forked from sbt/sbt-native-packager
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Implement dockerPermissionStrategy (sbt#1190)
* Validate Docker packaging * implement dockerPermissionStrategy Fixes sbt#1189 This implements a non-root Docker container that's safer by default and compatible with Red Hat OpenShift. Current `ADD --chown=daemon:daemon opt /opt` nominally implements non-root image, but by giving ownership of the working directory to the `daemon` user, it reduces the safety. Instead we should use `chmod` to default to read-only access unless the build user opts into writable working directory. The challenge is calling `chmod` without incurring the fs layer overhead (sbt#883). [Multi-stage builds](https://docs.docker.com/develop/develop-images/multistage-build/) can be used to pre-stage the files with desired file permissions. This adds new `dockerPermissionStrategy` setting which decides how file permissions are set for the working directory inside the Docker image generated by sbt-native-packager. The strategies are: - `DockerPermissionStrategy.MultiStage` (default): uses multi-stage Docker build to call chmod ahead of time. - `DockerPermissionStrategy.None`: does not attempt to change the file permissions, and use the host machine's file mode bits. - `DockerPermissionStrategy.Run`: calls `RUN` in the Dockerfile. This has regression on the resulting Docker image file size. - `DockerPermissionStrategy.CopyChown`: calls `COPY --chown` in the Dockerfile. Provided as a backward compatibility. For `MultiStage` and `Run` strategies, `dockerChmodType` is used in addition to call `chmod` during Docker build. - `DockerChmodType.UserGroupReadExecute` (default): chmod -R u=rX,g=rX - `DockerChmodType.UserGroupWriteExecute`: chmod -R u=rwX,g=rwX - `DockerChmodType.SyncGroupToUser`: chmod -R g=u - `DockerChmodType.Custom`: Custom argument provided by the user. Some application will require writing files to the working directory. In that case the setting should be changed as follows: ```scala import com.typesafe.sbt.packager.docker.DockerChmodType dockerChmodType := DockerChmodType.UserGroupWriteExecute ``` During `docker:stage`, Docker package validation is called to check if the selected strategy is compatible with the deteted Docker version. This fixes the current repeatability issue reported as sbt#1187. If the incompatibility is detected, the user is advised to either upgrade their Docker, pick another strategy, or override the `dockerVersion` setting. `daemonGroup` is set to `root` instead of copying the value from the `daemonUser` setting. This matches the semantics of `USER` as well as OpenShift, which uses gid=0. * improve the names in file-permission scritped test * add comment on globalSettings
- Loading branch information
Showing
23 changed files
with
408 additions
and
34 deletions.
There are no files selected for viewing
75 changes: 75 additions & 0 deletions
75
src/main/scala/com/typesafe/sbt/packager/docker/DockerPermissionStrategy.scala
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
package com.typesafe.sbt.packager.docker | ||
|
||
/** | ||
* This represents a strategy to change the file permissions. | ||
*/ | ||
sealed trait DockerPermissionStrategy | ||
object DockerPermissionStrategy { | ||
|
||
/** | ||
* `None` does not attempt to change the file permissions. | ||
* This will inherit the host machine's group bits. | ||
*/ | ||
case object None extends DockerPermissionStrategy | ||
|
||
/** | ||
* `Run` calls `RUN` in the `Dockerfile`. | ||
* This could double the size of the resulting Docker image | ||
* because of the extra layer it creates. | ||
*/ | ||
case object Run extends DockerPermissionStrategy | ||
|
||
/** | ||
* `MultiStage` uses multi-stage Docker build to change | ||
* the file permissions. | ||
* https://docs.docker.com/develop/develop-images/multistage-build/ | ||
*/ | ||
case object MultiStage extends DockerPermissionStrategy | ||
|
||
/** | ||
* `CopyChown` calls `COPY --chown` in the `Dockerfile`. | ||
* This option is provided for backward compatibility. | ||
* This will inherit the host machine's file mode. | ||
* Note that this option is not compatible with OpenShift which ignores | ||
* USER command and uses an arbitrary user to run the container. | ||
*/ | ||
case object CopyChown extends DockerPermissionStrategy | ||
} | ||
|
||
/** | ||
* This represents a type of file permission changes to run on the working directory. | ||
* Note that group file mode bits must be effective to be OpenShift compatible. | ||
*/ | ||
sealed trait DockerChmodType { | ||
def argument: String | ||
} | ||
object DockerChmodType { | ||
|
||
/** | ||
* Gives read permission to users and groups. | ||
* Gives execute permission to users and groups, if +x flag is on for any. | ||
*/ | ||
case object UserGroupReadExecute extends DockerChmodType { | ||
def argument: String = "u=rX,g=rX" | ||
} | ||
|
||
/** | ||
* Gives read and write permissions to users and groups. | ||
* Gives execute permission to users and groups, if +x flag is on for any. | ||
*/ | ||
case object UserGroupWriteExecute extends DockerChmodType { | ||
def argument: String = "u=rwX,g=rwX" | ||
} | ||
|
||
/** | ||
* Copies user file mode bits to group file mode bits. | ||
*/ | ||
case object SyncGroupToUser extends DockerChmodType { | ||
def argument: String = "g=u" | ||
} | ||
|
||
/** | ||
* Use custom argument. | ||
*/ | ||
case class Custom(argument: String) extends DockerChmodType | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.