Merge pull request #220 from pelias/docker_permissions

orangejulius · web-flow · commit 0ac8003572a0 · 2020-10-14T06:32:15.000-07:00
deprecate manually assigning DOCKER_USER
diff --git a/README.md b/README.md
@@ -40,6 +40,12 @@ You will need to have a [modern version of `docker`](https://docs.docker.com/eng
 
 This project supports Linux and Mac OSX operatings systems. Windows is currently [not supported](https://github.com/pelias/docker/issues/124).
 
+### Permissions
+
+In order to ensure security, Pelias docker containers, and the `pelias` helper script, will not run as a root user!
+
+Be sure you are running as a non-root user and that this user can execute `docker` commands. See the Docker documentation article [Manage Docker as a non-root user](https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user) to do this.
+
 ## Requirements for Linux
 - Install `util-linux` using your distribution's package manager
   - Alpine Linux: `sudo apk add util-linux`
@@ -95,12 +101,6 @@ mkdir ./data
 sed -i '/DATA_DIR/d' .env
 echo 'DATA_DIR=./data' >> .env
 
-# configure docker to write files as your local user
-# see: https://github.com/pelias/docker#variable-docker_user
-# note: use 'gsed' instead of 'sed' on a Mac
-sed -i '/DOCKER_USER/d' .env
-echo "DOCKER_USER=$(id -u)" >> .env
-
 # run build
 pelias compose pull
 pelias elastic start
@@ -183,7 +183,6 @@ Then use your text editor to modify the `.env` file to reflect your new path, it
 ```bash
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias
-DOCKER_USER=1000
 ```
 
 You can then list the environment variables to ensure they have been correctly set:
@@ -200,9 +199,7 @@ Note: changing the `COMPOSE_PROJECT_NAME` variable is not advisable unless you k
 
 ### Variable: DOCKER_USER
 
-All processes in Pelias containers are run as non-root users. By default, the UID of the processes will be `1000`, which is the first user ID on _most_ Linux systems and is likely to be a good option. However, if restricting file permissions in your data directory to a different user or group is important, this can be overridden by setting the `DOCKER_USER` variable.
-
-This variable can take just a UID or a UID:GID combination such as `1000:1000`. See the [docker-compose](https://docs.docker.com/compose/compose-file/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir) and [docker run](https://docs.docker.com/engine/reference/run/#user) documentation on controlling Docker container users for more information.
+This variable is no longer used, and will be ignored. If you still have it in your `.env` file, you can safely remove it.
 
 ## CLI commands
 
diff --git a/lib/env.sh b/lib/env.sh
@@ -4,8 +4,26 @@ set -e;
 # disable verbose logging
 ENV_DISPLAY_WARNINGS=false
 
+# ensure docker runs containers as the current user (even when running with sudo)
+# note: SUDO_USER is not portable to all systems but its the best we've got.
+function set_docker_user(){
+  CURRENT_USER=$(id -u ${SUDO_USER-${USER}}):$(id -g ${SUDO_USER-${USER}})
+  if [ ! -z "${DOCKER_USER}" ] && [ "${DOCKER_USER}" != "${CURRENT_USER}" ]; then
+    2>&1 printf "WARNING: The DOCKER_USER env var is deprecated, using %s.\n" ${CURRENT_USER}
+    2>&1 echo "Remove the DOCKER_USER line from your .env file to silence this message."
+  fi
+  export DOCKER_USER="${CURRENT_USER}";
+}
+
 # ensure the user environment is correctly set up
 function env_check(){
+  if [ "${DOCKER_USER}" = "0:0" ]; then
+    echo "You are running as root"
+    echo "This is insecure and not supported by Pelias."
+    echo "Please try again as a non-root user."
+    exit 1
+  fi
+
   if [ -z "${DATA_DIR}" ]; then
     echo "You must set the DATA_DIR env var to a valid directory on your local machine."
     echo
@@ -49,5 +67,7 @@ function env_load_stream(){
 #   fi
 # fi
 
+set_docker_user
+
 # ensure the user env is correctly set up
 env_check
diff --git a/projects/australia/.env b/projects/australia/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/australia
-DOCKER_USER=1000
diff --git a/projects/belgium/.env b/projects/belgium/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
-DOCKER_USER=1000
 DATA_DIR=/tmp/pelias/belgium
diff --git a/projects/brazil/.env b/projects/brazil/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/brazil
-DOCKER_USER=1000
diff --git a/projects/france/.env b/projects/france/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/france
-DOCKER_USER=1000
diff --git a/projects/jamaica/.env b/projects/jamaica/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/jamaica
-DOCKER_USER=1000
diff --git a/projects/los-angeles-metro/.env b/projects/los-angeles-metro/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/los-angeles-metro
-DOCKER_USER=1000
diff --git a/projects/netherlands/.env b/projects/netherlands/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
-DOCKER_USER=1000
 DATA_DIR=/tmp/pelias/netherlands
diff --git a/projects/new-york-city/.env b/projects/new-york-city/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/new-york-city
-DOCKER_USER=1000
diff --git a/projects/north-america/.env b/projects/north-america/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/north-america
-DOCKER_USER=1000
diff --git a/projects/planet/.env b/projects/planet/.env
@@ -1,4 +1,3 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/data
-DOCKER_USER=1000
 ENABLE_GEONAMES=true
diff --git a/projects/portland-metro/.env b/projects/portland-metro/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/portland-metro
-DOCKER_USER=1000
diff --git a/projects/san-jose-metro/.env b/projects/san-jose-metro/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/san-jose-metro
-DOCKER_USER=1000
diff --git a/projects/singapore/.env b/projects/singapore/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/singapore
-DOCKER_USER=1000
diff --git a/projects/south-africa/.env b/projects/south-africa/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias_za
 DATA_DIR=/tmp/pelias/pelias_za
-DOCKER_USER=1000
diff --git a/projects/south-america/.env b/projects/south-america/.env
@@ -1,3 +1,2 @@
 COMPOSE_PROJECT_NAME=pelias
-DATA_DIR=/data
-DOCKER_USER=1000
+DATA_DIR=/tmp/pelias/south-america
diff --git a/projects/texas/.env b/projects/texas/.env
@@ -1,4 +1,3 @@
 COMPOSE_PROJECT_NAME=pelias
 DATA_DIR=/tmp/pelias/texas
-DOCKER_USER=1000
 OPENADDRESSES_PARALLELISM=2

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,2 @@`
`1`	`1`	`COMPOSE_PROJECT_NAME=pelias`
`2`	`2`	`DATA_DIR=/tmp/pelias/australia`
`3`		`-DOCKER_USER=1000`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,2 @@`
`1`	`1`	`COMPOSE_PROJECT_NAME=pelias`
`2`	`2`	`DATA_DIR=/tmp/pelias/brazil`
`3`		`-DOCKER_USER=1000`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,2 @@`
`1`	`1`	`COMPOSE_PROJECT_NAME=pelias`
`2`	`2`	`DATA_DIR=/tmp/pelias/france`
`3`		`-DOCKER_USER=1000`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,2 @@`
`1`	`1`	`COMPOSE_PROJECT_NAME=pelias`
`2`	`2`	`DATA_DIR=/tmp/pelias/jamaica`
`3`		`-DOCKER_USER=1000`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,2 @@`
`1`	`1`	`COMPOSE_PROJECT_NAME=pelias`
`2`	`2`	`DATA_DIR=/tmp/pelias/los-angeles-metro`
`3`		`-DOCKER_USER=1000`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,2 @@`
`1`	`1`	`COMPOSE_PROJECT_NAME=pelias`
`2`	`2`	`DATA_DIR=/tmp/pelias/new-york-city`
`3`		`-DOCKER_USER=1000`