From e1512c7b0c821f539b4ce548f4c55eedf3ab3d21 Mon Sep 17 00:00:00 2001 From: Ludovic Muller Date: Tue, 10 Dec 2024 11:49:38 +0100 Subject: [PATCH] change permissions --- .changeset/clean-drinks-drop.md | 8 +++++ README.md | 2 +- docker-compose.yaml | 8 +++-- docker/common/generate-qleverfile.sh | 2 +- docker/server.Dockerfile | 53 ++++++++++++++-------------- docker/server/entrypoint.sh | 6 ++-- docker/ui.Dockerfile | 32 +++++++++-------- docker/ui/entrypoint.sh | 6 ++-- 8 files changed, 64 insertions(+), 53 deletions(-) create mode 100644 .changeset/clean-drinks-drop.md diff --git a/.changeset/clean-drinks-drop.md b/.changeset/clean-drinks-drop.md new file mode 100644 index 0000000..9c6e0e9 --- /dev/null +++ b/.changeset/clean-drinks-drop.md @@ -0,0 +1,8 @@ +--- +"qlever": minor +--- + +Permissions were updated to make sure that the server and the UI can run without any issue with any user ID. +The persistent data is now stored in the `/data` directory. +Make sure to update your deployments/stacks to use the new path. +The default user is now `nobody` (UID: 65534). diff --git a/README.md b/README.md index 0e57056..3c6996b 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ Our custom container image for the server allows you to tweak the default behavi - `SHOULD_DOWNLOAD`: If set to `true`, the server will download the data. If the input file already exists, then the value would be set to `false` automatically. Default is `true`. - `FORCE_DOWNLOAD`: If set to `true`, the server will force the download of the data, even if `SHOULD_DOWNLOAD` is set to `false`. Default is `false`. -If you want to persist the data, you can mount a volume to the `/home/qlever/data` directory. +If you want to persist the data, you can mount a volume to the `/data` directory. The custom image for the UI also offers some environment variables to customize the behavior: diff --git a/docker-compose.yaml b/docker-compose.yaml index d24575d..08ca297 100644 --- a/docker-compose.yaml 
+++ b/docker-compose.yaml @@ -9,7 +9,7 @@ services: build: context: ./docker/ dockerfile: ./server.Dockerfile - user: 1000:1000 + user: 65534:65534 stop_grace_period: 0s ports: - "7001:7001" @@ -23,6 +23,7 @@ services: build: context: ./docker/ dockerfile: ./ui.Dockerfile + user: 65534:65534 stop_grace_period: 0s ports: - "7002:7002" @@ -41,7 +42,7 @@ services: build: context: ./docker/ dockerfile: ./server.Dockerfile - user: 1000:1000 + user: 65534:65534 stop_grace_period: 0s ports: - "7001:7001" @@ -50,7 +51,7 @@ services: env_file: - local.env volumes: - - ./docker/server/data.nt:/home/qlever/data/data.nt + - ./docker/server/data.nt:/data/data.nt:ro ui-local: profiles: @@ -59,6 +60,7 @@ services: build: context: ./docker/ dockerfile: ./ui.Dockerfile + user: 65534:65534 stop_grace_period: 0s ports: - "7002:7002" diff --git a/docker/common/generate-qleverfile.sh b/docker/common/generate-qleverfile.sh index e2301bd..cb550cf 100755 --- a/docker/common/generate-qleverfile.sh +++ b/docker/common/generate-qleverfile.sh @@ -13,7 +13,7 @@ if [ "${QLEVER_GENERATE_CONFIG_FILE}" != "true" ]; then exit 0 fi -QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/home/qlever/data/Qleverfile}" +QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/data/Qleverfile}" dirname "${QLEVER_FILE_PATH}" | xargs mkdir -p # Set default values for some configuration fields (could be overridden by other environment variables) diff --git a/docker/server.Dockerfile b/docker/server.Dockerfile index 2d703bc..46ebf8d 100644 --- a/docker/server.Dockerfile +++ b/docker/server.Dockerfile 
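Review bot: In docker/common/generate-qleverfile.sh the context line `dirname "${QLEVER_FILE_PATH}" | xargs mkdir -p` sends the directory through xargs, which splits on whitespace and interprets quotes and backslashes, so an operator-supplied `QLEVER_FILE_PATH` containing a space creates the wrong directories. Since this commit changes the default value that feeds this line, it would be a good moment to switch to `mkdir -p -- "$(dirname -- "${QLEVER_FILE_PATH}")"`. The script continues outside the hunk on both sides.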
@@ -1,37 +1,36 @@ -# Check latest version here: https://pypi.org/project/qlever/ -ARG QLEVER_VERSION="0.5.12" - -FROM index.docker.io/adfreiburg/qlever:latest@sha256:1be63d62e45db723ee3c0164aed450ee2e5f5ab06146267717f560ac40689c0d - -ARG QLEVER_VERSION +FROM index.docker.io/adfreiburg/qlever:latest@sha256:55d17079e3dc093266a1def6393d0ae7662f16120ffe9594f34013f0b14f3979 +# Upgrade depdendencies and do some cleanup USER root - -# Install python3 and pip3, in order to install qlever -RUN apt-get update \ - && apt-get install -y \ - python3 \ - python3-pip \ - && rm -rf /var/lib/apt/lists/* -RUN pip3 install "qlever==${QLEVER_VERSION}" - -# Just make sure that the user qlever has a home directory, so that we can enable autocompletion -RUN mkdir -p /home/qlever/data && chown -R qlever:qlever /home/qlever -RUN echo 'eval "$(register-python-argcomplete qlever)"' >> /home/qlever/.bashrc -ENV QLEVER_ARGCOMPLETE_ENABLED=1 +RUN export SUDO_FORCE_REMOVE=yes \ + && apt-get update \ + && apt-get upgrade -y \ + && apt-get purge -y --auto-remove sudo \ + && rm -rf /var/lib/apt/lists/* \ + && apt-get clean \ + && unset SUDO_FORCE_REMOVE \ + && rm -f /etc/profile.d/qlever.sh /qlever/.bashrc /qlever/docker-entrypoint.sh + +# Just make sure that the user that will be running the container will have the necessary permissions +RUN mkdir -p /qlever /data \ + && chmod -R a+rw /data \ + && chmod -R a+rw /qlever +RUN echo 'eval "$(register-python-argcomplete qlever)"' >> /qlever/.bashrc +ENV QLEVER_ARGCOMPLETE_ENABLED="1" +ENV QLEVER_IS_RUNNING_IN_CONTAINER="1" # Include some useful scripts -RUN mkdir -p /home/qlever/scripts -COPY ./common/generate-qleverfile.sh /home/qlever/scripts/ -COPY ./server/entrypoint.sh /home/qlever/scripts/ -RUN chmod +x /home/qlever/scripts/*.sh +RUN mkdir -p /qlever/scripts +COPY ./common/generate-qleverfile.sh /qlever/scripts/ +COPY ./server/entrypoint.sh /qlever/scripts/ +RUN chmod +x /qlever/scripts/*.sh -# Switch back to the qlever user -USER qlever +# Use 
the nobody user by default +USER 65534 -WORKDIR /home/qlever +WORKDIR /qlever EXPOSE 7001 ENTRYPOINT [ "" ] -CMD [ "/home/qlever/scripts/entrypoint.sh" ] +CMD [ "/qlever/scripts/entrypoint.sh" ] diff --git a/docker/server/entrypoint.sh b/docker/server/entrypoint.sh index e6b4b9a..d472e9e 100755 --- a/docker/server/entrypoint.sh +++ b/docker/server/entrypoint.sh @@ -15,12 +15,12 @@ echo "INFO: Indexing : should index = ${SHOULD_INDEX} ; force indexing = ${FORCE echo "INFO: Data download : should download = ${SHOULD_DOWNLOAD} ; force download = ${FORCE_DOWNLOAD}" # Generate Qleverfile -/home/qlever/scripts/generate-qleverfile.sh +/qlever/scripts/generate-qleverfile.sh # Go to the data directory -cd /home/qlever/data +cd /data -QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/home/qlever/data/Qleverfile}" +QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/data/Qleverfile}" # Check if the Qleverfile exists if [ ! -f "${QLEVER_FILE_PATH}" ]; then diff --git a/docker/ui.Dockerfile b/docker/ui.Dockerfile index b5b70df..012701a 100644 --- a/docker/ui.Dockerfile +++ b/docker/ui.Dockerfile 
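Review bot: In docker/server.Dockerfile, `chmod -R a+rw /qlever` makes the directory that holds the entrypoint scripts, and whatever else the base image ships under `/qlever` (not visible here), writable by every UID, so any process in the container can rename or replace entries such as `/qlever/scripts` or `.bashrc` even though those are created root-owned afterwards. The changeset text names only `/data` as the place for persistent data, so I would keep `/qlever` root-owned and limit the grant to the data directory: `RUN mkdir -p /qlever /data && chmod -R a+rwX /data` (capital `X` so existing subdirectories stay traversable). If something does need to write under `/qlever` at runtime, a dedicated subdirectory would keep code and writable state apart. The same three lines appear in docker/ui.Dockerfile.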
@@ -15,31 +15,33 @@ RUN apk add --no-cache \ gcc python3-dev musl-dev linux-headers RUN pip3 install "qlever==${QLEVER_VERSION}" -# Just make sure that the user qlever has a home directory, so that we can enable autocompletion -RUN adduser -u 1000 -g 1000 -D qlever -RUN mkdir -p /home/qlever/data && chown -R qlever:qlever /home/qlever -RUN echo 'eval "$(register-python-argcomplete qlever)"' >> /home/qlever/.bashrc -ENV QLEVER_ARGCOMPLETE_ENABLED=1 +# Just make sure that the user that will be running the container will have the necessary permissions +RUN mkdir -p /qlever /data \ + && chmod -R a+rw /data \ + && chmod -R a+rw /qlever +RUN echo 'eval "$(register-python-argcomplete qlever)"' >> /qlever/.bashrc +ENV QLEVER_ARGCOMPLETE_ENABLED="1" +ENV QLEVER_IS_RUNNING_IN_CONTAINER="1" -# Make sure that qlever user owns the db directory -RUN chown -R qlever:qlever /app/db +# Make sure that current user owns the db directory +RUN chmod -R a+rw /app/db # Include some useful scripts -RUN mkdir -p /home/qlever/scripts -COPY ./common/generate-qleverfile.sh /home/qlever/scripts/ -COPY ./ui/entrypoint.sh /home/qlever/scripts/ -RUN chmod +x /home/qlever/scripts/*.sh +RUN mkdir -p /qlever/scripts +COPY ./common/generate-qleverfile.sh /qlever/scripts/ +COPY ./ui/entrypoint.sh /qlever/scripts/ +RUN chmod +x /qlever/scripts/*.sh COPY ./ui/docker.sh /usr/bin/docker RUN chmod +x /usr/bin/docker -# Switch back to the qlever user -USER qlever +# Use the nobody user by default +USER 65534 -WORKDIR /home/qlever +WORKDIR /qlever COPY ./ui/update.py /app/backend/management/commands/update.py EXPOSE 7002 ENTRYPOINT [ "" ] -CMD [ "/home/qlever/scripts/entrypoint.sh" ] +CMD [ "/qlever/scripts/entrypoint.sh" ] diff --git a/docker/ui/entrypoint.sh b/docker/ui/entrypoint.sh index 19d712a..6e9abcf 100755 --- a/docker/ui/entrypoint.sh +++ b/docker/ui/entrypoint.sh 
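Review bot: In docker/ui.Dockerfile the comment `# Make sure that current user owns the db directory` no longer matches the command under it, because `chmod -R a+rw /app/db` changes no ownership and instead grants read/write to every UID. I would reword it to `# Make the db directory writable for whichever UID the container runs as` and use `chmod -R a+rwX /app/db`, since lowercase `rw` adds no search bit and a subdirectory that others cannot traverse would stay unusable for UID 65534. The contents of `/app/db` in the base image are not visible here, so the second part is something to verify. The stage starts above this hunk.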
@@ -5,12 +5,12 @@ MAP_VIEW_BASE_URL="${MAP_VIEW_BASE_URL:-}" set -eu # Generate Qleverfile -/home/qlever/scripts/generate-qleverfile.sh +/qlever/scripts/generate-qleverfile.sh # Go to the data directory -cd /home/qlever/data +cd /data -QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/home/qlever/data/Qleverfile}" +QLEVER_FILE_PATH="${QLEVER_FILE_PATH:-/data/Qleverfile}" # Check if the Qleverfile exists if [ ! -f "${QLEVER_FILE_PATH}" ]; then