Merge pull request #32 from zazukoians/permissions-change

Change permissions
zazukoians · Dec 10, 2024 · 42d368d · 42d368d
2 parents d8ccf81 + e1512c7
commit 42d368d
Show file tree

Hide file tree

Showing 8 changed files with 64 additions and 53 deletions.
diff --git a/.changeset/clean-drinks-drop.md b/.changeset/clean-drinks-drop.md
@@ -0,0 +1,8 @@
+---
+"qlever": minor
+---
+
+Permissions were updated to make sure that the server and the UI can run without any issue with any user ID.
+The persistent data is now stored in the `/data` directory.
+Make sure to update your deployments/stacks to use the new path.
+The default user is now `nobody` (UID: 65534).
diff --git a/README.md b/README.md
@@ -51,7 +51,7 @@ Our custom container image for the server allows you to tweak the default behavi
 - `SHOULD_DOWNLOAD`: If set to `true`, the server will download the data. If the input file already exists, then the value would be set to `false` automatically. Default is `true`.
 - `FORCE_DOWNLOAD`: If set to `true`, the server will force the download of the data, even if `SHOULD_DOWNLOAD` is set to `false`. Default is `false`.
 
-If you want to persist the data, you can mount a volume to the `/home/qlever/data` directory.
+If you want to persist the data, you can mount a volume to the `/data` directory.
 
 The custom image for the UI also offers some environment variables to customize the behavior:
 

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -9,7 +9,7 @@ services:
     build:
       context: ./docker/
       dockerfile: ./server.Dockerfile
-    user: 1000:1000
+    user: 65534:65534
     stop_grace_period: 0s
     ports:
       - "7001:7001"
@@ -23,6 +23,7 @@ services:
     build:
       context: ./docker/
       dockerfile: ./ui.Dockerfile
+    user: 65534:65534
     stop_grace_period: 0s
     ports:
       - "7002:7002"
@@ -41,7 +42,7 @@ services:
     build:
       context: ./docker/
       dockerfile: ./server.Dockerfile
-    user: 1000:1000
+    user: 65534:65534
     stop_grace_period: 0s
     ports:
       - "7001:7001"
@@ -50,7 +51,7 @@ services:
     env_file:
       - local.env
     volumes:
-      - ./docker/server/data.nt:/home/qlever/data/data.nt
+      - ./docker/server/data.nt:/data/data.nt:ro
 
   ui-local:
     profiles:
@@ -59,6 +60,7 @@ services:
     build:
       context: ./docker/
       dockerfile: ./ui.Dockerfile
+    user: 65534:65534
     stop_grace_period: 0s
     ports:
       - "7002:7002"

diff --git a/docker/common/generate-qleverfile.sh b/docker/common/generate-qleverfile.sh
@@ -13,7 +13,7 @@ if [ "${QLEVER_GENERATE_CONFIG_FILE}" != "true" ]; then
   exit 0
 fi
 
-QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/home/qlever/data/Qleverfile}"
+QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/data/Qleverfile}"
 dirname "${QLEVER_FILE_PATH}" | xargs mkdir -p
 
 # Set default values for some configuration fields (could be overridden by other environment variables)

diff --git a/docker/server.Dockerfile b/docker/server.Dockerfile
@@ -1,37 +1,36 @@
-# Check latest version here: https://pypi.org/project/qlever/
-ARG QLEVER_VERSION="0.5.12"
-
-FROM index.docker.io/adfreiburg/qlever:latest@sha256:1be63d62e45db723ee3c0164aed450ee2e5f5ab06146267717f560ac40689c0d
-
-ARG QLEVER_VERSION
+FROM index.docker.io/adfreiburg/qlever:latest@sha256:55d17079e3dc093266a1def6393d0ae7662f16120ffe9594f34013f0b14f3979
 
+# Upgrade depdendencies and do some cleanup
 USER root
-
-# Install python3 and pip3, in order to install qlever
-RUN apt-get update \
-  && apt-get install -y \
-  python3 \
-  python3-pip \
-  && rm -rf /var/lib/apt/lists/*
-RUN pip3 install "qlever==${QLEVER_VERSION}"
-
-# Just make sure that the user qlever has a home directory, so that we can enable autocompletion
-RUN mkdir -p /home/qlever/data && chown -R qlever:qlever /home/qlever
-RUN echo 'eval "$(register-python-argcomplete qlever)"' >> /home/qlever/.bashrc
-ENV QLEVER_ARGCOMPLETE_ENABLED=1
+RUN export SUDO_FORCE_REMOVE=yes \
+  && apt-get update \
+  && apt-get upgrade -y \
+  && apt-get purge -y --auto-remove sudo \
+  && rm -rf /var/lib/apt/lists/* \
+  && apt-get clean \
+  && unset SUDO_FORCE_REMOVE \
+  && rm -f /etc/profile.d/qlever.sh /qlever/.bashrc /qlever/docker-entrypoint.sh
+
+# Just make sure that the user that will be running the container will have the necessary permissions
+RUN mkdir -p /qlever /data \
+  && chmod -R a+rw /data \
+  && chmod -R a+rw /qlever
+RUN echo 'eval "$(register-python-argcomplete qlever)"' >> /qlever/.bashrc
+ENV QLEVER_ARGCOMPLETE_ENABLED="1"
+ENV QLEVER_IS_RUNNING_IN_CONTAINER="1"
 
 # Include some useful scripts
-RUN mkdir -p /home/qlever/scripts
-COPY ./common/generate-qleverfile.sh /home/qlever/scripts/
-COPY ./server/entrypoint.sh /home/qlever/scripts/
-RUN chmod +x /home/qlever/scripts/*.sh
+RUN mkdir -p /qlever/scripts
+COPY ./common/generate-qleverfile.sh /qlever/scripts/
+COPY ./server/entrypoint.sh /qlever/scripts/
+RUN chmod +x /qlever/scripts/*.sh
 
-# Switch back to the qlever user
-USER qlever
+# Use the nobody user by default
+USER 65534
 
-WORKDIR /home/qlever
+WORKDIR /qlever
 
 EXPOSE 7001
 
 ENTRYPOINT [ "" ]
-CMD [ "/home/qlever/scripts/entrypoint.sh" ]
+CMD [ "/qlever/scripts/entrypoint.sh" ]
diff --git a/docker/server/entrypoint.sh b/docker/server/entrypoint.sh
@@ -15,12 +15,12 @@ echo "INFO: Indexing : should index = ${SHOULD_INDEX} ; force indexing = ${FORCE
 echo "INFO: Data download : should download = ${SHOULD_DOWNLOAD} ; force download = ${FORCE_DOWNLOAD}"
 
 # Generate Qleverfile
-/home/qlever/scripts/generate-qleverfile.sh
+/qlever/scripts/generate-qleverfile.sh
 
 # Go to the data directory
-cd /home/qlever/data
+cd /data
 
-QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/home/qlever/data/Qleverfile}"
+QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/data/Qleverfile}"
 
 # Check if the Qleverfile exists
 if [ ! -f "${QLEVER_FILE_PATH}" ]; then

diff --git a/docker/ui.Dockerfile b/docker/ui.Dockerfile
@@ -15,31 +15,33 @@ RUN apk add --no-cache \
   gcc python3-dev musl-dev linux-headers
 RUN pip3 install "qlever==${QLEVER_VERSION}"
 
-# Just make sure that the user qlever has a home directory, so that we can enable autocompletion
-RUN adduser -u 1000 -g 1000 -D qlever
-RUN mkdir -p /home/qlever/data && chown -R qlever:qlever /home/qlever
-RUN echo 'eval "$(register-python-argcomplete qlever)"' >> /home/qlever/.bashrc
-ENV QLEVER_ARGCOMPLETE_ENABLED=1
+# Just make sure that the user that will be running the container will have the necessary permissions
+RUN mkdir -p /qlever /data \
+  && chmod -R a+rw /data \
+  && chmod -R a+rw /qlever
+RUN echo 'eval "$(register-python-argcomplete qlever)"' >> /qlever/.bashrc
+ENV QLEVER_ARGCOMPLETE_ENABLED="1"
+ENV QLEVER_IS_RUNNING_IN_CONTAINER="1"
 
-# Make sure that qlever user owns the db directory
-RUN chown -R qlever:qlever /app/db
+# Make sure that current user owns the db directory
+RUN chmod -R a+rw /app/db
 
 # Include some useful scripts
-RUN mkdir -p /home/qlever/scripts
-COPY ./common/generate-qleverfile.sh /home/qlever/scripts/
-COPY ./ui/entrypoint.sh /home/qlever/scripts/
-RUN chmod +x /home/qlever/scripts/*.sh
+RUN mkdir -p /qlever/scripts
+COPY ./common/generate-qleverfile.sh /qlever/scripts/
+COPY ./ui/entrypoint.sh /qlever/scripts/
+RUN chmod +x /qlever/scripts/*.sh
 COPY ./ui/docker.sh /usr/bin/docker
 RUN chmod +x /usr/bin/docker
 
-# Switch back to the qlever user
-USER qlever
+# Use the nobody user by default
+USER 65534
 
-WORKDIR /home/qlever
+WORKDIR /qlever
 
 COPY ./ui/update.py /app/backend/management/commands/update.py
 
 EXPOSE 7002
 
 ENTRYPOINT [ "" ]
-CMD [ "/home/qlever/scripts/entrypoint.sh" ]
+CMD [ "/qlever/scripts/entrypoint.sh" ]
diff --git a/docker/ui/entrypoint.sh b/docker/ui/entrypoint.sh
@@ -5,12 +5,12 @@ MAP_VIEW_BASE_URL="${MAP_VIEW_BASE_URL:-}"
 set -eu
 
 # Generate Qleverfile
-/home/qlever/scripts/generate-qleverfile.sh
+/qlever/scripts/generate-qleverfile.sh
 
 # Go to the data directory
-cd /home/qlever/data
+cd /data
 
-QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/home/qlever/data/Qleverfile}"
+QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/data/Qleverfile}"
 
 # Check if the Qleverfile exists
 if [ ! -f "${QLEVER_FILE_PATH}" ]; then