Merge pull request #653 from thockin/dockerfile-volume-cleanup
Update Dockerfile docs and default for volumes
This commit is contained in:
Kubernetes Prow Robot
GitHub
commit
503b9dae45
|
|
@ -14,35 +14,29 @@
|
||||||
|
|
||||||
# HOW TO USE THIS CONTAINER:
|
# HOW TO USE THIS CONTAINER:
|
||||||
#
|
#
|
||||||
# For most users, the simplest way to use this container is to mount a volume
|
# The only commandline argument (or env var) that is really required is
|
||||||
# on /git. The only commandline argument (or env var) that is really required
|
# `--repo` ($GIT_SYNC_REPO). Everything else is optional (run this with
|
||||||
# is `--repo` ($GIT_SYNC_REPO). Everything else is optional (run this with
|
|
||||||
# `--man` for details).
|
# `--man` for details).
|
||||||
#
|
#
|
||||||
# This container will run as UID:GID 65533:65533 by default, and unless you
|
# This container will run as UID:GID 65533:65533 by default. For most users,
|
||||||
# change that, you do not need to think about permissions much. If you run
|
# the simplest ways to use this container are either:
|
||||||
# into permissions problems, this might help:
|
# a) use the default UID/GID and mount a volume on /git writeable by those
|
||||||
|
# b) set your own UID/GID and mount a volume on /git writeable by those
|
||||||
#
|
#
|
||||||
# - User does not mount a volume
|
# If you mount a volume anywhere else, you must set `--root` ($GIT_SYNC_ROOT).
|
||||||
# => should work, but limited utility
|
# If you do not mount a volume, this will run but you can't access the results
|
||||||
|
# (which might be useful for testing, but not much else).
|
||||||
#
|
#
|
||||||
# - User mounts a new docker volume on /git
|
# Newly created docker volumes (the very first `docker run -v`) are initialized
|
||||||
# => should work
|
# based on the in-image mountpoint's UID/GID?mode, so another solution for
|
||||||
|
# using this with docker is to set your own UID/GID and also add the default
|
||||||
|
# GID as a supplemental group (see `docker run --group-add`).
|
||||||
#
|
#
|
||||||
# - User mounts an existing docker volume on /git
|
# Kubernetes offers `Pod.spec.securityContext.fsGroup` to manage volume
|
||||||
# => if the volume already exists with compatible permissions it should work
|
# permissions.
|
||||||
# => if the volume already exists with different permissions you can either
|
|
||||||
# set the container UID or GID(s) or you can chown the volume
|
|
||||||
#
|
#
|
||||||
# - User mounts an existing dir on /git
|
# If you set any UID other than the default and want to use git over SSH, you
|
||||||
# => set container UID or GID(s) to be able to access that dir
|
# should set `--add-user` ($GIT_SYNC_ADD_USER).
|
||||||
#
|
|
||||||
# - User sets a different UID and git-sync GID
|
|
||||||
# => should work
|
|
||||||
#
|
|
||||||
# - User sets a different GID
|
|
||||||
# => either add the git-sync GID or else set --root, mount a volume,
|
|
||||||
# and manage volume permissions to access that volume
|
|
||||||
|
|
||||||
#############################################################################
|
#############################################################################
|
||||||
# First we prepare the image that we want, regardless of build layers.
|
# First we prepare the image that we want, regardless of build layers.
|
||||||
|
|
@ -66,20 +60,16 @@ RUN rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# Add the default UID to /etc/passwd so SSH is satisfied.
|
# Add the default UID to /etc/passwd so SSH is satisfied.
|
||||||
RUN echo "git-sync:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd
|
RUN echo "git-sync:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd
|
||||||
# A user might choose a different UID and set the --add-user flag, which needs
|
# A user might choose a different UID and set the `--add-user` flag, which
|
||||||
# to be able to write to /etc/passwd.
|
# needs to be able to write to /etc/passwd.
|
||||||
RUN chmod 0666 /etc/passwd
|
RUN chmod 0666 /etc/passwd
|
||||||
|
|
||||||
# Add the default GID to /etc/group for completeness.
|
# Add the default GID to /etc/group for completeness.
|
||||||
RUN echo "git-sync:x:65533:git-sync" >> /etc/group
|
RUN echo "git-sync:x:65533:git-sync" >> /etc/group
|
||||||
|
|
||||||
# Make a directory that can be used to mount volumes. Git-sync itself does not
|
# Make a directory that can be used to mount volumes. Setting the mode to
|
||||||
# default the --root ($GIT_SYNC_ROOT) flag, but we can set a default here,
|
# include group-write allows users to run this image as a different user, as
|
||||||
# which makes the container image easier to use. Setting the mode to include
|
# long as they use our git-sync group.
|
||||||
# group-write allows users to run this image as a different user, as long as
|
|
||||||
# they use our git-sync group. If the user needs a different group or sets
|
|
||||||
# $GIT_SYNC_ROOT or --root, their values will override this, and we assume they
|
|
||||||
# are handling permissions themselves.
|
|
||||||
RUN mkdir -m 02775 /git && chown 65533:65533 /git
|
RUN mkdir -m 02775 /git && chown 65533:65533 /git
|
||||||
|
|
||||||
# When building, we can pass a hash of the licenses tree, which docker checks
|
# When building, we can pass a hash of the licenses tree, which docker checks
|
||||||
|
|
@ -111,6 +101,11 @@ ENV HOME=/tmp
|
||||||
WORKDIR /tmp
|
WORKDIR /tmp
|
||||||
|
|
||||||
# Default values for flags.
|
# Default values for flags.
|
||||||
ENV GIT_SYNC_ROOT=/tmp/git
|
# Git-sync itself does not default the `--root` ($GIT_SYNC_ROOT) flag, but we
|
||||||
|
# can set a default here, which makes the container image easier to use. The
|
||||||
|
# permissions were set for the default git-sync UID and GID. If the user needs
|
||||||
|
# a different group or sets `--root` ($GIT_SYNC_ROOT), their values will
|
||||||
|
# override this, and we assume they are handling permissions themselves.
|
||||||
|
ENV GIT_SYNC_ROOT=/git
|
||||||
|
|
||||||
ENTRYPOINT ["/{ARG_BIN}"]
|
ENTRYPOINT ["/{ARG_BIN}"]
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue