From ce76f976b2b27d41b59bdcb533a4bccedb05cf57 Mon Sep 17 00:00:00 2001 From: Joe Corall Date: Tue, 13 Jan 2026 20:19:24 -0500 Subject: [PATCH 1/6] Revert "Remove UID hack (#519)" This reverts commit 76819b554fa581258b511abc363dc4d6baeb560b. --- base/Dockerfile | 6 ++++-- base/README.md | 10 ++++++++++ .../dependencies.d/development-environment | 0 .../dependencies.d/container-environment | 0 .../s6-rc.d/development-environment/type | 1 + .../s6-rc.d/development-environment/up | 2 ++ .../dependencies.d/development-environment | 0 .../scripts/development-environment.sh | 19 +++++++++++++++++++ 8 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 drupal/rootfs/etc/s6-overlay/s6-rc.d/confd-oneshot/dependencies.d/development-environment create mode 100644 drupal/rootfs/etc/s6-overlay/s6-rc.d/development-environment/dependencies.d/container-environment create mode 100644 drupal/rootfs/etc/s6-overlay/s6-rc.d/development-environment/type create mode 100755 drupal/rootfs/etc/s6-overlay/s6-rc.d/development-environment/up create mode 100644 drupal/rootfs/etc/s6-overlay/s6-rc.d/ready/dependencies.d/development-environment create mode 100755 drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh diff --git a/base/Dockerfile b/base/Dockerfile index e94cfb14..c9b21c24 100644 --- a/base/Dockerfile +++ b/base/Dockerfile @@ -40,7 +40,7 @@ ARG \ MARIADB_CLIENT_VERSION=11.4.8-r0 \ # renovate: datasource=repology depName=alpine_3_22/mysql-client MYSQL_CLIENT_VERSION=11.4.8-r0 \ - # renovate: datasource=repology depName=alpine_3_22/netcat-openbsd + # renovate: datasource=repology depName=alpine_3_22/netcat-openbsd NETCAT_OPENBSD_VERSION=1.229.1-r0 \ # renovate: datasource=repology depName=alpine_3_22/openssl OPENSSL_VERSION=3.5.4-r0 \ @@ -161,7 +161,9 @@ ENV \ DB_ROOT_PASSWORD=password \ DB_ROOT_USER=root \ DB_USER=default \ - JWT_ADMIN_TOKEN=islandora + DEVELOPMENT_ENVIRONMENT=false \ + JWT_ADMIN_TOKEN=islandora \ + UID= COPY --link rootfs / 
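Review bot: The new `UID=` default in the `ENV` block reuses the name of a variable that bash maintains itself (the real user id, normally readonly), and the development-environment.sh script added by this patch runs under bash. What `${UID}` expands to there depends on the empty value actually reaching the shell through the environment; if it does not, the `-n "${UID}"` test would presumably see the container's own uid rather than an empty string. I would confirm the behaviour with `DEVELOPMENT_ENVIRONMENT=true` and no `UID` supplied, and record the intent next to the default, e.g. `# UID: host uid for bind mounts; empty disables remapping (same name as bash's own UID variable)`. The `ENV` instruction starts above the hunk.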
diff --git a/base/README.md b/base/README.md index f3361db2..68c34327 100644 --- a/base/README.md +++ b/base/README.md @@ -122,6 +122,16 @@ and `DB_MYSQL_PORT` variables will be used when connecting to the backend. > `FCREPO_DB_NAME`. This is to allow for different settings on a per-service > basis when sharing the same confd backend. +### Development Settings + +When doing development with the containers it is sometimes useful to remap the +`uid` of users in the container to match that of the host user to prevent +permission denied errors when bind mounting files. + +| Environment Variable | Default | Description | +| :---------------------- | :------ | :-------------------------------------------------------------------------------------------------------------------------------- | +| DEVELOPMENT_ENVIRONMENT | false | Set to `true` if using the containers for development, runs start up scripts to remap `uid` of users inside of the container etc. | +| UID | | The `uid` of the host user | [Alpine Linux]: https://alpinelinux.org [bearer authentication]: https://tools.ietf.org/html/rfc6750 diff --git a/drupal/rootfs/etc/s6-overlay/s6-rc.d/confd-oneshot/dependencies.d/development-environment b/drupal/rootfs/etc/s6-overlay/s6-rc.d/confd-oneshot/dependencies.d/development-environment new file mode 100644 index 00000000..e69de29b diff --git a/drupal/rootfs/etc/s6-overlay/s6-rc.d/development-environment/dependencies.d/container-environment b/drupal/rootfs/etc/s6-overlay/s6-rc.d/development-environment/dependencies.d/container-environment new file mode 100644 index 00000000..e69de29b diff --git a/drupal/rootfs/etc/s6-overlay/s6-rc.d/development-environment/type b/drupal/rootfs/etc/s6-overlay/s6-rc.d/development-environment/type new file mode 100644 index 00000000..bdd22a18 --- /dev/null +++ b/drupal/rootfs/etc/s6-overlay/s6-rc.d/development-environment/type @@ -0,0 +1 @@ +oneshot 
diff --git a/drupal/rootfs/etc/s6-overlay/s6-rc.d/development-environment/up b/drupal/rootfs/etc/s6-overlay/s6-rc.d/development-environment/up new file mode 100755 index 00000000..3667cac5 --- /dev/null +++ b/drupal/rootfs/etc/s6-overlay/s6-rc.d/development-environment/up @@ -0,0 +1,2 @@ +# Change uid of nginx user to match host. +/etc/s6-overlay/scripts/development-environment.sh diff --git a/drupal/rootfs/etc/s6-overlay/s6-rc.d/ready/dependencies.d/development-environment b/drupal/rootfs/etc/s6-overlay/s6-rc.d/ready/dependencies.d/development-environment new file mode 100644 index 00000000..e69de29b diff --git a/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh b/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh new file mode 100755 index 00000000..71965d8c --- /dev/null +++ b/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh @@ -0,0 +1,19 @@ +#!/command/with-contenv bash +# shellcheck shell=bash +set -e + +# UID should only be set in the development environments. +if [[ "${DEVELOPMENT_ENVIRONMENT}" == "true" ]]; then + if [[ -n "${UID}" ]]; then + if ! getent passwd ${UID}; then + usermod -u ${UID} nginx + fi + if [[ "$(stat -c %u /var/www/drupal)" != "${UID}" ]]; then + chown -R nginx:nginx /var/www + fi + fi +fi + +# always ensure nginx has access to the socket +chown -R nginx:nginx /run/php-fpm83 + From 043b407c7b15c771321d6edd6a1d0a3cbbaf6215 Mon Sep 17 00:00:00 2001 From: Joe Corall Date: Tue, 13 Jan 2026 20:25:21 -0500 Subject: [PATCH 2/6] move existing user if UID collides --- .../scripts/development-environment.sh | 30 +++++++++++++------ 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh b/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh index 71965d8c..fa966eea 100755 --- a/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh +++ b/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh 
@@ -3,15 +3,27 @@ set -e # UID should only be set in the development environments. -if [[ "${DEVELOPMENT_ENVIRONMENT}" == "true" ]]; then - if [[ -n "${UID}" ]]; then - if ! getent passwd ${UID}; then - usermod -u ${UID} nginx - fi - if [[ "$(stat -c %u /var/www/drupal)" != "${UID}" ]]; then - chown -R nginx:nginx /var/www - fi - fi +if [[ "${DEVELOPMENT_ENVIRONMENT}" != "true" ]]; then + exit 0 +fi +if [[ -z "${UID}" ]]; then + exit 0 +fi + +# Get the current user for this UID (if any) +EXISTING_USER=$(getent passwd ${UID} | cut -d: -f1) + +if [ -z "$EXISTING_USER" ]; then + # UID doesn't exist, safe to change nginx user + usermod -u ${UID} nginx +elif [ "$EXISTING_USER" != "nginx" ]; then + # UID exists but belongs to another user + usermod -u $((UID + 10000)) "$EXISTING_USER" + usermod -u ${UID} nginx +fi + +if [[ "$(stat -c %u /var/www/drupal)" != "${UID}" ]]; then + chown -R nginx:nginx /var/www/drupal fi # always ensure nginx has access to the socket From e8e1dd9028c3f7c48b1ca9ba2c57e652cd883886 Mon Sep 17 00:00:00 2001 From: Joe Corall Date: Tue, 13 Jan 2026 20:54:35 -0500 Subject: [PATCH 3/6] Improve user management in development environment script Updated usermod commands to handle existing users more safely and added error handling for getent. --- .../scripts/development-environment.sh | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh b/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh index fa966eea..c1b35aa5 100755 --- a/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh +++ b/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh 
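Review bot: The collision branch, `usermod -u $((UID + 10000)) "$EXISTING_USER"` followed by `usermod -u ${UID} nginx`, hands the displaced account's old numeric uid to nginx without re-owning that account's files. usermod typically re-owns only the home directory, so anything else the displaced account owned in the image would now belong to nginx, which widens what the web server user can read and write. Nothing checks that `UID + 10000` is itself unused either. I would log the move, e.g. `echo "uid ${UID} belongs to ${EXISTING_USER}; moving that account" >&2`, and stop with an error when the target uid is already taken.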
@@ -6,26 +6,29 @@ set -e if [[ "${DEVELOPMENT_ENVIRONMENT}" != "true" ]]; then exit 0 fi + if [[ -z "${UID}" ]]; then exit 0 fi -# Get the current user for this UID (if any) -EXISTING_USER=$(getent passwd ${UID} | cut -d: -f1) +# Get the current user for this UID (if any) - don't fail if not found +EXISTING_USER=$(getent passwd "${UID}" 2>/dev/null | cut -d: -f1 || true) if [ -z "$EXISTING_USER" ]; then # UID doesn't exist, safe to change nginx user - usermod -u ${UID} nginx + usermod -u "${UID}" nginx elif [ "$EXISTING_USER" != "nginx" ]; then # UID exists but belongs to another user - usermod -u $((UID + 10000)) "$EXISTING_USER" - usermod -u ${UID} nginx + # Move existing user out of the way + NEW_UID=$((UID + 10000)) + usermod -u "${NEW_UID}" "$EXISTING_USER" || true + usermod -u "${UID}" nginx fi +# Fix ownership if needed if [[ "$(stat -c %u /var/www/drupal)" != "${UID}" ]]; then chown -R nginx:nginx /var/www/drupal fi -# always ensure nginx has access to the socket +# Always ensure nginx has access to the socket chown -R nginx:nginx /run/php-fpm83 - From 363cbc1f4a1c26d64e6f5bcb35526bdddc70ab56 Mon Sep 17 00:00:00 2001 From: Joe Corall Date: Tue, 13 Jan 2026 21:03:18 -0500 Subject: [PATCH 4/6] Add UID sanitization in development environment script Sanitize UID input to ensure it contains only digits. --- .../rootfs/etc/s6-overlay/scripts/development-environment.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh b/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh index c1b35aa5..f5a56abb 100755 --- a/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh +++ b/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh 
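Review bot: `usermod -u "${NEW_UID}" "$EXISTING_USER" || true` discards the one failure that matters in this branch. If the move fails the uid is still taken, so the next line, `usermod -u "${UID}" nginx`, is presumably what aborts under `set -e`, with a message about nginx rather than about the account that could not be moved. Replacing the `|| true` with an explicit stop keeps the cause visible: `usermod -u "${NEW_UID}" "$EXISTING_USER" || { echo "cannot move ${EXISTING_USER} to uid ${NEW_UID}" >&2; exit 1; }`. The `|| true` after `cut` on the `getent` line looks harmless but redundant, since without `pipefail` the pipeline's status is already that of `cut`.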
@@ -11,6 +11,9 @@ if [[ -z "${UID}" ]]; then exit 0 fi +# ensure no new lines or other non-digits +UID=$(echo "${UID}" | tr -cd '0-9') + # Get the current user for this UID (if any) - don't fail if not found EXISTING_USER=$(getent passwd "${UID}" 2>/dev/null | cut -d: -f1 || true) From 79b515d6167585f8b435b93e7811a4be749e8e36 Mon Sep 17 00:00:00 2001 From: Joe Corall Date: Tue, 13 Jan 2026 21:04:20 -0500 Subject: [PATCH 5/6] Add check for UID being zero in script --- .../rootfs/etc/s6-overlay/scripts/development-environment.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh b/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh index f5a56abb..a5395ad9 100755 --- a/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh +++ b/drupal/rootfs/etc/s6-overlay/scripts/development-environment.sh @@ -14,6 +14,10 @@ fi # ensure no new lines or other non-digits UID=$(echo "${UID}" | tr -cd '0-9') +if [ "${UID}" = "0" ]; then + exit 0 +fi + # Get the current user for this UID (if any) - don't fail if not found EXISTING_USER=$(getent passwd "${UID}" 2>/dev/null | cut -d: -f1 || true) From 64c4f6c3f84bf636b63b57ffc447fd45cd7327ce Mon Sep 17 00:00:00 2001 From: Joe Corall Date: Tue, 13 Jan 2026 21:39:02 -0500 Subject: [PATCH 6/6] Update base/Dockerfile --- base/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/Dockerfile b/base/Dockerfile index c9b21c24..84763dae 100644 --- a/base/Dockerfile +++ b/base/Dockerfile @@ -40,7 +40,7 @@ ARG \ MARIADB_CLIENT_VERSION=11.4.8-r0 \ # renovate: datasource=repology depName=alpine_3_22/mysql-client MYSQL_CLIENT_VERSION=11.4.8-r0 \ - # renovate: datasource=repology depName=alpine_3_22/netcat-openbsd + # renovate: datasource=repology depName=alpine_3_22/netcat-openbsd NETCAT_OPENBSD_VERSION=1.229.1-r0 \ # renovate: datasource=repology depName=alpine_3_22/openssl OPENSSL_VERSION=3.5.4-r0 \
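Review bot: `UID=$(echo "${UID}" | tr -cd '0-9')` rewrites a malformed value instead of rejecting it, so `-1` becomes `1` and `1000:1000` becomes `10001000`. A value with no digits becomes empty after the `-z` check has already passed. The empty case reaches `usermod -u "" nginx`, and the rewritten cases remap nginx to a uid nobody asked for. Validating and stopping is safer than stripping: `[[ "${UID}" =~ ^[0-9]+$ ]] || { echo "UID must be numeric, got '${UID}'" >&2; exit 1; }`. If a trailing newline is the real concern, trim whitespace first and then validate.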
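Review bot: The guard `[ "${UID}" = "0" ]` compares strings, so `00` or `000` survives the digit filter above and passes this check. It is presumably still uid 0 to `getent` and `usermod -u`, which is the mapping the check exists to prevent. A leading zero also makes `$((UID + 10000))` read the value as octal, so `010` would move the colliding account to 10008 and `08` is an arithmetic error. Requiring a canonical positive decimal covers zero, leading zeros and the empty string in one test: `[[ "${UID}" =~ ^[1-9][0-9]*$ ]] || exit 0`. The script body continues outside the hunk.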