restore gosu suid bit when supervisor container stops

* webdevops/Dockerfile#387

Author: kaluzki

src/opt/docker/bin/config.sh

@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+
+shopt -s nullglob
+
+###
+ # Check if current user is root
+ #
+ ##
+function rootCheck() {
+    # Root check
+    if [ "$(/usr/bin/whoami)" != "root" ]; then
+        echo "[ERROR] $* must be run as root"
+        exit 1
+    fi
+}
+
+###
+ # Create /docker.stdout and /docker.stderr
+ #
+ ##
+function createDockerStdoutStderr() {
+    # link stdout from docker
+    if [[ -n "$LOG_STDOUT" ]]; then
+        echo "Log stdout redirected to $LOG_STDOUT"
+    else
+        LOG_STDOUT="/proc/$$/fd/1"
+    fi
+
+    if [[ -n "$LOG_STDERR" ]]; then
+        echo "Log stderr redirected to $LOG_STDERR"
+    else
+        LOG_STDERR="/proc/$$/fd/2"
+    fi
+
+    ln -f -s "$LOG_STDOUT" /docker.stdout
+    ln -f -s "$LOG_STDERR" /docker.stderr
+}
+###
+ # Include script directory text inside a file
+ #
+ # $1 -> path
+ #
+ ##
+function includeScriptDir() {
+    if [[ -d "$1" ]]; then
+        for FILE in "$1"/*.sh; do
+            echo "-> Executing ${FILE}"
+            # run custom scripts, only once
+            . "$FILE"
+        done
+    fi
+}
+
+###
+ # Show deprecation notice
+ #
+ ##
+function deprecationNotice() {
+    echo ""
+    echo "###############################################################################"
+    echo "###      THIS CALL IS DEPRECATED AND WILL BE REMOVED IN THE FUTURE"
+    echo "###"
+    echo "### $*"
+    echo "###"
+    echo "###############################################################################"
+    echo ""
+}
+
+###
+ # Run "entrypoint" scripts
+ #
+ ##
+function runEntrypoints() {
+    # try to find entrypoint task script
+    ENTRYPOINT_SCRIPT="/opt/docker/bin/entrypoint.d/${TASK}.sh"
+    if [ ! -f "$ENTRYPOINT_SCRIPT" ]; then
+        # use default
+        ENTRYPOINT_SCRIPT="/opt/docker/bin/entrypoint.d/default.sh"
+    fi
+
+    if [ ! -f "$ENTRYPOINT_SCRIPT" ]; then
+        exit 1
+    fi
+
+    . "$ENTRYPOINT_SCRIPT"
+}
+
+###
+ # Run "entrypoint" provisioning
+ #
+ ##
+function runProvisionEntrypoint() {
+    includeScriptDir "/opt/docker/provision/entrypoint.d"
+    includeScriptDir "/entrypoint.d"
+}
+
+###
+ # https://stackoverflow.com/questions/41451159/how-to-execute-a-script-when-i-terminate-a-docker-container
+ # https://hynek.me/articles/docker-signals/
+ #
+ ##
+function runTeardownEntrypoint() {
+    echo "Container stopped, performing teardown..."
+    includeScriptDir "/opt/docker/provision/entrypoint.d/teardown"
+    includeScriptDir "/entrypoint.d/teardown"
+}
+
+###
+ # List environment variables (based on prefix)
+ #
+ ##
+function envListVars() {
+    if [[ $# -eq 1 ]]; then
+        env | grep "^${1}" | cut -d= -f1
+    else
+        env | cut -d= -f1
+    fi
+}
+
+###
+ # Get environment variable (even with dots in name)
+ #
+ ##
+function envGetValue() {
+    awk "BEGIN {print ENVIRON[\"$1\"]}"
+}

src/opt/docker/bin/entrypoint.d/cli.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+#############################################
+## Run CLI_SCRIPT from environment variable
+#############################################
+
+if [ -n "${CLI_SCRIPT}" ]; then
+    if [ -n "${CONTAINER_UID}" ]; then
+        # Run as EFFECTIVE_USER
+        shift
+        exec gosu "${CONTAINER_UID}" "${CLI_SCRIPT}" "$@"
+    else
+        # Run as root
+        exec "${CLI_SCRIPT}" "$@"
+    fi
+else
+    echo "[ERROR] No CLI_SCRIPT in in docker environment defined"
+    exit 1
+fi

src/opt/docker/bin/entrypoint.sh

@@ -1,47 +1,35 @@
 #!/usr/bin/env bash
 
 if [[ -z "$CONTAINER_UID" ]]; then
-    export CONTAINER_UID=$APPLICATION_UID
+    export CONTAINER_UID=1000
 fi
 
-set -o pipefail  # trace ERR through pipes
-set -o errtrace  # trace ERR through 'time command' and other functions
-set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
-set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o pipefail # trace ERR through pipes
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o nounset  ## set -u : exit the script if you try to use an uninitialised variable
+set -o errexit  ## set -e : exit the script if any statement returns a non-true return value
 
 # auto elevate privileges (if container is not started as root)
 if [[ "$UID" -ne 0 ]]; then
     export CONTAINER_UID="$UID"
     exec gosu root "$0" "$@"
 fi
 
-# remove suid bit on gosu
-# chmod -s /sbin/gosu
-
-trap 'echo sigterm ; exit' SIGTERM
-trap 'echo sigkill ; exit' SIGKILL
-
-# sanitize input and set task
-TASK="$(echo $1| sed 's/[^-_a-zA-Z0-9]*//g')"
-
-source /opt/docker/bin/config.sh
-
+. /opt/docker/bin/config.sh
 createDockerStdoutStderr
 
-if [[ "$UID" -eq 0 ]]; then
-    # Only run provision if user is root
-
-    if [ "$TASK" == "supervisord" -o "$TASK" == "noop" ]; then
-        # Visible provisioning
-        runProvisionEntrypoint
-    else
-        # Hidden provisioning
-        runProvisionEntrypoint  > /dev/null
-    fi
+# sanitize input and set task
+TASK="$(echo $1 | sed 's/[^-_a-zA-Z0-9]*//g')"
+
+if [ "$TASK" == "supervisord" ] || [ "$TASK" == "noop" ]; then
+    # visible provisioning
+    runProvisionEntrypoint
+    trap 'runTeardownEntrypoint' SIGTERM
+    runEntrypoints "$@" &
+    wait $!
+    runTeardownEntrypoint
+else
+    # hidden provisioning
+    runProvisionEntrypoint > /dev/null
+    runEntrypoints "$@"
 fi
-
-#############################
-## COMMAND
-#############################
-
-runEntrypoints "$@"

src/opt/docker/provision/entrypoint.d/05-gosu.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+# remove suid bit
+chmod -s /sbin/gosu

src/opt/docker/provision/entrypoint.d/teardown/05-gosu.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+# add suid bit
+chmod +s /sbin/gosu