Allow running as arbitrary uid

 * Adds guards around entrypoints commands that require root
 * Broaden permissions within the container filesystem to allow
   access by non-couchdb users.
 * Added an example to the documentation which specifies `--user`.

2.3.1/Dockerfile

@@ -121,8 +121,13 @@ COPY docker-entrypoint.sh /usr/local/bin
 RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards compat
 ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]
 
-# Setup directories and permissions
-RUN find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +
+# Setup directories and permissions for config. Technically these could be 555 and 444 respectively
+# but we keep them as 755 and 644 for consistency with CouchDB defaults and the dockerfile_entrypoint.
+RUN find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +; \
+    find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +; \
+    # only local.d needs to be writable for the docker_entrypoint.sh
+    chmod -f 0777 /opt/couchdb/etc/local.d
+
 VOLUME /opt/couchdb/data
 
 # 5984: Main CouchDB endpoint

2.3.1/docker-entrypoint.sh

@@ -25,36 +25,44 @@ if [ "$1" = 'couchdb' ]; then
 fi
 
 if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
-	# Check that we own everything in /opt/couchdb and fix if necessary. We also
-	# add the `-f` flag in all the following invocations because there may be
-	# cases where some of these ownership and permissions issues are non-fatal
-	# (e.g. a config file owned by root with o+r is actually fine), and we don't
-	# to be too aggressive about crashing here ...
-	find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +
+	# this is where runtime configuration changes will be written.
+	# we need to explicitly touch it here in case /opt/couchdb/etc has
+	# been mounted as an external volume, in which case it won't exist.
+	# If running as the couchdb user (i.e. container starts as root),
+	# write permissions will be granted below.
+	touch /opt/couchdb/etc/local.d/docker.ini
+
+	# if user is root, assume running under the couchdb user (default)
+	# and ensure it is able to access files and directories that may be mounted externally
+	if [ "$(id -u)" = '0' ]; then
+		# Check that we own everything in /opt/couchdb and fix if necessary. We also
+		# add the `-f` flag in all the following invocations because there may be
+		# cases where some of these ownership and permissions issues are non-fatal
+		# (e.g. a config file owned by root with o+r is actually fine), and we don't
+		# to be too aggressive about crashing here ...
+		find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +
 
-	# Ensure that data files have the correct permissions. We were previously
-	# preventing any access to these files outside of couchdb:couchdb, but it
-	# turns out that CouchDB itself does not set such restrictive permissions
-	# when it creates the files. The approach taken here ensures that the
-	# contents of the datadir have the same permissions as they had when they
-	# were initially created. This should minimize any startup delay.
-	find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
-	find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
+		# Ensure that data files have the correct permissions. We were previously
+		# preventing any access to these files outside of couchdb:couchdb, but it
+		# turns out that CouchDB itself does not set such restrictive permissions
+		# when it creates the files. The approach taken here ensures that the
+		# contents of the datadir have the same permissions as they had when they
+		# were initially created. This should minimize any startup delay.
+		find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
+		find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
 
-	# Do the same thing for configuration files and directories. Technically
-	# CouchDB only needs read access to the configuration files as all online
-	# changes will be applied to the "docker.ini" file below, but we set 644
-	# for the sake of consistency.
-	find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
-	find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
+		# Do the same thing for configuration files and directories. Technically
+		# CouchDB only needs read access to the configuration files as all online
+		# changes will be applied to the "docker.ini" file below, but we set 644
+		# for the sake of consistency.
+		find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
+		find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
+	fi
 
 	if [ ! -z "$NODENAME" ] && ! grep "couchdb@" /opt/couchdb/etc/vm.args; then
 		echo "-name couchdb@$NODENAME" >> /opt/couchdb/etc/vm.args
 	fi
 
-	# Ensure that CouchDB will write custom settings in this file
-	touch /opt/couchdb/etc/local.d/docker.ini
-
 	if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then
 		# Create admin only if not already present
 		if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini; then
@@ -69,7 +77,9 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
 		fi
 	fi
 
-	chown -f couchdb:couchdb /opt/couchdb/etc/local.d/docker.ini || true
+	if [ "$(id -u)" = '0' ]; then
+		chown -f couchdb:couchdb /opt/couchdb/etc/local.d/docker.ini || true
+	fi
 
 	# if we don't find an [admins] section followed by a non-comment, display a warning
         if ! grep -Pzoqr '\[admins\]\n[^;]\w+' /opt/couchdb/etc/default.d/*.ini /opt/couchdb/etc/local.d/*.ini; then
@@ -88,8 +98,9 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
 		EOWARN
 	fi
 
-
-	exec gosu couchdb "$@"
+	if [ "$(id -u)" = '0' ]; then
+		exec gosu couchdb "$@"
+	fi
 fi
 
 exec "$@"

README.md

@@ -170,6 +170,15 @@ file = /opt/couchdb/log/couch.log
 
 It is recommended to then mount this path to a directory on the host, as CouchDB logging can be quite voluminous.
 
+## Running under a custom UID
+
+By default, CouchDB will run as the `couchdb` user with UID 5984. Running under a different UID is supported, so long as any volume mounts have appropriate read/write permissions. For example, assuming user `myuser` has write access to `/home/couchdb/data`, the following command will run CouchDB as that user:
+
+```
+docker run --name my-couchdb --user myuser -v /home/couchdb/data:/opt/couchdb/data %%IMAGE%%:tag
+```
+
+
 -----
 
 # Development images