chore: drop root in container
parent
594c09b0a7
commit
3f83e2c792
@ -15,7 +15,7 @@ FROM docker.io/library/debian:bookworm-slim
|
||||
|
||||
WORKDIR /app
|
||||
RUN apt-get update && apt-get upgrade -y \
|
||||
&& apt-get install -y ca-certificates libnl-route-3-200 libprotobuf32 tini \
|
||||
&& apt-get install -y ca-certificates gosu libnl-route-3-200 libprotobuf32 tini \
|
||||
&& apt-get clean && rm -rf /var/lib/apt/lists
|
||||
|
||||
# rootfs
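Review bot: The `woj` account that the newly installed `gosu` is meant to switch to is not created in the image; the entrypoint in this commit creates it at every container start with `groupadd -g 1000 woj` and `useradd -g 1000 -u 1000 woj`. The compose file uses `restart: unless-stopped`, and a restarted container keeps its writable layer, so the second start would find the group already present and `groupadd` would return an error; if the entrypoint runs under `set -e` (not visible on this page), that aborts startup. Creating the account in this `RUN` (`&& groupadd -g 1000 woj && useradd -g 1000 -u 1000 woj`), or guarding the entrypoint calls with `id -u woj >/dev/null 2>&1 ||`, avoids this. The same applies to the `su-exec` line in the alpine-based Dockerfile with `addgroup`/`adduser`. The stage continues past `# rootfs`, outside this hunk.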
|
||||
|
@ -12,7 +12,7 @@ RUN find /app -type f -name "*.map" -delete
|
||||
FROM docker.io/library/alpine
|
||||
|
||||
WORKDIR /app
|
||||
RUN apk --no-cache add tzdata ca-certificates bash
|
||||
RUN apk --no-cache add tzdata ca-certificates bash su-exec
|
||||
|
||||
COPY --from=base /builder/config.docker.yaml /app
|
||||
COPY --from=base /builder/docker-entrypoint.sh /app
|
||||
|
@ -1,6 +1,6 @@
|
||||
services:
|
||||
server:
|
||||
image: git.0x7f.app/woj/woj-server:1.3.1-dev
|
||||
image: quay.io/ldcraft/woj-server:1.3.1-dev
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: [ "CMD", "wget", "-q", "-O", "/dev/null", "http://127.0.0.1:8000/health" ]
|
||||
@ -27,7 +27,7 @@ services:
|
||||
- "8000:8000"
|
||||
|
||||
runner:
|
||||
image: git.0x7f.app/woj/woj-runner:1.3.1-dev
|
||||
image: quay.io/ldcraft/woj-runner:1.3.1-dev
|
||||
restart: unless-stopped
|
||||
command: runner
|
||||
privileged: true
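Review bot: Both new `image:` lines pull the mutable tag `1.3.1-dev` from a different registry namespace than before, so what runs depends on whatever that tag points to at pull time. Pinning by digest, e.g. `image: quay.io/ldcraft/woj-runner:1.3.1-dev@sha256:<digest>`, would make the change of source reviewable and repeatable. This matters most for `runner`, which keeps `privileged: true` in the context lines. The UID switch in the entrypoint is then the only reduction of privilege applied to that container, and it would be worth a comment next to `privileged: true` stating why it is still required.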
|
||||
|
@ -136,11 +136,37 @@ setup_cgroups() {
|
||||
sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/nsjail/cgroup.controllers > /sys/fs/cgroup/nsjail/cgroup.subtree_control
|
||||
}
|
||||
|
||||
if [ -n "$SETUP_CGROUP" ]; then
|
||||
setup_cgroups
|
||||
fi
|
||||
setup_user_runner() {
|
||||
# runner use debian as base image
|
||||
groupadd -g 1000 woj
|
||||
useradd -g 1000 -u 1000 woj
|
||||
# runner data
|
||||
chown -R woj:woj /app/resource/runner/problem || true
|
||||
chown -R woj:woj /app/resource/runner/tmp || true
|
||||
chown -R woj:woj /app/resource/runner/user || true
|
||||
# cgroups
|
||||
chown -R woj:root /sys/fs/cgroup/nsjail
|
||||
}
|
||||
|
||||
setup_user_server() {
|
||||
# server use alpine as base image
|
||||
addgroup -g 1000 -S woj
|
||||
adduser -u 1000 -S -G woj woj
|
||||
}
|
||||
|
||||
setup_user() {
|
||||
if [ -n "$RUNNER_IMAGE" ]; then
|
||||
setup_user_runner
|
||||
else
|
||||
setup_user_server
|
||||
fi
|
||||
}
|
||||
|
||||
if [ -n "$RUNNER_IMAGE" ]; then setup_cgroups; fi
|
||||
generate_config
|
||||
setup_user
|
||||
|
||||
log_info "starting woj"
|
||||
exec /app/woj "$@"
|
||||
if [ -n "$RUNNER_IMAGE" ]; then EXEC=gosu; else EXEC=su-exec; fi
|
||||
exec $EXEC /app/woj "$@"
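Review bot: The final `exec $EXEC /app/woj "$@"` never names the account to switch to. Both `gosu` and `su-exec` take the user spec as their first argument, so `/app/woj` is parsed as the user and the first element of `"$@"` as the command. The lookup of a user called `/app/woj` should fail, so the container would not start at all rather than run as `woj`; the line should read `exec "$EXEC" woj /app/woj "$@"`. Separately, the three `chown -R woj:woj … || true` lines in `setup_user_runner` hide failures, so a data directory left owned by root would only surface later as a permission error in the runner. Replacing `|| true` with a `log_info` call would keep startup best-effort and still record it. The top of the script, including any `set -e`, is outside this hunk.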
|
||||
|
||||
|