From 07675aa477e8f9adbbe3198ec9c631f2d7898cff Mon Sep 17 00:00:00 2001
From: Will Holley
Date: Wed, 14 Aug 2019 09:49:36 +0100
Subject: [PATCH] address review comments
---
 2.3.1/Dockerfile | 56 ++++++++++++++++++++++++++----------------------
 1 file changed, 30 insertions(+), 26 deletions(-)
diff --git a/2.3.1/Dockerfile b/2.3.1/Dockerfile
index d653d11..f746837 100644
--- a/2.3.1/Dockerfile
+++ b/2.3.1/Dockerfile
@@ -33,17 +33,17 @@ RUN set -ex; \
 ENV GOSU_VERSION 1.11
 ENV TINI_VERSION 0.18.0
 RUN set -ex; \
- \
- apt-get update; \
- apt-get install -y --no-install-recommends wget; \
- rm -rf /var/lib/apt/lists/*; \
- \
- dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
- \
+ \
+ apt-get update; \
+ apt-get install -y --no-install-recommends wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ \
 # install gosu
- wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-$dpkgArch"; \
- wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
- export GNUPGHOME="$(mktemp -d)"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
 echo "disable-ipv6" >> ${GNUPGHOME}/dirmngr.conf; \
 for server in $(shuf -e pgpkeys.mit.edu \
 ha.pool.sks-keyservers.net \
@@ -51,15 +51,15 @@ RUN set -ex; \ pgp.mit.edu) ; do \ gpg --batch --keyserver $server --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \ done; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - chmod +x /usr/local/bin/gosu; \ - gosu nobody true; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + chmod +x /usr/local/bin/gosu; \ + gosu nobody true; \ \ # install tini - wget -O /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$dpkgArch"; \ - wget -O /usr/local/bin/tini.asc "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$dpkgArch.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ + wget -O /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$dpkgArch"; \ + wget -O /usr/local/bin/tini.asc "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$dpkgArch.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ echo "disable-ipv6" >> ${GNUPGHOME}/dirmngr.conf; \ for server in $(shuf -e pgpkeys.mit.edu \ ha.pool.sks-keyservers.net \ @@ -67,11 +67,11 @@ RUN set -ex; \ pgp.mit.edu) ; do \ gpg --batch --keyserver $server --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && break || : ; \ done; \ - gpg --batch --verify /usr/local/bin/tini.asc /usr/local/bin/tini; \ - rm -rf "$GNUPGHOME" /usr/local/bin/tini.asc; \ - chmod +x /usr/local/bin/tini; \ + gpg --batch --verify /usr/local/bin/tini.asc /usr/local/bin/tini; \ + rm -rf "$GNUPGHOME" /usr/local/bin/tini.asc; \ + chmod +x /usr/local/bin/tini; \ apt-get purge -y --auto-remove wget; \ - tini --version + tini --version # http://docs.couchdb.org/en/latest/install/unix.html#installing-the-apache-couchdb-packages ENV GPG_COUCH_KEY \ 
@@ -121,12 +121,16 @@ COPY docker-entrypoint.sh /usr/local/bin RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards compat ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"] + +RUN set -xe; \ +# Check we own everything in /opt/couchdb. Matches the command in dockerfile_entrypoint.sh + find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +; \ # Setup directories and permissions for config. Technically these could be 555 and 444 respectively -# but we keep them as 755 and 644 for consistency with CouchDB defaults and the dockerfile_entrypoint. -RUN find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +; \ - find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +; \ - # only local.d needs to be writable for the docker_entrypoint.sh - chmod -f 0777 /opt/couchdb/etc/local.d +# but we keep them as 755 and 644 for consistency with CouchDB defaults and the dockerfile_entrypoint.sh. + find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +; \ + find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +; \ +# only local.d needs to be writable for the docker_entrypoint.sh + chmod -f 0777 /opt/couchdb/etc/local.d VOLUME /opt/couchdb/data
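Review bot: `chmod -f 0777 /opt/couchdb/etc/local.d` at the end of the new `RUN set -xe` block leaves the configuration drop-in directory world-writable, so any account or process inside the container can add or replace files in it; that should be either tightened or justified in the comment. The `find /opt/couchdb … -exec chown -f couchdb:couchdb` step added just above already hands the tree to couchdb, so `chmod -f 0755 /opt/couchdb/etc/local.d` may well be sufficient; whether it is depends on which user the entrypoint writes as, which this hunk does not show. If 0777 is kept so the image can run under an arbitrary UID, say so explicitly, e.g. `# local.d stays world-writable so docker-entrypoint.sh can write config when the container runs as a non-couchdb user`. The comments in this block also call the script `dockerfile_entrypoint.sh` and `docker_entrypoint.sh`, while the COPY line in the same hunk shows `docker-entrypoint.sh`; use that one name throughout.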