logos-blockchain/lssa
1
0
Fork 0
mirror of https://github.com/logos-blockchain/lssa.git synced 2026-01-02 05:13:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: give permissions to non-root docker user

Browse Source
This commit is contained in:
Daniil Polyakov 2025-12-19 18:29:31 +03:00
parent 621b7c0bfa
commit 6997a8da54
2 changed files with 42 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
sequencer_runner/Dockerfile
View File

@ -9,8 +9,6 @@ RUN apt-get update && apt-get install -y \
clang \ clang \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# RUN find / -regex ".*libcrypto.so.3.*"
WORKDIR /sequencer_runner WORKDIR /sequencer_runner
# Planner stage - generates dependency recipe # Planner stage - generates dependency recipe
@ -36,18 +34,22 @@ RUN strip /sequencer_runner/target/release/sequencer_runner
# Runtime stage - minimal image # Runtime stage - minimal image
FROM debian:trixie-slim FROM debian:trixie-slim
# Install runtime dependencies
RUN apt-get update \
&& apt-get install -y gosu jq \
&& rm -rf /var/lib/apt/lists/*
# Create non-root user for security # Create non-root user for security
RUN useradd -m -u 1000 -s /bin/bash sequencer_user && \ RUN useradd -m -u 1000 -s /bin/bash sequencer_user && \
mkdir -p /sequencer_runner /etc/sequencer_runner && \ mkdir -p /sequencer_runner /etc/sequencer_runner && \
chown -R sequencer_user:sequencer_user /sequencer_runner /etc/sequencer_runner chown -R sequencer_user:sequencer_user /sequencer_runner /etc/sequencer_runner
WORKDIR /sequencer_runner
# Copy binary from builder # Copy binary from builder
COPY --from=builder --chown=sequencer_user:sequencer_user /sequencer_runner/target/release/sequencer_runner /usr/local/bin/sequencer_runner COPY --from=builder --chown=sequencer_user:sequencer_user /sequencer_runner/target/release/sequencer_runner /usr/local/bin/sequencer_runner
# Switch to non-root user # Copy entrypoint script
USER sequencer_user COPY sequencer_runner/docker-entrypoint.sh /docker-entrypoint.sh
RUN chmod +x /docker-entrypoint.sh
# Volume for configuration directory # Volume for configuration directory
VOLUME ["/etc/sequencer_runner"] VOLUME ["/etc/sequencer_runner"]
@ -69,4 +71,9 @@ HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
# Run the application # Run the application
ENV RUST_LOG=info ENV RUST_LOG=info
USER root
ENTRYPOINT ["/docker-entrypoint.sh"]
WORKDIR /sequencer_runner
CMD ["sequencer_runner", "/etc/sequencer_runner"] CMD ["sequencer_runner", "/etc/sequencer_runner"]

29
sequencer_runner/docker-entrypoint.sh Normal file
View File

@ -0,0 +1,29 @@
#!/bin/sh
# This is an entrypoint script for the sequencer_runner Docker container,
# it's not meant to be executed outside of the container.
set -e
CONFIG="/etc/sequencer_runner/sequencer_config.json"
# Check config file exists
if [ ! -f "$CONFIG" ]; then
echo "Config file not found: $CONFIG" >&2
exit 1
fi
# Parse home dir
HOME_DIR=$(jq -r '.home' "$CONFIG")
if [ -z "$HOME_DIR" ] || [ "$HOME_DIR" = "null" ]; then
echo "'home' key missing in config" >&2
exit 1
fi
# Give permissions to the data directory and switch to non-root user
if [ "$(id -u)" = "0" ]; then
mkdir -p "$HOME_DIR"
chown -R sequencer_user:sequencer_user "$HOME_DIR"
exec gosu sequencer_user "$@"
fi