mirror of
https://github.com/ipfs/kubo.git
synced 2025-06-26 23:53:19 +08:00
docker: Automatically fix permissions
This patch is delaying the point where permissions are dropped into the `start_ipfs` script. This way, instead of exiting on permission issues, we can fix them on our own inside the script, then drop privileges and continue doing ipfs specific stuff with the correct user. I've removed the `chmod 0777` step from the readme since it's not needed anymore. License: MIT Signed-off-by: kpcyrd <git@rxv.cc>
This commit is contained in:
kpcyrd
29
Dockerfile
29
Dockerfile
@ -13,10 +13,6 @@ EXPOSE 4002/udp
|
||||
EXPOSE 5001
|
||||
EXPOSE 8080
|
||||
|
||||
# Volume for mounting an IPFS fs-repo
|
||||
# This is moved to the bottom for technical reasons.
|
||||
#VOLUME $IPFS_PATH
|
||||
|
||||
# IPFS API to use for fetching gx packages.
|
||||
# This can be a gateway too, since its read-only API provides all gx needs.
|
||||
# - e.g. /ip4/172.17.0.1/tcp/8080 if the Docker host
|
||||
@ -33,14 +29,17 @@ ENV GOPATH /go
|
||||
ENV PATH /go/bin:$PATH
|
||||
ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs
|
||||
|
||||
# Expose the fs-repo as a volume.
|
||||
# start_ipfs initializes an fs-repo if none is mounted
|
||||
VOLUME $IPFS_PATH
|
||||
|
||||
# Get the go-ipfs sourcecode
|
||||
COPY . $SRC_PATH
|
||||
|
||||
RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
|
||||
# Setup user and fs-repo directory
|
||||
&& mkdir -p $IPFS_PATH \
|
||||
RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
|
||||
&& apk add --no-cache tini su-exec bash wget ca-certificates \
|
||||
# Setup user
|
||||
&& adduser -D -h $IPFS_PATH -u 1000 ipfs \
|
||||
&& chown ipfs:ipfs $IPFS_PATH && chmod 755 $IPFS_PATH \
|
||||
# Install gx
|
||||
&& go get -u github.com/whyrusleeping/gx \
|
||||
&& go get -u github.com/whyrusleeping/gx-go \
|
||||
@ -58,22 +57,12 @@ RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
|
||||
&& cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
|
||||
&& chmod 755 /usr/local/bin/start_ipfs \
|
||||
# Remove all build-time dependencies
|
||||
&& apk del --purge musl-dev gcc go git && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
|
||||
|
||||
# Call uid 1000 "ipfs"
|
||||
USER ipfs
|
||||
|
||||
# Expose the fs-repo as a volume.
|
||||
# We're doing this down here (and not at the top),
|
||||
# so that the overlay directory is owned by the ipfs user.
|
||||
# start_ipfs initializes an ephemeral fs-repo if none is mounted,
|
||||
# which is why uid=1000 needs write permissions there.
|
||||
VOLUME $IPFS_PATH
|
||||
&& apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
|
||||
|
||||
# This just makes sure that:
|
||||
# 1. There's an fs-repo, and initializes one if there isn't.
|
||||
# 2. The API and Gateway are accessible from outside the container.
|
||||
ENTRYPOINT ["/usr/local/bin/start_ipfs"]
|
||||
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]
|
||||
|
||||
# Execute the daemon subcommand by default
|
||||
CMD ["daemon", "--migrate=true"]
|
||||
|
||||
@ -19,6 +19,8 @@ ENV GOPATH /go
|
||||
ENV PATH /go/bin:$PATH
|
||||
ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs
|
||||
|
||||
VOLUME $IPFS_PATH
|
||||
|
||||
# This is an optimization which avoids rebuilding
|
||||
# of the gx dependencies every time anything changes.
|
||||
# gx will only be invoked if the dependencies have changed.
|
||||
@ -28,10 +30,9 @@ ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs
|
||||
# and trigger a re-run of all following commands.
|
||||
COPY ./package.json $SRC_PATH/package.json
|
||||
|
||||
RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
|
||||
&& mkdir -p $IPFS_PATH \
|
||||
RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
|
||||
&& apk add --no-cache tini su-exec bash wget ca-certificates \
|
||||
&& adduser -D -h $IPFS_PATH -u 1000 ipfs \
|
||||
&& chown ipfs:ipfs $IPFS_PATH && chmod 755 $IPFS_PATH \
|
||||
&& go get -u github.com/whyrusleeping/gx \
|
||||
&& go get -u github.com/whyrusleeping/gx-go \
|
||||
&& ([ -z "$GX_IPFS" ] || echo $GX_IPFS > $IPFS_PATH/api) \
|
||||
@ -48,9 +49,7 @@ RUN cd $SRC_PATH \
|
||||
&& cp ipfs /usr/local/bin/ipfs \
|
||||
&& cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
|
||||
&& chmod 755 /usr/local/bin/start_ipfs \
|
||||
&& apk del --purge musl-dev gcc go git && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
|
||||
&& apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
|
||||
|
||||
USER ipfs
|
||||
VOLUME $IPFS_PATH
|
||||
ENTRYPOINT ["/usr/local/bin/start_ipfs"]
|
||||
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]
|
||||
CMD ["daemon", "--migrate=true"]
|
||||
|
||||
@ -237,11 +237,6 @@ IPFS files that will persist when you restart the container.
|
||||
export ipfs_staging=</absolute/path/to/somewhere/>
|
||||
export ipfs_data=</absolute/path/to/somewhere_else/>
|
||||
|
||||
Make sure docker can access these folders:
|
||||
|
||||
sudo chmod -R 777 /absolute/path/to/somewhere/
|
||||
sudo chmod -R 777 /absolute/path/to/somewhere_else/
|
||||
|
||||
Start a container running ipfs and expose ports 4001, 5001 and 8080:
|
||||
|
||||
docker run -d --name ipfs_host -v $ipfs_staging:/export -v $ipfs_data:/data/ipfs -p 8080:8080 -p 4001:4001 -p 5001:5001 ipfs/go-ipfs:latest
|
||||
|
||||
@ -1,14 +1,16 @@
|
||||
#!/bin/sh
|
||||
|
||||
user=$(whoami)
|
||||
set -e
|
||||
user=ipfs
|
||||
repo="$IPFS_PATH"
|
||||
|
||||
# Test whether the mounted directory is writable for us
|
||||
if [ ! -w "$repo" 2>/dev/null ]; then
|
||||
echo "error: $repo is not writable for user $user (uid=$(id -u $user))"
|
||||
exit 1
|
||||
if [ `id -u` -eq 0 ]; then
|
||||
# ensure folder is writable
|
||||
su-exec "$user" test -w "$repo" || chown -R -- "$user" "$repo"
|
||||
# restart script with new privileges
|
||||
exec su-exec "$user" "$0" "$@"
|
||||
fi
|
||||
|
||||
# 2nd invocation with regular user
|
||||
ipfs version
|
||||
|
||||
if [ -e "$repo/config" ]; then
|
||||
|
||||
Reference in New Issue
Block a user