SPDT
/
sapl
mirror of https://github.com/interlegis/sapl.git
5
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

Fix read-only mount on k8s
continuous-integration/drone/push Build is passing
Details

pull/3801/head
Edward Ribeiro 1 month ago
parent
10691ac6f6
commit
e5a8a851bd
3 changed files with 21 additions and 12 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      docker/Dockerfile
  2. 10
      docker/docker-compose.yaml
  3. 21
      docker/startup_scripts/start.sh

2
docker/Dockerfile
View File

@ -62,7 +62,7 @@ RUN set -eux; \
# Usuários/grupos (idempotente) # Usuários/grupos (idempotente)
RUN useradd --system --no-create-home --shell /usr/sbin/nologin sapl || true \ RUN useradd --system --no-create-home --shell /usr/sbin/nologin sapl || true \
&& groupadd -r nginx || true \ && groupadd -g 101 -r nginx || true \
&& usermod -aG nginx www-data || true \ && usermod -aG nginx www-data || true \
&& usermod -aG nginx sapl || true && usermod -aG nginx sapl || true

10
docker/docker-compose.yaml
View File

@ -33,11 +33,11 @@ services:
networks: networks:
- sapl-net - sapl-net
sapl: sapl:
image: interlegis/sapl:3.1.164-RC2 # image: eribeiro/sapl:debug-k8s
# build: build:
# context: ../ context: ../
# dockerfile: ./docker/Dockerfile dockerfile: ./docker/Dockerfile
# container_name: sapl container_name: sapl
labels: labels:
NAME: "sapl" NAME: "sapl"
restart: always restart: always

21
docker/startup_scripts/start.sh
View File

@ -2,12 +2,24 @@
set -Eeuo pipefail set -Eeuo pipefail
IFS=$'\n\t' IFS=$'\n\t'
APP_DIR="/var/interlegis/sapl"
DATA_DIR="/var/interlegis/sapl/data" DATA_DIR="/var/interlegis/sapl/data"
APP_DIR="/var/interlegis/sapl/sapl" MEDIA_DIR="/var/interlegis/sapl/media"
RUN_DIR="/var/interlegis/sapl/run"
GUNICORN_DIR="/run/gunicorn"
ENV_FILE="$APP_DIR/.env" ENV_FILE="$APP_DIR/.env"
SECRET_FILE="$DATA_DIR/secret.key" SECRET_FILE="$DATA_DIR/secret.key"
mkdir -p "$DATA_DIR" "$APP_DIR" chown -R root:nginx "$RUN_DIR" || true
chown -R root:nginx "$MEDIA_DIR" || true
chown -R root:nginx "$GUNICORN_DIR" || true
chmod -R g+rwX "$RUN_DIR" || true
chmod -R g+rwX "$MEDIA_DIR" || true
chmod -R g+rwX "$GUNICORN_DIR" || true
# setgid bit on our writable trees (not data/)
find "$RUN_DIR" "$MEDIA_DIR" -type d -exec chmod g+s {} + 2>/dev/null || true
log() { printf '[%s] %s\n' "$(date -Is)" "$*"; } log() { printf '[%s] %s\n' "$(date -Is)" "$*"; }
err() { printf '[%s] ERROR: %s\n' "$(date -Is)" "$*" >&2; } err() { printf '[%s] ERROR: %s\n' "$(date -Is)" "$*" >&2; }
@ -76,7 +88,6 @@ create_secret() {
SECRET_KEY="$(python3 genkey.py)" SECRET_KEY="$(python3 genkey.py)"
umask 177 umask 177
printf '%s\n' "$SECRET_KEY" > "$SECRET_FILE" printf '%s\n' "$SECRET_KEY" > "$SECRET_FILE"
chmod 600 "$SECRET_FILE"
fi fi
export SECRET_KEY export SECRET_KEY
} }
@ -225,9 +236,7 @@ fix_logging_and_socket_perms() {
# dirs # dirs
mkdir -p "$APP_DIR/run" mkdir -p "$APP_DIR/run"
chown -R root:nginx "$APP_DIR" chmod 2775 "$APP_DIR/run"
chmod 2775 "$APP_DIR" "$APP_DIR/run"
chmod -R g+rwX "$APP_DIR"
# new files/sockets → 660 # new files/sockets → 660
umask 0007 umask 0007

Write Preview
Loading…
Cancel
Save