feat(docker): review ownership and permission #219

Closed
iromli opened this issue May 9, 2022 · 6 comments · Fixed by #229

@iromli
Contributor

iromli commented May 9, 2022

Problems

Current images adjust ownership and permissions of several directories and files for the non-root user. The issue is that some of the commands use chown, for example:

RUN chown -R 1000:1000 /opt/jans/jetty

Unfortunately, due to a docker build limitation, the chown command creates an extra layer and adds as much size as the chown-ed directory/file itself.

Build using chown command

For illustration, inspecting image layers using docker images will show the SIZE:

» docker images | grep casa
REPOSITORY                               TAG           IMAGE ID       CREATED          SIZE
gluufederation/casa                      5.0.0_dev     2c34c75df662   9 days ago      600MB

By using the docker history command, we know that adjusting ownership and permissions via chown increased the size of the image (approx. 130MB), as seen below:

» docker history gluufederation/casa:5.0.0_dev                                                                                                        
IMAGE          CREATED       CREATED BY                                      SIZE      COMMENT                                                                                                
<missing>      9 days ago    RUN |7 JETTY_VERSION=11.0.8 JETTY_HOME=/opt/…   130MB     buildkit.dockerfile.v0        

Build without using chown command

Temporarily commenting out the chown command produces a smaller image size:

» docker images | grep casa
REPOSITORY                               TAG           IMAGE ID       CREATED          SIZE
gluufederation/casa                      5.0.0_dev     0cba09ff0291   9 days ago      470MB

Now the history shows a small size while adjusting permissions:

» docker history janssenproject/casa:5.0.0_dev                                                                                                  
IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT                                                      
<missing>      9 days ago    RUN |7 JETTY_VERSION=11.0.8 JETTY_HOME=/opt/…   4.66kB    buildkit.dockerfile.v0                             

Goals

  • Review the usage of chown or similar commands that change ownership and permissions of directories and files
  • If chown is inevitable, only adjust specific directories and files (i.e. chown /opt/jans/jetty/casa/logs instead of /opt/jans/jetty/casa; the latter contains webapps/casa.war, which is a huge file)
  • Re-test to avoid regression
@iromli iromli self-assigned this May 9, 2022
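
The layer growth described in the issue above can be reproduced with a small multi-stage Dockerfile. This is an added example, not the project's Dockerfile or the change merged in #229; the alpine base image, the 100 MB stand-in for casa.war, the stage names and image tags are assumptions, and the last stage goes beyond the issue by showing `COPY --chown` as an alternative.

```dockerfile
# Added illustration, not the project's Dockerfile. Assumptions: alpine base,
# a 100 MB zero-filled stand-in for casa.war, and the stage names.
# Compare the layers of each stage:
#   docker build --target bloated   -t chown-demo:bloated .
#   docker build --target lean      -t chown-demo:lean .
#   docker build --target copychown -t chown-demo:copychown .
#   docker history chown-demo:bloated   # likewise for the other two tags

FROM alpine:3.19 AS base
# Stand-in for the large webapp archive; created root-owned, mode 0644.
RUN mkdir -p /opt/jans/jetty/casa/webapps /opt/jans/jetty/casa/logs \
    && dd if=/dev/zero of=/opt/jans/jetty/casa/webapps/casa.war bs=1M count=100

# Pattern from the issue: recursive chown in a separate RUN.
# Changing the owner of casa.war makes the storage driver copy the whole file
# into this new layer, so the layer is about as large as the archive.
FROM base AS bloated
RUN chown -R 1000:1000 /opt/jans/jetty
USER 1000

# Narrowed pattern from the Goals list: chown only what UID 1000 must write.
# casa.war stays root-owned and readable, so the runtime user can load it
# but cannot modify it, and this layer holds only directory metadata.
FROM base AS lean
RUN chown 1000:1000 /opt/jans/jetty/casa/logs
USER 1000

# Alternative when the whole tree really must be owned by UID 1000:
# set the owner while copying, so the files are stored once, already owned.
FROM alpine:3.19 AS copychown
COPY --from=base --chown=1000:1000 /opt/jans/jetty /opt/jans/jetty
USER 1000
```

In the bloated stage, docker history should show the chown layer at roughly the size of the stand-in archive, while the chown layer of the lean stage is only a few kilobytes.
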
@iromli
Contributor Author

iromli commented May 9, 2022

@moabu While testing the implementation on the janssenproject/casa:5.0.0_dev image, I found out that to unlock the admin feature, the .administrable file must be placed inside the jetty/casa directory. Unfortunately, running chown -R jetty/casa or chmod -R g=u jetty/casa will still increase the image (approx. 113MB) due to the extra layer created by docker build.

@jgomer2001 is it possible to override the location of this .administrable file, i.e. $HOME/.administrable?

@jgomer2001
Contributor

sure! can you open an issue?

@moabu
Member

moabu commented May 11, 2022

Yep, customizing the location should help with that.

@jgomer2001
Contributor

@iromli you have to pass -Dadmin.lock=/path/to/file from now on

@iromli
Contributor Author

iromli commented May 12, 2022

@jgomer2001 thanks, I will try it

@iromli
Contributor Author

iromli commented May 12, 2022

@jgomer2001 custom admin lock file works! thanks

moabu pushed a commit that referenced this issue May 16, 2022
…229)

* feat: adjust ownership and permission to avoid bloated images (#219)

* fix: env var name for admin lock file

* docs: add missing env var for admin lock file