Use deterministic UID/GID in Dockerfile #1555 (#1569)

Signed-off-by: tdruez <[email protected]>

Author: tdruez

CHANGELOG.rst

@@ -4,6 +4,13 @@ Changelog
 v35.4.0 (unreleased)
 --------------------
 
+- Use deterministic UID/GID in Dockerfile.
+  A temporary ``chown`` service is now started in the ``docker-compose`` stack
+  to fix the permissions. This process is only fully run once.
+  You may manually run this process using the following:
+  ``$ chown -R 1000:1000 /var/scancodeio/``
+  https://github.com/aboutcode-org/scancode.io/issues/1555
+
 - Resolve and load dependencies from SPDX SBOMs.
   https://github.com/aboutcode-org/scancode.io/issues/1145
 

Dockerfile

@@ -26,17 +26,23 @@ LABEL org.opencontainers.image.source="https://github.com/aboutcode-org/scancode
 LABEL org.opencontainers.image.description="ScanCode.io"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
 
-ENV APP_NAME scancodeio
-ENV APP_USER app
-ENV APP_DIR /opt/$APP_NAME
-ENV VENV_LOCATION /opt/$APP_NAME/.venv
+# Set default values for APP_UID and APP_GID at build-time
+ARG APP_UID=1000
+ARG APP_GID=1000
+
+ENV APP_NAME=scancodeio
+ENV APP_USER=app
+ENV APP_UID=${APP_UID}
+ENV APP_GID=${APP_GID}
+ENV APP_DIR=/opt/$APP_NAME
+ENV VENV_LOCATION=/opt/$APP_NAME/.venv
 
 # Force Python unbuffered stdout and stderr (they are flushed to terminal immediately)
-ENV PYTHONUNBUFFERED 1
+ENV PYTHONUNBUFFERED=1
 # Do not write Python .pyc files
-ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONDONTWRITEBYTECODE=1
 # Add the app dir in the Python path for entry points availability
-ENV PYTHONPATH $PYTHONPATH:$APP_DIR
+ENV PYTHONPATH=$PYTHONPATH:$APP_DIR
 
 # OS requirements as per
 # https://scancode-toolkit.readthedocs.io/en/latest/getting-started/install.html
@@ -64,27 +70,24 @@ RUN apt-get update \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-# Create the APP_USER group and user
-RUN addgroup --system $APP_USER \
- && adduser --system --group --home=$APP_DIR $APP_USER \
- && chown $APP_USER:$APP_USER $APP_DIR
-
-# Create the /var/APP_NAME directory with proper permission for APP_USER
-RUN mkdir -p /var/$APP_NAME \
+# Create the APP_USER group, user, and directory with specific UID and GID
+RUN groupadd --gid $APP_GID --system $APP_USER \
+ && useradd --uid $APP_UID --gid $APP_GID --home-dir $APP_DIR --system --create-home $APP_USER \
+ && chown $APP_USER:$APP_USER $APP_DIR \
+ && mkdir -p /var/$APP_NAME \
  && chown $APP_USER:$APP_USER /var/$APP_NAME
 
 # Setup the work directory and the user as APP_USER for the remaining stages
 WORKDIR $APP_DIR
 USER $APP_USER
 
+# Create static/ and workspace/ directories
+RUN mkdir -p /var/$APP_NAME/static/ /var/$APP_NAME/workspace/
+
 # Create the virtualenv
 RUN python -m venv $VENV_LOCATION
 # Enable the virtualenv, similar effect as "source activate"
-ENV PATH $VENV_LOCATION/bin:$PATH
-
-# Create static/ and workspace/ directories
-RUN mkdir -p /var/$APP_NAME/static/ \
- && mkdir -p /var/$APP_NAME/workspace/
+ENV PATH=$VENV_LOCATION/bin:$PATH
 
 # Install the dependencies before the codebase COPY for proper Docker layer caching
 COPY --chown=$APP_USER:$APP_USER pyproject.toml $APP_DIR/

docker-compose.yml

@@ -8,6 +8,11 @@ services:
       - db_data:/var/lib/postgresql/data/
     shm_size: "1gb"
     restart: always
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
 
   redis:
     image: docker.io/library/redis:latest
@@ -18,12 +23,45 @@ services:
       - redis_data:/data
     restart: always
 
+  # This service is responsible for ensuring the correct ownership of files
+  # in the shared volumes used by the application (static and workspace).
+  # It ensures that all files inside the `/var/scancodeio/` directory are owned
+  # by the user and group with the UID and GID defined in the environment variables
+  # APP_UID and APP_GID, which default to 1000 if not set.
+  #
+  # The service runs only once (due to "restart: no") and performs a `chown` operation
+  # to change the ownership of the static and workspace directories, ensuring proper
+  # file access rights for the running application containers.
+  #
+  # Volumes mounted:
+  # - static: Ensures the ownership of static files in the /var/scancodeio/static directory
+  # - media: Ensures the ownership of media files in the /var/scancodeio/workspace directory
+  #
+  # Notes: This service can be removed in future ScanCode.io release.
+  chown:
+    image: docker.io/library/alpine:latest
+    restart: "no"
+    command: sh -c "
+      if [ ! -f /var/scancodeio/workspace/.chown_done ]; then
+        chown -R ${APP_UID:-1000}:${APP_GID:-1000} /var/scancodeio/ &&
+        touch /var/scancodeio/workspace/.chown_done;
+        echo 'Chown applied!';
+      else
+        echo 'Chown already applied, skipping...';
+      fi"
+    env_file:
+      - docker.env
+    volumes:
+      - static:/var/scancodeio/static/
+      - workspace:/var/scancodeio/workspace/
+
   web:
     build: .
-    command: wait-for-it --strict --timeout=60 db:5432 -- sh -c "
+    command: sh -c "
         ./manage.py migrate &&
         ./manage.py collectstatic --no-input --verbosity 0 --clear &&
-        gunicorn scancodeio.wsgi:application --bind :8000 --timeout 600 --workers 8 ${GUNICORN_RELOAD_FLAG:-}"
+        gunicorn scancodeio.wsgi:application --bind :8000 --timeout 600 \
+          --workers 8 ${GUNICORN_RELOAD_FLAG:-}"
     env_file:
       - docker.env
     expose:
@@ -34,12 +72,17 @@ services:
       - workspace:/var/scancodeio/workspace/
       - static:/var/scancodeio/static/
     depends_on:
-      - db
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_started
+      chown:
+        condition: service_completed_successfully
 
   worker:
     build: .
     # Ensure that potential db migrations run first by waiting until "web" is up
-    command: wait-for-it --strict --timeout=120 web:8000 -- sh -c "
+    command: wait-for-it --strict --timeout=600 web:8000 -- sh -c "
         ./manage.py rqworker --worker-class scancodeio.worker.ScanCodeIOWorker
                              --queue-class scancodeio.worker.ScanCodeIOQueue
                              --verbosity 1"
@@ -53,6 +96,7 @@ services:
       - redis
       - db
       - web
+      - chown
 
   nginx:
     image: docker.io/library/nginx:alpine