If container running as non-root don't use gosu.

In OpenShift containers are run as a random user id. In this case, we
don't need to use gosu.

Fixes #345

Dockerfile

@@ -2,7 +2,6 @@
 FROM runatlantis/atlantis-base:latest
 LABEL authors="Anubhav Mishra, Luke Kysow"
 
-# install terraform binaries
 ENV DEFAULT_TERRAFORM_VERSION=0.11.10
 
 # In the official Atlantis image we only have the latest of each Terrafrom version.
@@ -19,10 +18,7 @@ RUN AVAILABLE_TERRAFORM_VERSIONS="0.8.8 0.9.11 0.10.8 ${DEFAULT_TERRAFORM_VERSIO
     done && \
     ln -s /usr/local/bin/tf/versions/${DEFAULT_TERRAFORM_VERSION}/terraform /usr/local/bin/terraform
 
-# copy binary
 COPY atlantis /usr/local/bin/atlantis
-
-# copy docker entrypoint
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
 ENTRYPOINT ["docker-entrypoint.sh"]

docker-base/Dockerfile

@@ -4,13 +4,19 @@
 FROM alpine:3.8
 LABEL authors="Anubhav Mishra, Luke Kysow"
 
-# create atlantis user
+# We use gosu to step down from root and run as the atlantis user so we need
+# to create that user and group.
+# We add the atlantis user to the root group and make its home directory
+# owned by root so that OpenShift users can use /home/atlantis as their
+# data dir because OpenShift runs containers as a random uid that's part of
+# the root group.
 RUN addgroup atlantis && \
-    adduser -S -G atlantis atlantis
+    adduser -S -G atlantis atlantis && \
+    adduser atlantis root && \
+    chown atlantis:root /home/atlantis/ && \
+    chmod g=u /home/atlantis/
 
-ENV ATLANTIS_HOME_DIR=/home/atlantis
-
-# install atlantis dependencies
+# Install dumb-init and gosu.
 ENV DUMB_INIT_VERSION=1.2.0
 ENV GOSU_VERSION=1.10
 RUN apk add --no-cache ca-certificates gnupg curl git unzip bash openssh libcap openssl && \
@@ -35,6 +41,6 @@ RUN apk add --no-cache ca-certificates gnupg curl git unzip bash openssh libcap
         apk del gnupg openssl && \
         rm -rf /root/.gnupg && rm -rf /var/cache/apk/*
 
-# set up nsswitch.conf for Go's "netgo" implementation
+# Set up nsswitch.conf for Go's "netgo" implementation
 # - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
 RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf

docker-entrypoint.sh

@@ -9,15 +9,29 @@ if [ "${1:0:1}" = '-' ]; then
     set -- atlantis "$@"
 fi
 
-# Look for atlantis subcommands.
-if atlantis --help "$1" 2>&1 | grep -q "atlantis $1"; then
-    # We can't use the return code to check for the existence of a subcommand, so
-    # we have to use grep to look for a pattern in the help output.
+# If the user is running an atlantis subcommand (ex. server) then we want to prepend
+# atlantis as the first arg to exec. To detect if they're running a subcommand
+# we take the potential subcommand and run it through atlantis help {subcommand}.
+# If the output contains "atlantis subcommand" then we know it's a subcommand
+# since the help output contains that string. For anything else (ex. sh)
+# it won't contain that string.
+# NOTE: We use grep instead of the exit code since help always returns 0.
+if atlantis help "$1" 2>&1 | grep -q "atlantis $1"; then
     set -- atlantis "$@"
 fi
 
-# If we are running atlantis, make sure it executes as the proper user.
-if [ "$1" = 'atlantis' ]; then
+# In OpenShift, containers are run with a random uid. We need to detect this
+# and create an entry in /etc/passwd because terraform needs this for cloning.
+if ! whoami &> /dev/null; then
+    if [[ -w /etc/passwd ]]; then
+      echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+    fi
+fi
+
+# If we're running as root and we're trying to execute atlantis then we use
+# gosu to step down from root and run as the atlantis user.
+# In OpenShift, containers are run as a random users so we don't need to use gosu.
+if [[ $(id -u) == 0 ]] && [[ "$1" = 'atlantis' ]]; then
     # If requested, set the capability to bind to privileged ports before
     # we drop to the non-root user. Note that this doesn't work with all
     # storage drivers (it won't work with AUFS).
@@ -28,4 +42,4 @@ if [ "$1" = 'atlantis' ]; then
     set -- gosu atlantis "$@"
 fi
 
-exec "$@"
+exec "$@"