fix: give permissions to non-root docker user

2026-01-02 05:13:08 +00:00 · 2025-12-19 18:29:31 +03:00 · 2025-12-19 18:29:31 +03:00 · 6997a8da54
commit 6997a8da54
parent 621b7c0bfa
2 changed files with 42 additions and 6 deletions
--- a/sequencer_runner/Dockerfile
+++ b/sequencer_runner/Dockerfile
@ -9,8 +9,6 @@ RUN apt-get update && apt-get install -y \
    clang \
    && rm -rf /var/lib/apt/lists/*

-# RUN find / -regex ".*libcrypto.so.3.*"
-
 WORKDIR /sequencer_runner

 # Planner stage - generates dependency recipe
@ -36,18 +34,22 @@ RUN strip /sequencer_runner/target/release/sequencer_runner
 # Runtime stage - minimal image
 FROM debian:trixie-slim

+# Install runtime dependencies
+RUN apt-get update \
+ && apt-get install -y gosu jq \
+ && rm -rf /var/lib/apt/lists/*
+
 # Create non-root user for security
 RUN useradd -m -u 1000 -s /bin/bash sequencer_user && \
    mkdir -p /sequencer_runner /etc/sequencer_runner && \
    chown -R sequencer_user:sequencer_user /sequencer_runner /etc/sequencer_runner

-WORKDIR /sequencer_runner
-
 # Copy binary from builder
 COPY --from=builder --chown=sequencer_user:sequencer_user /sequencer_runner/target/release/sequencer_runner /usr/local/bin/sequencer_runner

-# Switch to non-root user
-USER sequencer_user
+# Copy entrypoint script
+COPY sequencer_runner/docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh

 # Volume for configuration directory
 VOLUME ["/etc/sequencer_runner"]
@ -69,4 +71,9 @@ HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
 # Run the application
 ENV RUST_LOG=info

+USER root
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+WORKDIR /sequencer_runner
 CMD ["sequencer_runner", "/etc/sequencer_runner"]
--- a/sequencer_runner/docker-entrypoint.sh
+++ b/sequencer_runner/docker-entrypoint.sh
@ -0,0 +1,29 @@
+#!/bin/sh
+
+# This is an entrypoint script for the sequencer_runner Docker container,
+# it's not meant to be executed outside of the container.
+
+set -e
+
+CONFIG="/etc/sequencer_runner/sequencer_config.json"
+
+# Check config file exists
+if [ ! -f "$CONFIG" ]; then
+  echo "Config file not found: $CONFIG" >&2
+  exit 1
+fi
+
+# Parse home dir
+HOME_DIR=$(jq -r '.home' "$CONFIG")
+
+if [ -z "$HOME_DIR" ] || [ "$HOME_DIR" = "null" ]; then
+  echo "'home' key missing in config" >&2
+  exit 1
+fi
+
+# Give permissions to the data directory and switch to non-root user
+if [ "$(id -u)" = "0" ]; then
+  mkdir -p "$HOME_DIR"
+  chown -R sequencer_user:sequencer_user "$HOME_DIR"
+  exec gosu sequencer_user "$@"
+fi