
don't hardcode UID/GID for runtime

Christian Winther 1 년 전
부모
커밋
6244511cf8

+ 12 - 6
contrib/docker/Dockerfile

@@ -17,6 +17,8 @@ ARG PHP_EXTENSIONS_EXTRA=""
 ARG PHP_EXTENSIONS="intl bcmath zip pcntl exif curl gd"
 ARG PHP_VERSION="8.1"
 ARG APT_PACKAGES_EXTRA=""
+ARG RUNTIME_UID=33
+ARG RUNTIME_GID=33
 
 # GPG key for nginx apt repository
 ARG NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
@@ -56,6 +58,8 @@ FROM php:${PHP_VERSION}-${PHP_BASE_TYPE}-${PHP_DEBIAN_RELEASE} AS base
 ARG PHP_VERSION
 ARG PHP_DEBIAN_RELEASE
 ARG APT_PACKAGES_EXTRA
+ARG RUNTIME_UID
+ARG RUNTIME_GID
 
 ARG TARGETPLATFORM
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
@@ -67,7 +71,7 @@ SHELL ["/bin/bash", "-c"]
 
 RUN set -ex \
 	&& mkdir -pv /var/www/ \
-	&& chown -R 33:33 /var/www
+	&& chown -R ${RUNTIME_UID}:${RUNTIME_GID} /var/www
 
 WORKDIR /var/www/
 
@@ -193,6 +197,8 @@ FROM base AS composer-and-src
 
 ARG PHP_VERSION
 ARG PHP_DEBIAN_RELEASE
+ARG RUNTIME_UID
+ARG RUNTIME_GID
 ARG TARGETPLATFORM
 
 # Make sure composer cache is targeting our cache mount later
@@ -207,11 +213,11 @@ ENV COMPOSER_NO_INTERACTION=1
 # Copy composer from https://hub.docker.com/_/composer
 COPY --link --from=composer-image /usr/bin/composer /usr/bin/composer
 
-#! Changing user to 33
-USER 33:33
+#! Changing user to runtime user
+USER ${RUNTIME_UID}:${RUNTIME_GID}
 
 # Copy over only composer related files so docker layer cache isn't invalidated on PHP file changes
-COPY --link --chown=33:33 composer.json composer.lock /var/www/
+COPY --link --chown=${RUNTIME_UID}:${RUNTIME_GID} composer.json composer.lock /var/www/
 
 # Install composer dependencies
 # NOTE: we skip the autoloader generation here since we don't have all files avaliable (yet)
@@ -220,7 +226,7 @@ RUN --mount=type=cache,id=pixelfed-composer-${PHP_VERSION}-${PHP_DEBIAN_RELEASE}
 	&& composer install --prefer-dist --no-autoloader --ignore-platform-reqs
 
 # Copy all other files over
-COPY --link --chown=33:33 . /var/www/
+COPY --link --chown=${RUNTIME_UID}:${RUNTIME_GID} . /var/www/
 
 # Generate optimized autoloader now that we have all files around
 RUN set -ex \
@@ -237,7 +243,7 @@ FROM base AS shared-runtime
 
 COPY --link --from=php-extensions /usr/local/lib/php/extensions /usr/local/lib/php/extensions
 COPY --link --from=php-extensions /usr/local/etc/php /usr/local/etc/php
-COPY --link --from=composer-and-src --chown=33:33 /var/www /var/www
+COPY --link --from=composer-and-src --chown=${RUNTIME_UID}:${RUNTIME_GID} /var/www /var/www
 COPY --link --from=forego-image /usr/local/bin/forego /usr/local/bin/forego
 COPY --link contrib/docker/php.production.ini "$PHP_INI_DIR/php.ini"
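Review bot: RUNTIME_UID and RUNTIME_GID are declared only as ARG (the `ARG RUNTIME_UID` / `ARG RUNTIME_GID` lines added to the base stage), so they exist at build time but are not part of the container's environment, while the entrypoint scripts changed in this same commit (`lib.sh`, `10-storage.sh`) expand `${RUNTIME_UID}` and `${RUNTIME_GID}` under `set -o nounset`. Unless an ENV mirror exists in a part of the Dockerfile not shown here, the entrypoint will abort with an unbound-variable error on first start. Adding `ENV RUNTIME_UID=${RUNTIME_UID} RUNTIME_GID=${RUNTIME_GID}` directly after the two ARG lines in the base stage makes the values available to every derived stage and to the running container. The base stage begins before and continues past this hunk.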
 

+ 3 - 3
contrib/docker/shared/docker-entrypoint.d/10-storage.sh

@@ -4,10 +4,10 @@ set -o errexit -o nounset -o pipefail
 source /lib.sh
 
 entrypoint_log "==> Create the storage tree if needed"
-as_www_user cp --recursive storage.skel/* storage/
+as_runtime_user cp --recursive storage.skel/* storage/
 
 entrypoint_log "==> Ensure storage is linked"
-as_www_user php artisan storage:link
+as_runtime_user php artisan storage:link
 
 entrypoint_log "==> Ensure permissions are correct"
-chown --recursive www-data:www-data storage/ bootstrap/
+chown --recursive ${RUNTIME_UID}:${RUNTIME_GID} storage/ bootstrap/
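Review bot: The new `chown --recursive ${RUNTIME_UID}:${RUNTIME_GID} storage/ bootstrap/` expands both variables unquoted; `set -o nounset` catches an unset value, but quoting keeps the owner spec a single word whatever the values contain, so prefer `chown --recursive "${RUNTIME_UID}:${RUNTIME_GID}" storage/ bootstrap/`. The script now also requires both variables to be present in the container environment rather than only as build args, which deserves a one-line comment near the top of the file, e.g. `# RUNTIME_UID/RUNTIME_GID must be exported into the image environment (ENV), not only passed as build ARGs`.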

+ 1 - 1
contrib/docker/shared/docker-entrypoint.d/30-horizon.sh → contrib/docker/shared/docker-entrypoint.d/20-horizon.sh

@@ -3,4 +3,4 @@ set -o errexit -o nounset -o pipefail
 
 source /lib.sh
 
-as_www_user php artisan horizon:publish
+as_runtime_user php artisan horizon:publish

+ 5 - 5
contrib/docker/shared/docker-entrypoint.d/20-cache.sh → contrib/docker/shared/docker-entrypoint.d/30-cache.sh

@@ -3,11 +3,11 @@ set -o errexit -o nounset -o pipefail
 
 source /lib.sh
 
-entrypoint_log "==> config:cache"
-as_www_user php artisan config:cache
-
 entrypoint_log "==> route:cache"
-as_www_user php artisan route:cache
+as_runtime_user php artisan route:cache
 
 entrypoint_log "==> view:cache"
-as_www_user php artisan view:cache
+as_runtime_user php artisan view:cache
+
+entrypoint_log "==> config:cache"
+as_runtime_user php artisan config:cache
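Review bot: Moving `config:cache` from the first step to the last is a behavioral change that the commit title (don't hardcode UID/GID for runtime) does not cover, and nothing in the file explains why the order now matters; the rename that swaps the 20/30 prefixes with the horizon script likewise changes the order in which the entrypoint steps run. Add a comment above the final block, e.g. `# config:cache intentionally runs last — presumably the earlier artisan steps must see the uncached configuration; confirm before reordering`, or split the reordering into its own commit so the reason is recorded.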

+ 2 - 2
contrib/docker/shared/lib.sh

@@ -8,6 +8,6 @@ function entrypoint_log() {
     fi
 }
 
-function as_www_user() {
-	su --preserve-environment www-data --shell /bin/bash --command "${*}"
+function as_runtime_user() {
+    su --preserve-environment ${RUNTIME_UID} --shell /bin/bash --command "${*}"
 }
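Review bot: `su --preserve-environment ${RUNTIME_UID} ...` hands `su` a bare numeric ID where the old code passed the account name `www-data`; `su` resolves its argument through the passwd database, and whether a plain UID is accepted depends on the `su` implementation in the base image, so this should be verified on the image actually built (an account literally named `33` is unlikely to exist). Independently of that, `su` takes the group from the resolved account's passwd entry, so `RUNTIME_GID` is never honored by this helper even though the Dockerfile and `10-storage.sh` now use it. If util-linux `setpriv` is available in the image, `setpriv --reuid="${RUNTIME_UID}" --regid="${RUNTIME_GID}" --clear-groups /bin/bash -c "${*}"` applies both IDs directly and leaves the environment untouched, which is what `--preserve-environment` was providing.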