From cb73f5daa095f65d708877da531c9cb470a0b27b Mon Sep 17 00:00:00 2001
From: Thijs Schreijer
Date: Tue, 13 Sep 2022 08:45:30 +0200
Subject: [PATCH 1/2] fix(mount) update permissions to ensure access Modify the 'kong' user to match the ownership of the mounted plugin folder Kong will not start because of permission errors if it cannot write to the /kong-plugin/servroot folder (which resides on the mount). Since those permissions are controlled by the host, we update the 'kong' user inside the container to match the UID and GID.
---
 assets/Dockerfile | 2 +-
 assets/pongo_entrypoint.sh | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/assets/Dockerfile b/assets/Dockerfile
index 2359f032..a10c5f4e 100644
--- a/assets/Dockerfile
+++ b/assets/Dockerfile
@@ -32,7 +32,7 @@ USER root
 # But that means hardcoding and that doesn't play well with the nature of Pongo
 # that should be independent of Kong versions.
 RUN apk update \
- && apk add zip unzip make g++ py-pip jq git bsd-compat-headers m4 openssl-dev curl wget python3-dev \
+ && apk add zip unzip make g++ py-pip jq git bsd-compat-headers m4 openssl-dev curl wget python3-dev shadow \
 && curl -k -s -S -L https://github.com/fullstorydev/grpcurl/releases/download/v1.7.0/grpcurl_1.7.0_linux_x86_64.tar.gz | tar xz -C /kong/bin \
 && pip install httpie \
 ; cd /kong \
diff --git a/assets/pongo_entrypoint.sh b/assets/pongo_entrypoint.sh
index ec4d7cef..e50f3441 100755
--- a/assets/pongo_entrypoint.sh
+++ b/assets/pongo_entrypoint.sh
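Review bot: In assets/Dockerfile the `RUN` chain this hunk edits still fetches the grpcurl tarball with `curl -k` and pipes it straight into `tar`, so TLS verification is off and nothing checks the archive before its contents land in /kong/bin. That line is unchanged context here, but while the chain is being touched it is worth dropping `-k` and verifying a pinned digest, for example downloading to a file and running `echo "<EXPECTED_SHA256>  grpcurl.tar.gz" | sha256sum -c -` before extracting. Separately, the new `shadow` package appears to be added only so the entrypoint can call `groupmod`/`usermod`; a one-line comment above the `RUN` saying so would help the next maintainer. The `RUN` instruction continues past the end of the hunk.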
@@ -101,6 +101,31 @@ if [ -z "$KONG_TEST_LUA_SSL_TRUSTED_CERTIFICATE" ]; then
 fi
+# Modify the 'kong' user to match the ownership of the mounted plugin folder
+# Kong will not start because of permission errors if it cannot write to the
+# /kong-plugin/servroot folder (which resides on the mount).
+# Since those permissions are controlled by the host, we update the 'kong' user
+# inside the container to match the UID and GID.
+if [ -d /kong-plugin ]; then
+ KONG_UID=$(id -u kong)
+ KONG_GID=$(id -g kong)
+ MOUNT_UID=$(stat -c "%u" /kong-plugin)
+ MOUNT_GID=$(stat -c "%g" /kong-plugin)
+ if [ ! "$KONG_GID" = "$MOUNT_GID" ]; then
+ # change KONG_GID to the ID of the folder owner group
+ groupmod -g "$MOUNT_GID" kong > /dev/null 2>&1
+ fi
+
+ if [ ! "$KONG_UID" = "$MOUNT_UID" ]; then
+ # change KONG_UID to the ID of the folder owner
+ usermod -u "$MOUNT_UID" -g "$MOUNT_GID" kong > /dev/null 2>&1
+ fi
+ unset KONG_UID
+ unset KONG_GID
+ unset MOUNT_UID
+ unset MOUNT_GID
+fi
+
 # perform any custom setup if specified
 if [ -f /kong-plugin/.pongo/pongo-setup.sh ]; then
From e7a12bc8a996dc21a5fd51f85c4db794424770b9 Mon Sep 17 00:00:00 2001
From: Thijs Schreijer
Date: Tue, 13 Sep 2022 12:29:16 +0200
Subject: [PATCH 2/2] add the --non-unique flag, don't hide potential (error) output
---
 assets/pongo_entrypoint.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/pongo_entrypoint.sh b/assets/pongo_entrypoint.sh
index e50f3441..6a978db6 100755
--- a/assets/pongo_entrypoint.sh
+++ b/assets/pongo_entrypoint.sh
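Review bot: `MOUNT_UID` and `MOUNT_GID` are read from the host-controlled /kong-plugin mount and handed to `groupmod`/`usermod` with no sanity check, so a mount owned by root asks for 'kong' to be given uid 0 and gid 0. While IDs must be unique that request would normally be refused, and here the refusal is hidden by `> /dev/null 2>&1`; once patch 2/2 adds `--non-unique` it goes through and the unprivileged account becomes an alias for root. Skipping the remap in that case keeps the privilege separation, e.g. `if [ ! "$KONG_UID" = "$MOUNT_UID" ] && [ "$MOUNT_UID" -ne 0 ]; then`, with the same `-ne 0` test on `MOUNT_GID` in the group branch. The `id` and `stat` results are also used unchecked, so a failure of either leaves an empty value in the comparisons; a `[ -n "$MOUNT_UID" ]` guard before the block's two `if` tests would cover that.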
@@ -113,12 +113,12 @@ if [ -d /kong-plugin ]; then
 MOUNT_GID=$(stat -c "%g" /kong-plugin)
 if [ ! "$KONG_GID" = "$MOUNT_GID" ]; then
 # change KONG_GID to the ID of the folder owner group
- groupmod -g "$MOUNT_GID" kong > /dev/null 2>&1
+ groupmod -g "$MOUNT_GID" --non-unique kong
 fi

 if [ ! "$KONG_UID" = "$MOUNT_UID" ]; then
 # change KONG_UID to the ID of the folder owner
- usermod -u "$MOUNT_UID" -g "$MOUNT_GID" --non-unique kong > /dev/null 2>&1
+ usermod -u "$MOUNT_UID" -g "$MOUNT_GID" --non-unique kong
 fi
 unset KONG_UID
 unset KONG_GID
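Review bot: Neither `groupmod` nor `usermod` has its exit status checked, so although their errors are now visible the entrypoint still carries on with the old IDs after a failure and Kong will hit the permission error this block is meant to prevent. Making the failure explicit is a one-line change per call, e.g. `groupmod -g "$MOUNT_GID" --non-unique kong || exit 1` and the same on the `usermod` line. Note also that `usermod -u` re-owns only files under the account's home directory, so anything else the image created under the old 'kong' uid keeps its old owner; whether that matters depends on paths outside this hunk. The enclosing `if [ -d /kong-plugin ]` block starts and ends outside the hunk.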