entrypoint-aws-batch: Allow overwriting of existing files during ZIP archive extraction

This allows Nextstrain CLI's --augur, --auspice, etc. overlays to start
working with AWS Batch when previously they did not, by bundling them up
with appropriate ../ path parts into the workdir ZIP archive.

See "entrypoint-aws-batch: Keep ../ path parts in ZIP archive members
during extraction" (e05ddfb) for the rationale of why this is not
particularly unsafe.

Author: tsibley

Dockerfile

@@ -399,9 +399,17 @@ COPY --from=builder-build-platform /usr/lib/node_modules/ /usr/lib/node_modules/
 # correctly discovered by node.
 RUN ln -sv /usr/lib/node_modules/auspice/auspice.js /usr/local/bin/auspice
 
+# Setup a non-root user for optional use
+RUN useradd nextstrain \
+    --system \
+    --user-group \
+    --shell /bin/bash \
+    --home-dir /nextstrain \
+    --no-log-init
+
 # Add Nextstrain components
-COPY --from=builder-build-platform  /nextstrain /nextstrain
-COPY --from=builder-target-platform /nextstrain /nextstrain
+COPY --from=builder-build-platform  --chown=nextstrain:nextstrain /nextstrain /nextstrain
+COPY --from=builder-target-platform --chown=nextstrain:nextstrain /nextstrain /nextstrain
 
 # Add our entrypoints and helpers
 COPY entrypoint entrypoint-aws-batch drop-privs create-envd delete-envd /sbin/
@@ -411,14 +419,6 @@ RUN chmod a+rx /sbin/entrypoint* /sbin/drop-privs /sbin/{create,delete}-envd
 RUN chmod a+rwXt /nextstrain
 ENV HOME=/nextstrain
 
-# Setup a non-root user for optional use
-RUN useradd nextstrain \
-    --system \
-    --user-group \
-    --shell /bin/bash \
-    --home-dir /nextstrain \
-    --no-log-init
-
 # No nesting of runtimes, please.  Use the ambient runtime inside this runtime.
 ENV NEXTSTRAIN_HOME=/nextstrain
 RUN nextstrain check-setup --set-default ambient \

entrypoint-aws-batch

@@ -8,7 +8,7 @@ set -x
 case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
     s3://*.zip)
         aws s3 cp --no-progress "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" "$PWD.zip"
-        unzip -: "$PWD.zip"
+        unzip -: -o "$PWD.zip"
         ;;
     s3://*)
         # Note that this doesn't preserve file permissions/modes.