feat: get host uid:gid and use in docker

- Grab the uid:gid of the repo root in docker
- Use that for the node user we run as in the container
- Check owner of all volume mounts, if not OK, fix them
- this should avoid permission errors on linux
- provide bin/fix-volumes to fix owner issues ad hoc

Signed-off-by: Peter Lyons <pete@reactioncommerce.com>

.reaction/entrypoint.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Please Use Google Shell Style: https://google.github.io/styleguide/shell.xml
+
+# ---- Start unofficial bash strict mode boilerplate
+# http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -o errexit  # always exit on error
+set -o errtrace # trap errors in functions as well
+set -o pipefail # don't ignore exit codes when piping output
+set -o posix    # more strict failures in subshells
+# set -x          # enable debugging
+
+IFS=$'\n\t'
+# ---- End unofficial bash strict mode boilerplate
+
+cd "$(dirname "${BASH_SOURCE[0]}")/.."
+# change the node user's uid:gid to match the repo root directory's
+usermod --uid "$(stat -c "%u" .)" --non-unique node |& grep -v "no changes" || true
+./.reaction/fix-volumes.sh
+command=("./bin/start")
+if [[ $# -gt 0 ]]; then
+  command=($@)
+fi
+unset IFS
+exec su-exec node ${command[*]}

.reaction/fix-volumes.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Please Use Google Shell Style: https://google.github.io/styleguide/shell.xml
+
+# ---- Start unofficial bash strict mode boilerplate
+# http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -o errexit  # always exit on error
+set -o errtrace # trap errors in functions as well
+set -o pipefail # don't ignore exit codes when piping output
+set -o posix    # more strict failures in subshells
+# set -x          # enable debugging
+
+IFS=$'\n\t'
+# ---- End unofficial bash strict mode boilerplate
+
+cd "$(dirname "${BASH_SOURCE[0]}")/.."
+owner=$(stat -c "%u:%g" .)
+volumes=(
+  ../node_modules
+  ./node_modules
+  ./build
+  /home/node/.cache/yarn
+  /home/node/.cache/yarn-offline-mirror
+)
+for dir in ${volumes[*]}; do
+  mkdir -p "${dir}"
+  old_owner=$(stat -c "%u:%g" "${dir}")
+  if [[ "$1" != "--force" && "${old_owner}" == "${owner}" ]]; then
+    continue
+  fi
+  printf "Fixing volume ${dir} (before=${old_owner} after=${owner})…"
+  chown -R "${owner}" "${dir}"
+  chmod -R a+r,u+rw "${dir}"
+  echo "✓"
+done

Dockerfile

@@ -54,19 +54,25 @@ LABEL maintainer="Reaction Commerce <engineering@reactioncommerce.com>" \
       com.reactioncommerce.docker.git.sha1=$GIT_SHA1 \
       com.reactioncommerce.docker.license=$LICENSE
 
-RUN apk --no-cache add bash curl less vim
+# shadow and su-exec are used by bin/start-root (shadow provides usermod)
+# hadolint ignore=DL3018
+RUN apk --no-cache add bash curl less shadow su-exec vim
 SHELL ["/bin/bash", "-o", "pipefail", "-o", "errexit", "-u", "-c"]
 
 # Because Docker Compose uses a volume for node_modules and volumes are owned
 # by root by default, we have to initially create node_modules here with correct owner.
 # Without this Yarn cannot write packages into node_modules later, when running in a container.
-RUN mkdir -p "/usr/local/src/node_modules"; chown node "/usr/local/src"; chown node "/usr/local/src/node_modules"
-RUN mkdir -p "/usr/local/src/reaction-app/node_modules"; chown node "/usr/local/src/reaction-app"; chown node "/usr/local/src/reaction-app/node_modules"
-
-# Same for Yarn cache folder. Without this Yarn will warn that it's going to use
-# a fallback cache dir instead because the one in config is not writable.
-RUN mkdir -p "/home/node/.cache/yarn"; chown node "/home/node/.cache/yarn"
-RUN mkdir -p "/home/node/.cache/yarn-offline-mirror"; chown node "/home/node/.cache/yarn-offline-mirror"
+RUN volumes=( \
+  /usr/local/src \
+  /usr/local/src/node_modules \
+  /usr/local/src/reaction-app \
+  /usr/local/src/reaction-app/node_modules \
+  /home/node/.cache/yarn \
+  /home/node/.cache/yarn-offline-mirror) ; \
+  for dir in ${volumes[*]}; do \
+    mkdir -p "${dir}"; \
+    chown node "${dir}"; \
+  done
 
 WORKDIR $APP_SOURCE_DIR/..
 COPY --chown=node package.json yarn.lock $APP_SOURCE_DIR/../
@@ -113,4 +119,6 @@ RUN if [ "$BUILD_ENV" = "production" ]; then \
     yarn build; \
   fi;
 
-CMD ["yarn", "start"]
+# hadolint ignore=DL3002
+USER root
+ENTRYPOINT ["./.reaction/entrypoint.sh"]

bin/fix-volumes

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# Please Use Google Shell Style: https://google.github.io/styleguide/shell.xml
+
+# ---- Start unofficial bash strict mode boilerplate
+# http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -o errexit  # always exit on error
+set -o errtrace # trap errors in functions as well
+set -o pipefail # don't ignore exit codes when piping output
+set -o posix    # more strict failures in subshells
+# set -x          # enable debugging
+
+IFS=$'\n\t'
+# ---- End unofficial bash strict mode boilerplate
+cd "$(dirname "${BASH_SOURCE[0]}")/.."
+docker-compose run --entrypoint=./.reaction/fix-volumes.sh web --force

docker-compose.yml

@@ -10,12 +10,10 @@ networks:
 
 services:
   web:
-    user: root
     build:
       context: .
       args:
         BUILD_ENV: "development"
-    command: "/usr/local/src/reaction-app/bin/start"
     env_file:
       - ./.env
     environment: