln -s /usr/lib/x86_64-linux-gnu/libvips.so.42 /usr/lib/x86_64-linux-gnu/libvips.so && \
   rm -rf /var/lib/apt/lists/*
@@ -35,6 +36,10 @@ ENV BUNDLE_PATH /usr/local/bundle/
 ENV APP_HOME /usr/src/app
 ENV PATH $APP_HOME/bin:$PATH
 RUN mkdir $APP_HOME
+RUN adduser --uid 1000 scinote
+RUN chown scinote:scinote $APP_HOME
+USER scinote
+ENV CHROMIUM_PATH /usr/bin/chromium
 WORKDIR $APP_HOME
 
 CMD rails s -b 0.0.0.0

Dockerfile.production

@@ -1,5 +1,5 @@
 # Building stage
-FROM ruby:3.2.2-bookworm AS builder
+FROM ruby:3.2.5-bookworm AS builder
 
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN \
@@ -23,7 +23,7 @@ COPY . $APP_HOME
 RUN rm -f $APP_HOME/config/application.yml $APP_HOME/production.env
 WORKDIR $APP_HOME
 RUN \
-  --mount=target=$APP_HOME/tmp/bundle,type=cache \
+  --mount=target=/usr/src/app/tmp/bundle,type=cache \
   bundle config set without 'development test' && \
   bundle config set path '/usr/src/app/tmp/bundle' && \
   bundle install --jobs `nproc` && \
@@ -34,14 +34,14 @@ RUN \
 
 RUN \
   --mount=type=cache,target=/usr/local/share/.cache/yarn/v6,sharing=locked \
-  --mount=type=cache,target=$APP_HOME/node_modules,sharing=locked \
+  --mount=type=cache,target=/usr/src/app/node_modules,sharing=locked \
   DATABASE_URL=postgresql://postgres@db/scinote_production \
   SECRET_KEY_BASE=dummy \
   DEFACE_ENABLED=true \
-  bash -c "rake assets:precompile && rake deface:precompile"
+  bash -c "rake assets:precompile && rake deface:precompile && rm -rf ./tmp/cache"
 
 # Final stage
-FROM ruby:3.2.2-bookworm AS runner
+FROM ruby:3.2.5-bookworm AS runner
 MAINTAINER SciNote <info@scinote.net>
 
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
@@ -76,6 +76,7 @@ RUN \
   libvips42 \
   graphviz \
   chromium \
+  chromium-sandbox \
   libfile-mimeinfo-perl \
   yarnpkg && \
   /usr/share/nodejs/yarn/bin/yarn add puppeteer@npm:puppeteer-core@^22.15.0 && \
@@ -98,8 +99,13 @@ ENV GEM_HOME=$APP_HOME/vendor/bundle/ruby/3.2.0
 ENV PATH=$GEM_HOME/bin:$PATH
 ENV BUNDLE_APP_CONFIG=.bundle
 
-COPY --from=builder $APP_HOME $APP_HOME
+RUN adduser --uid 1000 scinote
+RUN chown scinote:scinote $APP_HOME
+USER scinote
 
+COPY --from=builder --chown=scinote:scinote $APP_HOME $APP_HOME
+
+ENV CHROMIUM_PATH /usr/bin/chromium
 WORKDIR $APP_HOME
 
 CMD rails s -b 0.0.0.0

Gemfile

@@ -2,7 +2,7 @@
 
 source 'http://rubygems.org'
 
-ruby '3.2.2'
+ruby '~> 3.2.2'
 
 gem 'activerecord-session_store'
 gem 'bootsnap', require: false

Gemfile.lock

@@ -902,4 +902,4 @@ RUBY VERSION
    ruby 3.2.2p53
 
 BUNDLED WITH
-   2.4.10
+   2.5.11

Makefile

@@ -22,13 +22,13 @@ heroku:
 	@echo "Set environment variables, DATABASE_URL, RAILS_SERVE_STATIC_FILES, RAKE_ENV, RAILS_ENV, SECRET_KEY_BASE"
 
 docker:
-	@docker-compose build
+	@docker-compose --progress plain build
 
 docker-ci:
 	@docker-compose --progress plain build web
 
 docker-production:
-	@docker-compose -f docker-compose.production.yml build --build-arg BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)
+	@docker-compose --progress plain -f docker-compose.production.yml build --build-arg BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)
 
 config-production:
 ifeq (production.env,$(wildcard production.env))

bin/chromium

@@ -1,2 +0,0 @@
-#!/bin/bash
-env -i /usr/bin/chromium $@

config/initializers/grover.rb

@@ -3,8 +3,8 @@
 Grover.configure do |config|
   config.options = {
     cache: false,
-    executable_path: './bin/chromium',
-    launch_args: %w(--disable-gpu --no-sandbox),
+    executable_path: ENV['CHROMIUM_PATH'] || '/usr/bin/chromium',
+    launch_args: %w(--disable-dev-shm-usage --disable-gpu --no-sandbox),
     timeout: Constants::GROVER_TIMEOUT_MS
   }
 end

docker-compose.yml

@@ -19,6 +19,7 @@ services:
     container_name: scinote_web_development
     stdin_open: true
     tty: true
+    user: scinote
     depends_on:
       - db
     ports:
@@ -43,6 +44,7 @@ services:
     container_name: scinote_webpack_development
     stdin_open: true
     tty: true
+    user: scinote
     command: >
       bash -c "yarn install && yarn build --watch"
     environment:
@@ -60,6 +62,7 @@ services:
     container_name: scinote_css_bundling_development
     stdin_open: true
     tty: true
+    user: scinote
     command: >
       bash -c "yarn build:css --watch"
     environment:
@@ -77,6 +80,7 @@ services:
     container_name: scinote_tailwind_development
     stdin_open: true
     tty: true
+    user: scinote
     command: >
       bash -c "rails tailwindcss:watch"
     environment: