diff --git a/Dockerfile.in b/Dockerfile.in index d227e2735..07401adda 100644 --- a/Dockerfile.in +++ b/Dockerfile.in @@ -12,6 +12,38 @@ # See the License for the specific language governing permissions and # limitations under the License. +# HOW TO USE THIS CONTAINER: +# +# For most users, the simplest way to use this container is to mount a volume +# on /git. The only commandline argument (or env var) that is really required +# is `--repo` ($GIT_SYNC_REPO). Everything else is optional (run this with +# `--man` for details). +# +# This container will run as UID:GID 65533:65533 by default, and unless you +# change that, you do not need to think about permissions much. If you run +# into permissions problems, this might help: +# +# - User does not mount a volume +# => should work, but limited utility +# +# - User mounts a new docker volume on /git +# => should work +# +# - User mounts an existing docker volume on /git +# => if the volume already exists with compatible permissions it should work +# => if the volume already exists with different permissions you can either +# set the container UID or GID(s) or you can chown the volume +# +# - User mounts an existing dir on /git +# => set container UID or GID(s) to be able to access that dir +# +# - User sets a different UID and git-sync GID +# => should work +# +# - User sets a different GID +# => either add the git-sync GID or else set --root, mount a volume, +# and manage volume permissions to access that volume + FROM {ARG_FROM} RUN apt-get update \ @@ -24,14 +56,33 @@ RUN apt-get update \ openssh-client \ && rm -rf /var/lib/apt/lists/* -# By default we will run as this user... +# Add the default UID to /etc/passwd so SSH is satisfied. RUN echo "git-sync:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd -# ...but the user might choose a different UID and pass --add-user -# which needs to be able to write to /etc/passwd. +# A user might choose a different UID and set the --add-user flag, which needs +# to be able to write to /etc/passwd. RUN chmod 0666 /etc/passwd -ADD bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN} +# Add the default GID to /etc/group for completeness. +RUN echo "git-sync:x:65533:git-sync" >> /etc/group -WORKDIR /tmp +# Make a directory that can be used to mount volumes. Git-sync itself does not +# default the --root ($GIT_SYNC_ROOT) flag, but we can set a default here, +# which makes the container image easier to use. Setting the mode to include +# group-write allows users to run this image as a different user, as long as +# they use our git-sync group. If the user needs a different group or sets +# $GIT_SYNC_ROOT or --root, their values will override this, and we assume they +# are handling permissions themselves. +ENV GIT_SYNC_ROOT=/git +RUN mkdir -m 02775 /git && chown 65533:65533 /git + +# Run as non-root by default. There's simply no reason to run as root. USER 65533:65533 + +# Setting HOME ensures that whatever UID this ultimately runs as can write to +# files like ~/.gitconfig. +ENV HOME=/tmp +WORKDIR /tmp + +# Just dump the binary in the root. +ADD bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN} ENTRYPOINT ["/{ARG_BIN}"]