diff --git a/deploy/docker/base.dockerfile b/deploy/docker/base.dockerfile index ea1050d733..33a452eb67 100644 --- a/deploy/docker/base.dockerfile +++ b/deploy/docker/base.dockerfile @@ -21,6 +21,8 @@ RUN set -o xtrace \ supervisor curl nfs-common gnupg \ gettext \ ca-certificates \ + libnss-wrapper \ + git \ # Install MongoDB v6, Redis, PostgreSQL v14 && curl -fsSL https://www.mongodb.org/static/pgp/server-6.0.asc | gpg --dearmor -o /usr/share/keyrings/mongodb-server-6.0.gpg \ && echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-6.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-6.0.list \ @@ -28,7 +30,16 @@ RUN set -o xtrace \ && curl --silent --show-error --location https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \ && apt update \ && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes mongodb-org redis postgresql-14 \ - && apt-get clean + && find /etc/redis -type d -exec chmod o+rx {} + -o -type f -exec chmod o+r {} + \ + && apt-get clean \ + && rm -rf \ + /root/.cache \ + /root/.npm \ + /usr/local/share/doc \ + /usr/share/doc \ + /usr/share/man \ + /var/lib/apt/lists/* \ + /tmp/* ENV PATH="/usr/lib/postgresql/14/bin:${PATH}" 
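Review bot: `git` is added to the runtime base image's package list with no comment saying what consumes it at run time, while `libnss-wrapper` right above it is explained by the later symlink step. A git binary in a production image is extra size and attack surface that is normally only wanted in a build stage, so if a runtime consumer does exist it should be named inline, e.g. `git \  # needed at runtime by <consumer — fill in>`, and otherwise the package belongs in a builder stage. The enclosing `RUN set -o xtrace` statement starts before this hunk.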
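Review bot: The new `find /etc/redis ... chmod o+rx / o+r` line makes every file under /etc/redis readable by any uid in the container, which is wider than the non-root startup user the change is targeting; on Debian/Ubuntu that directory holds `redis.conf`, so any `requirepass` or similar value that later lands there is exposed to every process in the image. If the target is an arbitrary non-root uid with gid 0 (the usual random-uid model), the root-group variant `&& chgrp -R 0 /etc/redis && chmod -R g=u /etc/redis \` grants the same access without opening the files to "other"; at minimum a comment should state that nothing secret may be written into /etc/redis. The find expression itself is correct, since `-exec ... {} +` always evaluates true and the `-o` branch is only reached for non-directories.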
@@ -65,23 +76,20 @@ RUN set -o xtrace \ && mkdir -p /opt/caddy \ && version="$(curl --write-out '%{redirect_url}' 'https://github.com/caddyserver/caddy/releases/latest' | sed 's,.*/v,,')" \ && curl --location "https://github.com/caddyserver/caddy/releases/download/v$version/caddy_${version}_linux_$(uname -m | sed 's/x86_64/amd64/; s/aarch64/arm64/').tar.gz" \ - | tar -xz -C /opt/caddy - -RUN mv /opt/caddy/caddy /opt/caddy/caddy_vanilla + | tar -xz -C /opt/caddy && \ + mv /opt/caddy/caddy /opt/caddy/caddy_vanilla COPY --from=caddybuilder /usr/bin/caddy /opt/caddy/caddy -# Clean up -RUN rm -rf \ - /root/.cache \ - /root/.npm \ - /usr/local/share/doc \ - /usr/share/doc \ - /usr/share/man \ - /var/lib/apt/lists/* \ - /tmp/* - VOLUME [ "/appsmith-stacks" ] ENV TMP="/tmp/appsmith" ENV WWW_PATH="$TMP/www" + +# libnss_wrapper.so is written to an architecture-specific directory, so we symlink to it in a common location to make it easier to activate +ENV NSS_WRAPPER_SYMLINK=/usr/local/lib/libnss_wrapper.so +RUN NSS_WRAPPER_LIB=$(find /usr/lib -name libnss_wrapper.so -type f 2>/dev/null | head -n1) && \ + ln -sf "$NSS_WRAPPER_LIB" $NSS_WRAPPER_SYMLINK +# these env vars need to be set for NSS Wrapper to work but don't matter until LD_PRELOAD is set which is optionally done at runtime +ENV NSS_WRAPPER_PASSWD="${TMP}/passwd" +ENV NSS_WRAPPER_GROUP="${TMP}/group" diff --git a/deploy/docker/fs/opt/appsmith/entrypoint.sh b/deploy/docker/fs/opt/appsmith/entrypoint.sh index 77ab4cd5de..8b41b8a06d 100644 --- a/deploy/docker/fs/opt/appsmith/entrypoint.sh +++ b/deploy/docker/fs/opt/appsmith/entrypoint.sh @@ -5,8 +5,6 @@ source pg-utils.sh set -e -tlog "Running as: $(id)" - stacks_path=/appsmith-stacks export APPSMITH_PG_DATABASE="appsmith" 
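Review bot: The `RUN NSS_WRAPPER_LIB=$(find ... 2>/dev/null | head -n1) && ln -sf ...` step has no guard for an empty result: the assignment succeeds even when find matches nothing, `2>/dev/null` hides why, and the build then fails on `ln` with a message that does not mention nss_wrapper, or, if it somehow succeeds, leaves a dangling `NSS_WRAPPER_SYMLINK` that every process will complain about once `LD_PRELOAD` points at it. Suggest splitting and checking explicitly, `RUN NSS_WRAPPER_LIB=$(find /usr/lib -name libnss_wrapper.so -type f | head -n1) && \`, `test -n "$NSS_WRAPPER_LIB" && \`, `ln -sf "$NSS_WRAPPER_LIB" "$NSS_WRAPPER_SYMLINK"`, which also quotes the symlink path. The `NSS_WRAPPER_PASSWD`/`NSS_WRAPPER_GROUP` values are derived from `TMP`, so the comment above them should say that overriding `TMP` at run time moves where the entrypoint must write those files.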
@@ -15,6 +13,23 @@ export MONGODB_TMP_KEY_PATH="$TMP/mongodb-key" # export for use in supervisor p mkdir -pv "$SUPERVISORD_CONF_TARGET" "$WWW_PATH" +if [ "$(id -u)" != "0" ]; then + # if user is non-root setup nss_wrapper + # If this is a container restart, the files may already exist and we want them to remain read-only + if [[ ! -f /tmp/appsmith/passwd ]]; then + echo "appsmith:x:$(id -u):$(id -g):Appsmith:/opt/appsmith:/bin/bash" > /tmp/appsmith/passwd + chmod 444 /tmp/appsmith/passwd + fi + if [[ ! -f /tmp/appsmith/group ]]; then + echo "appsmith:x:$(id -g):" > /tmp/appsmith/group + chmod 444 /tmp/appsmith/group + fi + # NSS_WRAPPER_PASSWD, NSS_WRAPPER_GROUP, and NSS_WRAPPER_SYMLINK are set in Dockerfile + export LD_PRELOAD="$NSS_WRAPPER_SYMLINK" +fi + +tlog "Running as: $(id)" + setup_proxy_variables() { export NO_PROXY="${NO_PROXY-localhost,127.0.0.1}" @@ -429,6 +444,11 @@ check_redis_compatible_page_size() { init_postgres() { # Initialize embedded postgres by default; set APPSMITH_ENABLE_EMBEDDED_DB to 0, to use existing cloud postgres mockdb instance if [[ ${APPSMITH_ENABLE_EMBEDDED_DB: -1} != 0 ]]; then + if [[ "$(id -u)" != "0" ]]; then + tlog "== When running as a non-root user embedded PostgreSQL cannot be used. Please use an external PostgreSQL instance instead." >&2 + exit 1 + fi + tlog "Checking initialized local postgres" POSTGRES_DB_PATH="$stacks_path/data/postgres/main"
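Review bot: The new non-root block writes to the hard-coded paths `/tmp/appsmith/passwd` and `/tmp/appsmith/group`, but nss_wrapper reads `NSS_WRAPPER_PASSWD` and `NSS_WRAPPER_GROUP`, which the Dockerfile derives from `TMP`; if `TMP` is overridden the files are written where the wrapper never looks and every lookup fails silently. Use the exported variables instead, e.g. `echo "appsmith:x:$(id -u):$(id -g):Appsmith:/opt/appsmith:/bin/bash" > "$NSS_WRAPPER_PASSWD"` and `chmod 444 "$NSS_WRAPPER_PASSWD"`, and likewise for the group file. The "keep existing files" branch also trusts whatever is already there: a file left by an earlier start under a different uid (or pre-placed in a shared /tmp volume) is used as the identity source for LD_PRELOAD without being checked, so it is safer to regenerate unconditionally, or at least verify that the existing entry's uid matches `$(id -u)` before keeping it. The mixed `[ ... ]` and `[[ ... ]]` tests in the same block are a style nit.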
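Review bot: The non-root refusal is placed inside `init_postgres`, so it is only reached after the rest of startup has already run and written state, whereas the uid is known from the very first lines of the script. Evaluating `APPSMITH_ENABLE_EMBEDDED_DB` next to the `id -u` block at the top (a presumably small move, since the check depends only on environment) would make the container fail fast with the same message before any files are created; `init_postgres` continues past this hunk, so whether `exit 1` runs in the main shell or a subshell cannot be confirmed from here. Also worth a comment on the new lines: `# embedded postgres requires initdb/ownership that an arbitrary uid does not have` would record why the combination is rejected rather than merely that it is.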