docker: Automatically fix permissions

Dockerfile

@@ -13,10 +13,6 @@ EXPOSE 4002/udp
 EXPOSE 5001
 EXPOSE 8080
 
-# Volume for mounting an IPFS fs-repo
-# This is moved to the bottom for technical reasons.
-#VOLUME $IPFS_PATH
-
 # IPFS API to use for fetching gx packages.
 # This can be a gateway too, since its read-only API provides all gx needs.
 # - e.g. /ip4/172.17.0.1/tcp/8080 if the Docker host
@@ -33,14 +29,17 @@ ENV GOPATH     /go
 ENV PATH       /go/bin:$PATH
 ENV SRC_PATH   /go/src/github.com/ipfs/go-ipfs
 
+# Expose the fs-repo as a volume.
+# start_ipfs initializes an fs-repo if none is mounted
+VOLUME $IPFS_PATH
+
 # Get the go-ipfs sourcecode
 COPY . $SRC_PATH
 
-RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
-	# Setup user and fs-repo directory
-	&& mkdir -p $IPFS_PATH \
+RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
+	&& apk add --no-cache tini su-exec bash wget ca-certificates \
+	# Setup user
 	&& adduser -D -h $IPFS_PATH -u 1000 ipfs \
-	&& chown ipfs:ipfs $IPFS_PATH && chmod 755 $IPFS_PATH \
 	# Install gx
 	&& go get -u github.com/whyrusleeping/gx \
 	&& go get -u github.com/whyrusleeping/gx-go \
@@ -58,22 +57,12 @@ RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
 	&& cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
 	&& chmod 755 /usr/local/bin/start_ipfs \
 	# Remove all build-time dependencies
-	&& apk del --purge musl-dev gcc go git && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
-
-# Call uid 1000 "ipfs"
-USER ipfs
-
-# Expose the fs-repo as a volume.
-# We're doing this down here (and not at the top),
-# so that the overlay directory is owned by the ipfs user.
-# start_ipfs initializes an ephemeral fs-repo if none is mounted,
-# which is why uid=1000 needs write permissions there.
-VOLUME $IPFS_PATH
+	&& apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
 
 # This just makes sure that:
 # 1. There's an fs-repo, and initializes one if there isn't.
 # 2. The API and Gateway are accessible from outside the container.
-ENTRYPOINT ["/usr/local/bin/start_ipfs"]
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]
 
 # Execute the daemon subcommand by default
 CMD ["daemon", "--migrate=true"]

Dockerfile.fast

@@ -19,6 +19,8 @@ ENV GOPATH     /go
 ENV PATH       /go/bin:$PATH
 ENV SRC_PATH   /go/src/github.com/ipfs/go-ipfs
 
+VOLUME $IPFS_PATH
+
 # This is an optimization which avoids rebuilding
 # of the gx dependencies every time anything changes.
 # gx will only be invoked if the dependencies have changed.
@@ -28,10 +30,9 @@ ENV SRC_PATH   /go/src/github.com/ipfs/go-ipfs
 # and trigger a re-run of all following commands.
 COPY ./package.json $SRC_PATH/package.json
 
-RUN apk add --update musl-dev gcc go git bash wget ca-certificates \
-	&& mkdir -p $IPFS_PATH \
+RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
+	&& apk add --no-cache tini su-exec bash wget ca-certificates \
 	&& adduser -D -h $IPFS_PATH -u 1000 ipfs \
-	&& chown ipfs:ipfs $IPFS_PATH && chmod 755 $IPFS_PATH \
 	&& go get -u github.com/whyrusleeping/gx \
 	&& go get -u github.com/whyrusleeping/gx-go \
 	&& ([ -z "$GX_IPFS" ] || echo $GX_IPFS > $IPFS_PATH/api) \
@@ -48,9 +49,7 @@ RUN cd $SRC_PATH \
 	&& cp ipfs /usr/local/bin/ipfs \
 	&& cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
 	&& chmod 755 /usr/local/bin/start_ipfs \
-	&& apk del --purge musl-dev gcc go git && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
+	&& apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
 
-USER ipfs
-VOLUME $IPFS_PATH
-ENTRYPOINT ["/usr/local/bin/start_ipfs"]
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]
 CMD ["daemon", "--migrate=true"]

README.md

@@ -237,11 +237,6 @@ IPFS files that will persist when you restart the container.
     export ipfs_staging=</absolute/path/to/somewhere/>
     export ipfs_data=</absolute/path/to/somewhere_else/>
 
-Make sure docker can access these folders:
-
-    sudo chmod -R 777 /absolute/path/to/somewhere/
-    sudo chmod -R 777 /absolute/path/to/somewhere_else/
-
 Start a container running ipfs and expose ports 4001, 5001 and 8080:
 
     docker run -d --name ipfs_host -v $ipfs_staging:/export -v $ipfs_data:/data/ipfs -p 8080:8080 -p 4001:4001 -p 5001:5001 ipfs/go-ipfs:latest

bin/container_daemon

@@ -1,14 +1,16 @@
 #!/bin/sh
-
-user=$(whoami)
+set -e
+user=ipfs
 repo="$IPFS_PATH"
 
-# Test whether the mounted directory is writable for us
-if [ ! -w "$repo" 2>/dev/null ]; then
-  echo "error: $repo is not writable for user $user (uid=$(id -u $user))"
-  exit 1
+if [ `id -u` -eq 0 ]; then
+  # ensure folder is writable
+  su-exec "$user" test -w "$repo" || chown -R -- "$user" "$repo"
+  # restart script with new privileges
+  exec su-exec "$user" "$0" "$@"
 fi
 
+# 2nd invocation with regular user
 ipfs version
 
 if [ -e "$repo/config" ]; then