From 06f654f4bef1ad7f20e044c21dc4049b7cf74365 Mon Sep 17 00:00:00 2001
From: Vincent De Borger <48948316+DB-Vincent@users.noreply.github.com>
Date: Thu, 19 Dec 2024 16:16:25 +0100
Subject: [PATCH] Add UID and GID to set the user & group ID's during runtime (#10)

This PR add the option to set UID/GID during runtime, making sure the application is running as a non-root user. Besides this, it also helps with making sure UID/GID match between containers.
---
 Dockerfile | 16 ++++++++++++----
 entrypoint.sh | 22 ++++++++++++++++++++++
 readme.md | 2 ++
 3 files changed, 36 insertions(+), 4 deletions(-)
 create mode 100644 entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
index 8f8d4e0..ef04af7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,13 +18,16 @@ ENV INGEST_DIR=/cwa-book-ingest
 ENV STATUS_TIMEOUT=3600
 ENV PYTHONPATH=/app
 
-RUN mkdir -p ${INGEST_DIR}
+# Default UID and GID (can be overridden at runtime)
+ENV UID=1000
+ENV GID=100
+
 # Set working directory
 WORKDIR /app
 
 # Install system dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends --no-install-suggests\
- calibre p7zip curl \
+RUN apt-get update && apt-get install -y --no-install-recommends --no-install-suggests \
+ calibre p7zip curl gosu \
 && rm -rf /var/lib/apt/lists/*
 
 # Copy requirements first for better caching
@@ -35,7 +38,8 @@ RUN pip install --no-cache-dir -r requirements.txt
 
 COPY . .
 
-RUN chmod +x /app/check_health.sh
+RUN chmod +x /app/check_health.sh && \
+ chmod +x /app/entrypoint.sh
 
 # Expose port
 EXPOSE ${FLASK_PORT}
@@ -44,5 +48,9 @@ EXPOSE ${FLASK_PORT}
 HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
 CMD curl -f http://localhost:${FLASK_PORT}/request/api/status || exit 1
 
+# Entrypoint
+ENTRYPOINT ["/app/entrypoint.sh"]
+
 # Start application
 CMD ["python", "-m", "app"]
+
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..78abb7a
--- /dev/null
+++ b/entrypoint.sh
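Review bot: `ENV UID=1000` in the first hunk reuses a variable name that bash initializes to the real user ID at startup and marks readonly, so under the `#!/bin/bash` entrypoint `$UID` may reflect the uid the container was started with (0 under the default root user) rather than the configured value; whether an inherited environment value survives bash's own initialization differs between bash versions, so please verify it in the built image, because a silent mismatch leaves `gosu` handing control back to root. A name bash does not own, such as `PUID`/`PGID` for the Dockerfile defaults, the readme rows and the entrypoint, avoids the collision outright; `GID` carries no such special meaning. The removal of `RUN mkdir -p ${INGEST_DIR}` is only safe because the entrypoint now creates the directory at each start, which deserves a comment next to the new `ENTRYPOINT` line, e.g. `# INGEST_DIR is created (and chowned) by entrypoint.sh at container start`.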
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+
+mkdir -p /var/logs
+mkdir -p "$INGEST_DIR"
+
+# Create group if it doesn't exist
+if ! getent group "$GID" >/dev/null; then
+ groupadd -g "$GID" abc
+fi
+
+# Create user if it doesn't exist
+if ! id -u "$UID" >/dev/null 2>&1; then
+ useradd -u "$UID" -g "$GID" -d /app -s /sbin/nologin abc
+fi
+
+# Adjust ownership of application directories
+chown -R $UID:$GID /app "$INGEST_DIR" /var/logs
+
+# Switch to the created user and execute the main command
+exec gosu $UID "$@"
+
diff --git a/readme.md b/readme.md
index 2f64d6f..8d3231b 100644
--- a/readme.md
+++ b/readme.md
@@ -52,6 +52,8 @@ An intuitive web interface for searching and requesting book downloads, designed
 | `FLASK_DEBUG` | Debug mode toggle | `false` |
 | `FLASK_HOST` | Web interface binding | `0.0.0.0` |
 | `INGEST_DIR` | Book download directory | `/cwa-book-ingest` |
+| `UID` | Runtime user ID | `1000` |
+| `GID` | Runtime group ID | `100` |
 
 #### Download Settings
 | Variable | Description | Default Value |
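Review bot: `exec gosu $UID "$@"` drops privileges to the uid only, so the process's primary group is whatever passwd holds for that uid, which equals `$GID` only when this script created the user a few lines earlier; when the uid already exists in the image (the `id -u` branch is skipped) the running group no longer matches the `chown -R $UID:$GID` above, so make it explicit: `exec gosu "$UID:$GID" "$@"`. The `chown -R` also runs on every container start and rewrites ownership of everything mounted at `$INGEST_DIR`, which is slow on large libraries and surprises operators who mount a shared directory; gating it on the top-level owner, e.g. `[ "$(stat -c %u "$INGEST_DIR")" = "$UID" ] || chown -R "$UID:$GID" "$INGEST_DIR"` (GNU `stat`, which the Debian base image used by the `apt-get` lines provides), limits the cost to the first start. Both `$UID:$GID` expansions should be quoted for consistency with the rest of the script, and `set -eu` instead of `set -e` turns an unset `UID`/`GID` into an explicit error rather than an empty argument to `getent`/`groupadd`.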