This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Docker packaging should not su-exec or chmod if already running as UID/GID #5970

Merged
merged 6 commits into from
Sep 3, 2019
Merged
Changes from 5 commits
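--- a/changelog.d/5970.docker
+++ b/changelog.d/5970.docker
@@ -0,0 +1 @@
+Avoid changing UID/GID if they are already correct.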
82 changes: 48 additions & 34 deletions docker/start.py
Expand Up @@ -42,7 +42,7 @@ def generate_config_from_template(config_dir, config_path, environ, ownership):
config_path (str): where to put the main config file
environ (dict): environment dictionary
ownership (str): "<user>:<group>" string which will be used to set
michaelkaye marked this conversation as resolved.
ownership of the generated configs
ownership of the generated configs. If None, ownership will not change.
"""
for v in ("SYNAPSE_SERVER_NAME", "SYNAPSE_REPORT_STATS"):
if v not in environ:
Expand Down Expand Up @@ -105,32 +105,32 @@ def generate_config_from_template(config_dir, config_path, environ, ownership):
log("Generating log config file " + log_config_file)
convert("/conf/log.config", log_config_file, environ)

subprocess.check_output(["chown", "-R", ownership, "/data"])

# Hopefully we already have a signing key, but generate one if not.
subprocess.check_output(
[
"su-exec",
ownership,
"python",
"-m",
"synapse.app.homeserver",
"--config-path",
config_path,
# tell synapse to put generated keys in /data rather than /compiled
"--keys-directory",
config_dir,
"--generate-keys",
]
)
args = [
"python",
"-m",
"synapse.app.homeserver",
"--config-path",
config_path,
# tell synapse to put generated keys in /data rather than /compiled
"--keys-directory",
config_dir,
"--generate-keys",
]

if ownership is not None:
michaelkaye marked this conversation as resolved.
subprocess.check_output(["chown", "-R", ownership, "/data"])
args = ["su-exec", ownership] + args

subprocess.check_output(args)


def run_generate_config(environ, ownership):
"""Run synapse with a --generate-config param to generate a template config file

Args:
environ (dict): env var dict
ownership (str): "userid:groupid" arg for chmod
ownership (str): "userid:groupid" arg for chmod. If None, ownership will not change.
michaelkaye marked this conversation as resolved.

Never returns.
"""
Expand All @@ -149,9 +149,6 @@ def run_generate_config(environ, ownership):
log("Creating log config %s" % (log_config_file,))
convert("/conf/log.config", log_config_file, environ)

# make sure that synapse has perms to write to the data dir.
subprocess.check_output(["chown", ownership, data_dir])

args = [
"python",
"-m",
Expand All @@ -170,12 +167,33 @@ def run_generate_config(environ, ownership):
"--open-private-ports",
]
# log("running %s" % (args, ))
os.execv("/usr/local/bin/python", args)

if ownership is not None:
michaelkaye marked this conversation as resolved.
args = ["su-exec", ownership] + args
os.execv("/sbin/su-exec", args)

# make sure that synapse has perms to write to the data dir.
subprocess.check_output(["chown", ownership, data_dir])
else:
os.execv("/usr/local/bin/python", args)


def main(args, environ):
mode = args[1] if len(args) > 1 else None
ownership = "{}:{}".format(environ.get("UID", 991), environ.get("GID", 991))
desired_uid = int(environ.get("UID", "991"))
desired_gid = int(environ.get("GID", "991"))
if (desired_uid == os.getuid()) and (desired_gid == os.getgid()):
ownership = None
else:
ownership = "{}:{}".format(desired_uid, desired_gid)

log(
"Container running as UserID %s:%s, ENV (or defaults) requests %s:%s"
% (os.getuid(), os.getgid(), desired_uid, desired_gid)
)

if ownership is None:
log("Will not perform chmod/su-exec as UserID already matches request")

# In generate mode, generate a configuration and missing keys, then exit
if mode == "generate":
Expand Down Expand Up @@ -227,16 +245,12 @@ def main(args, environ):

log("Starting synapse with config file " + config_path)

args = [
"su-exec",
ownership,
"python",
"-m",
"synapse.app.homeserver",
"--config-path",
config_path,
]
os.execv("/sbin/su-exec", args)
args = ["python", "-m", "synapse.app.homeserver", "--config-path", config_path]
if ownership is not None:
args = ["su-exec", ownership] + args
os.execv("/sbin/su-exec", args)
else:
os.execv("/usr/local/bin/python", args)


if __name__ == "__main__":
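Review bot: In run_generate_config, the `subprocess.check_output(["chown", ownership, data_dir])` call now sits after `os.execv("/sbin/su-exec", args)` inside the `if ownership is not None:` branch, so it can never run: execv replaces the process on success and raises on failure. The data directory is therefore no longer chowned before privileges are dropped, and the unprivileged synapse process may be unable to write the generated config there. Move the chown above the exec, so the branch reads `subprocess.check_output(["chown", ownership, data_dir])`, then `args = ["su-exec", ownership] + args`, then `os.execv("/sbin/su-exec", args)`. This page shows 5 of the 6 merged commits, so the final commit may already reorder these lines. Separately, the new log line in main and the `ownership` docstring say "chmod" where the operation performed is `chown`.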