dev: Run web and nodejs containers as host UID:GID
In development mode we run Docker containers built using Blubber
(<https://wikitech.wikimedia.org/wiki/Blubber>) as non-root users. We use
docker-compose to mount the host computer's git clone of the Toolhub project
over the container's /srv/app directory as a volume. At runtime we expect
processes inside the container to modify the mounted volume and for those
modifications to match the UID:GID of the user on the host who launched the
docker-compose stack.

When the host is running macOS and Docker Desktop this all "just works" due to
some magic in the volume driver used by Docker Desktop. Docker for Linux does
not have an obvious analogous solution, so we had to figure out a workaround.

* When generating the user's initial .env file, add LOCAL_UID and LOCAL_GID
  values based on the effective UID/GID of the user on the host system.
* Set the runtime user of our web and nodejs containers to
  "${LOCAL_UID}:${LOCAL_GID}" using the `user` attribute of a docker-compose
  service.
* Create a $HOME directory owned by the runtime $LOCAL_UID user in the nodejs
  container before attempting to execute any `npm ...` commands so that npm
  will be able to create and manage a $HOME/.npm config and cache directory.
* Profit!!

Bug: T295318
Change-Id: I5f66cbde2d894672a996045d1ee5067ff06027ea
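The commit message above relies on the generated .env carrying LOCAL_UID and LOCAL_GID values that match the host user who starts the stack. The POSIX shell function below is an added example, not part of the Toolhub repository or this change: it is a hypothetical preflight check (`check_local_ids`) that reads those two keys from a .env file and reports the failure modes a developer would otherwise only see as a confusing docker-compose error, namely missing or non-numeric values, a recorded UID of 0 (containers would run as root on the bind mount), and values that do not match the invoking user. The file name and return codes are assumptions.

```shell
#!/bin/sh
# check_env_uid.sh (hypothetical helper, not part of Toolhub): verify that a
# .env file carries LOCAL_UID/LOCAL_GID values that are numeric, non-root, and
# match the host user who will run docker-compose.
#
# check_local_ids FILE UID GID
#   returns 0 when FILE holds LOCAL_UID=UID and LOCAL_GID=GID,
#   1 when FILE is missing, 2 when a key is absent or not numeric,
#   3 when LOCAL_UID is 0, 4 when the values do not match UID:GID.
check_local_ids() {
    envfile=$1
    want_uid=$2
    want_gid=$3

    if [ ! -f "$envfile" ]; then
        echo "missing $envfile" >&2
        return 1
    fi

    # Take the last assignment of each key, as docker-compose would.
    have_uid=$(sed -n 's/^LOCAL_UID=//p' "$envfile" | tail -n 1)
    have_gid=$(sed -n 's/^LOCAL_GID=//p' "$envfile" | tail -n 1)

    # An empty value here is what makes compose expand "${LOCAL_UID}:${LOCAL_GID}" to ":".
    case "$have_uid" in
        ''|*[!0-9]*) echo "LOCAL_UID missing or not numeric in $envfile" >&2; return 2 ;;
    esac
    case "$have_gid" in
        ''|*[!0-9]*) echo "LOCAL_GID missing or not numeric in $envfile" >&2; return 2 ;;
    esac

    # A .env generated under sudo records root, which defeats the non-root intent.
    if [ "$have_uid" -eq 0 ]; then
        echo "LOCAL_UID is 0: containers would run as root on the mounted checkout" >&2
        return 3
    fi

    # Files written inside the container get have_uid:have_gid; they must match the host user.
    if [ "$have_uid" != "$want_uid" ] || [ "$have_gid" != "$want_gid" ]; then
        echo "LOCAL_UID:LOCAL_GID=$have_uid:$have_gid but host user is $want_uid:$want_gid" >&2
        return 4
    fi
    return 0
}

# Typical invocation from the repository root before `docker-compose up`:
#   check_local_ids .env "$(id -u)" "$(id -g)" || exit 1
```

Running this before `docker-compose up` turns the "user: ':'" or "permission denied on /srv/app" symptoms into a direct message about the .env file, and catches the case where a developer regenerates .env as a different user than the one who later starts the stack.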
bd808 committed Nov 10, 2021
1 parent 5e0fdc8 commit bf7e295
Showing 2 changed files with 10 additions and 2 deletions.
2 changes: 2 additions & 0 deletions bin/make_env.sh
Expand Up @@ -22,4 +22,6 @@ WIKIMEDIA_OAUTH2_SECRET=d6fa3dc12e064166a9b36ddf8ae37ceb61161e69
ES_HOSTS=search:9200
DJANGO_SUPERUSER_PASSWORD=$(mkpass)
FIREFOX_DEVTOOL_HACK=false
LOCAL_UID=$(id -u)
LOCAL_GID=$(id -g)
_EOF
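Review bot: the two new LOCAL_UID/LOCAL_GID lines are only written when this heredoc generates a fresh .env, so developers who already have a .env get no values at all; document that the file must be regenerated (or the two keys added by hand), since the docker-compose `user:` setting in this same change expands an unset variable to an empty string. Also, `$(id -u)` and `$(id -g)` are evaluated once at generation time, so running make_env.sh under sudo records `LOCAL_UID=0` and the containers then run as root on the bind-mounted checkout; a guard that refuses to write a UID of 0 would be a cheap safeguard.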
10 changes: 8 additions & 2 deletions docker-compose.yaml
Expand Up @@ -6,7 +6,8 @@ services:
context: .
dockerfile: .pipeline/local-python.Dockerfile
image: "toolhub:dev-python"
user: somebody
# T295318: run container as local user to allow Linux mount writes
user: "${LOCAL_UID}:${LOCAL_GID}"
working_dir: /srv/app
command: >
/srv/dockerize/bin/dockerize -wait tcp://db:3306
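Review bot: `user: "${LOCAL_UID}:${LOCAL_GID}"` has no fallback, so when either variable is absent from the environment and the .env file compose substitutes an empty string and hands Docker `user: ":"`, which fails with a message that does not point back at the missing setting; consider `"${LOCAL_UID:?LOCAL_UID is not set, re-run bin/make_env.sh}"` (and the same for LOCAL_GID) so the failure names the cause, or `${LOCAL_UID:-...}` defaults if a silent fallback is preferred. The comment line referencing T295318 is good; it would be worth adding that the numeric UID has no entry in the image's /etc/passwd, since the previous `somebody` user did.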
Expand Down Expand Up @@ -69,12 +70,17 @@ services:
context: .
dockerfile: .pipeline/dev-nodejs.Dockerfile
image: "toolhub:dev-nodejs"
user: somebody
# T295318: run container as local user to allow Linux mount writes
user: "${LOCAL_UID}:${LOCAL_GID}"
working_dir: /srv/app
command:
# T295318: make a $HOME as $LOCAL_UID user so that npm has a place
# to cache files with the ownership it expects.
- bash
- -c
- >-
mkdir -p /tmp/runtime-home &&
export HOME=/tmp/runtime-home &&
npm install &&
npm run serve:vue
volumes:
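Review bot: the runtime home is created at /tmp/runtime-home inside the container, which is not a volume, so the npm cache under it is discarded whenever the container is recreated and `npm install` starts cold on every `docker-compose up`; if that is the intended trade-off for keeping npm's files off the host checkout, say so in the T295318 comment, otherwise a named volume mounted at that path keeps the cache across restarts without writing to /srv/app. Minor: `export HOME=/tmp/runtime-home` could be set through the service's `environment:` key instead of inside the `bash -c` string, leaving the command to the `mkdir -p` and the two npm steps; the `&&` chaining is correct as written, since a failed `npm install` stops before `npm run serve:vue`.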
