dragonflydb-dragonfly/tools/docker/entrypoint.sh

#!/bin/sh

# This is important in order to provide enough locked memory to dragonfly
# when running on kernels < 5.12.
# This line should reside before `set -e` so it could fail silently
# in case the container runs in non-privileged mode.
ulimit -l 65000 2> /dev/null

set -e

# first arg is `-some-option`
if [ "${1#-}" != "$1" ]; then
    # override arguments by prepending "dragonfly --logtostderr" to them.
    set -- dragonfly --logtostderr "$@"
fi

# allow the docker container to be started with `--user`
if [ "$1" = 'dragonfly' -a "$(id -u)" = '0' ]; then
    # find all the files in the WORKDIR including the dir itself that do not
    # have dfly user on them and chmod them to dfly.
    find . \! -user dfly -exec chown dfly '{}' +
    # runs this script under user dfly
    exec setpriv --reuid=dfly --regid=dfly --clear-groups -- "$0" "$@"
fi

um="$(umask)"
if [ "$um" = '0022' ]; then
    umask 0077  # restrict access permissions only to the owner
fi

exec "$@"
Add Dockerfile for prod container. Reorganize source tree to be docker-build friendly. 2022-02-25 08:03:42 +00:00			`#!/bin/sh`

feat(docker): try increasing a memlock limit in the container (#114) feat(docker): try increasing a memlock limit in DF container. This should solve the awkward command overrides in K8S scripts. Fixes #57. 2022-06-07 11:33:55 +00:00			`# This is important in order to provide enough locked memory to dragonfly`
			`# when running on kernels < 5.12.`
			# This line should reside before `set -e` so it could fail silently
			`# in case the container runs in non-privileged mode.`
			`ulimit -l 65000 2> /dev/null`

Add Dockerfile for prod container. Reorganize source tree to be docker-build friendly. 2022-02-25 08:03:42 +00:00			`set -e`

Improve docker entry point script. Change default port to 6379. Log data directory path. 2022-04-08 05:54:53 +00:00			# first arg is `-some-option`
Add Dockerfile for prod container. Reorganize source tree to be docker-build friendly. 2022-02-25 08:03:42 +00:00			`if [ "${1#-}" != "$1" ]; then`
Improve docker entry point script. Change default port to 6379. Log data directory path. 2022-04-08 05:54:53 +00:00			`# override arguments by prepending "dragonfly --logtostderr" to them.`
fix: named volume permissions in docker (#3518) Fixes #2917 The problem is described in this "working as intended" issue https://github.com/moby/moby/issues/3124 So the advised approach of using "USER dfly" directive does not really work because it requires that the host will also define 'dfly' user with the same id. It's unrealistic expectation. Therefore, we revert the fix done in #1775 and follow valkey approach: https://github.com/valkey-io/valkey-container/blob/mainline/docker-entrypoint.sh#L12 1. we run the entrypoint in the container as root which later spawns the dragonfly process 2. if we run as root: a. we chmod files under /data to dfly. b. use setpriv to exec ourselves as dfly. 3. if we do not run as root we execute the docker command. So even though the process starts as root, the server runs as dfly and only the bootstrap part has elevated permissions is used to fix the volume access. While we are at it, we also switched to setpriv following the change of https://github.com/valkey-io/valkey-container/pull/24/files Signed-off-by: Roman Gershman <roman@dragonflydb.io> 2024-08-22 08:33:29 +00:00			`set -- dragonfly --logtostderr "$@"`
Add Dockerfile for prod container. Reorganize source tree to be docker-build friendly. 2022-02-25 08:03:42 +00:00			`fi`

			# allow the docker container to be started with `--user`
			`if [ "$1" = 'dragonfly' -a "$(id -u)" = '0' ]; then`
fix: named volume permissions in docker (#3518) Fixes #2917 The problem is described in this "working as intended" issue https://github.com/moby/moby/issues/3124 So the advised approach of using "USER dfly" directive does not really work because it requires that the host will also define 'dfly' user with the same id. It's unrealistic expectation. Therefore, we revert the fix done in #1775 and follow valkey approach: https://github.com/valkey-io/valkey-container/blob/mainline/docker-entrypoint.sh#L12 1. we run the entrypoint in the container as root which later spawns the dragonfly process 2. if we run as root: a. we chmod files under /data to dfly. b. use setpriv to exec ourselves as dfly. 3. if we do not run as root we execute the docker command. So even though the process starts as root, the server runs as dfly and only the bootstrap part has elevated permissions is used to fix the volume access. While we are at it, we also switched to setpriv following the change of https://github.com/valkey-io/valkey-container/pull/24/files Signed-off-by: Roman Gershman <roman@dragonflydb.io> 2024-08-22 08:33:29 +00:00			`# find all the files in the WORKDIR including the dir itself that do not`
			`# have dfly user on them and chmod them to dfly.`
			`find . \! -user dfly -exec chown dfly '{}' +`
			`# runs this script under user dfly`
			`exec setpriv --reuid=dfly --regid=dfly --clear-groups -- "$0" "$@"`
			`fi`

			`um="$(umask)"`
			`if [ "$um" = '0022' ]; then`
			`umask 0077 # restrict access permissions only to the owner`
Add Dockerfile for prod container. Reorganize source tree to be docker-build friendly. 2022-02-25 08:03:42 +00:00			`fi`

			`exec "$@"`