FIX: Ensure USER has permissions for chmod in Dockerfile #26
Conversation
Tests are needed in general (c.f. Issue #15), but if people would like this in sooner to fix things then a simple local test is

$ docker build -f Dockerfile -t scientific-python/upload-nightly-action:debug .
$ docker run --rm -ti --env INPUT_ANACONDA_NIGHTLY_UPLOAD_TOKEN="fail" --env INPUT_ARTIFACTS_PATH="." scientific-python/upload-nightly-action:debug

which will run all the way through until it correctly errors on upload-nightly-action/entrypoint.sh (lines 46 to 49 in e09d83f) for not being able to upload.
RUN chmod +x /entrypoint.sh | ||
|
||
ENTRYPOINT ["/entrypoint.sh"] | ||
ENTRYPOINT [ "/usr/local/bin/_entrypoint.sh" ] |
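Review bot: once ENTRYPOINT points at the base image's /usr/local/bin/_entrypoint.sh, nothing in this hunk invokes /entrypoint.sh any more, so the CMD ["/entrypoint.sh"] line that the PR description relies on should sit directly below the new ENTRYPOINT and be visible here. The RUN chmod +x /entrypoint.sh context line also only works because the preceding COPY hands the file to the non-root mambauser (the --chown the description mentions); a one-line comment above the chmod saying it runs unprivileged and depends on that ownership would save the next reader the same confusion.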
I read your PR description, but am still fuzzy on what is happening in these two lines. Maybe a comment would help?
Sure! I'll do that this evening when I get time.
I think the confusion is calling ours entrypoint as well; it really is the command we execute AFTER entrypoint, so we can just give it a logical name that describes what it does?
But, this is already way better, so we could merge this, perhaps with a note to explain the distinction between ENTRYPOINT and CMD.
I.e. we use entrypoint to set env variables, and the cmd does whatever action we wish to execute.
* For security reasons the default user in mambaorg/micromamba:1.4.9-bullseye-slim is non-root with uid 1000 (mambauser) but this requires the user permissions to be escalated to one with chmod powers. The simplest way to do this is to chown to mambauser on COPY.
* To ensure that the micromamba environment is setup correctly on entry fallback to the mambaorg/micromamba's base image ENTRYPOINT and set this action's /entrypoint.sh as CMD.
  - c.f. https://github.com/mamba-org/micromamba-docker/blob/604ebafb09543a3d852e437886f1c782f0367911/_entrypoint.sh
Dockerfile
# The mambaorg/micromamba base image's entrypoint is | ||
# /usr/local/bin/_entrypoint.sh which ensures the shell environment is | ||
# correctly set for micromamba to be accessible by the given user. | ||
# c.f. https://github.com/mamba-org/micromamba-docker/blob/604ebafb09543a3d852e437886f1c782f0367911/_entrypoint.sh | ||
# Instead of replicating this, continue to use it as the ENTRYPOINT | ||
# and then pass the action's entrypoint as CMD. |
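Review bot: the last line of the comment still calls the script "the action's entrypoint" while explaining that it is passed as CMD, which is exactly the naming overlap raised in review. Name the file for its role (the follow-up commit's cmd.sh) and reduce the comment to the one distinction that matters: the base image's ENTRYPOINT prepares the micromamba shell environment for the non-root user, and CMD is the action that runs inside it.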
@stefanv Let me know if this is helpful or still opaque. I'm happy to revise this!
* As the action is relying on the mambaorg/micromamba container's entrypoint to setup the shell environment correctly let this be clearly the ENTRYPOINT and rename the action's entrypoint script to cmd.sh as it is being passed as CMD.
Thanks, @matthewfeickert!
Resolves #25
For security reasons the default user in mambaorg/micromamba:1.4.9-bullseye-slim is non-root with uid 1000 (mambauser) but this requires the user permissions to be escalated to one with chmod powers. The simplest way to do this is to chown to mambauser on COPY.

To ensure that the micromamba environment is setup correctly on entry fallback to the mambaorg/micromamba's ENTRYPOINT and set the /entrypoint.sh as CMD.
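The arrangement the description lays out, written up as an added example Dockerfile that is not the project's own; it assumes a local entrypoint.sh to copy in, and that the base image exports its non-root user name as $MAMBA_USER (the mambauser of the description).

```dockerfile
# Added example, not the upload-nightly-action Dockerfile: the ownership fix
# and the ENTRYPOINT/CMD split from the PR, with the failing variant kept as
# comments so the two can be compared.
FROM mambaorg/micromamba:1.4.9-bullseye-slim

# The base image already runs as a non-root user (mambauser, uid 1000 in this
# tag). Assumption: it exposes that user name to later instructions as
# $MAMBA_USER, so no uid or name is hard-coded here.

# FAILING variant: COPY creates the file root-owned, so the unprivileged chmod
# that follows is refused ("Operation not permitted") and the build stops.
#   COPY entrypoint.sh /entrypoint.sh
#   RUN chmod +x /entrypoint.sh

# Working variant: hand the file to the build user at COPY time. The chmod is
# then on a file the user owns, and no escalation to root is needed at all.
COPY --chown=$MAMBA_USER:$MAMBA_USER entrypoint.sh /cmd.sh
RUN chmod +x /cmd.sh

# Keep the base image's own entrypoint, which prepares the micromamba shell
# environment for the current user, and pass the action's script as CMD.
# Docker appends CMD as arguments to ENTRYPOINT, so the action runs inside
# the prepared environment instead of replacing the setup step.
ENTRYPOINT [ "/usr/local/bin/_entrypoint.sh" ]
CMD [ "/cmd.sh" ]
```

Building the commented-out variant reproduces the chmod failure this PR fixes; the active lines build and run as the non-root user throughout.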