Remove separate build user and run as root.

nubs · nubs · commit 25df7b6252d8 · 2016-03-26T23:28:13.000-05:00
Instead of bringing in the difficulty of a build user that needs to be setup on the host, instead user namespaces can be used to provide a similar level of security for the host system. This should make this image easier to work with, especially for custom additions and running on non-Linux development machines. Group setup is still necessary for volume mounting permissions to work under many setups, but it's configurable by the user instead of hard-coded by this docker image. This should also hopefully improve the experience when trying to run this image on an OSX or Windows host, especially using the newly in beta project released by Docker: https://blog.docker.com/2016/03/docker-for-mac-windows-beta/.
diff --git a/Dockerfile b/Dockerfile
@@ -17,21 +17,12 @@ RUN pacman-key --refresh-keys && \
 # warnings.
 COPY timezone.ini /etc/php/conf.d/
 
-# Create a separate user for composer to run as.  Root access shouldn't
-# typically be necessary.  We specify the uid so that it is unique.
-RUN useradd --uid 55446 --create-home --comment "Composer Build User" build
-
-RUN mkdir /code && chown build:build /code
+RUN mkdir /code
 WORKDIR /code
 
-USER build
-ENV HOME /home/build
+ENV HOME /root
 ENV COMPOSER_HOME $HOME/.composer
 
-# Set the umask to 002 so that the group has write access inside and outside the
-# container.
-COPY umask.sh $HOME/
-
 # Setup and install composer into the composer global location.  The
 # certificate is installed manually to get around open_basedir restrictions.
 RUN mkdir -p $COMPOSER_HOME/vendor/bin
@@ -42,5 +33,4 @@ RUN curl -sSL https://getcomposer.org/installer | php -- --install-dir=$COMPOSER
 # system PATH.
 ENV PATH vendor/bin:$COMPOSER_HOME/vendor/bin:$PATH
 
-ENTRYPOINT ["/home/build/umask.sh"]
 CMD ["composer", "install"]
diff --git a/README.md b/README.md
@@ -5,9 +5,6 @@ This is a base image for building [PHP][PHP] [composer] packages.
 This docker image builds on top of Arch Linux's base/archlinux image for the
 purpose of building PHP composer packages.  It provides several key features:
 
-* A non-root user (`build`) for executing the image build.  This is important
-  for security purposes and to ensure that the package doesn't require root
-  permissions to be built.
 * Access to the build location will be in the volume located at `/code`.  This
   directory will be the default working directory.
 * Composer bin directories are automatically included in `PATH`.  Both a
@@ -38,21 +35,31 @@ docker run -i -t --rm -v /tmp/my-code:/code nubs/composer-build composer update
 ```
 
 ## Permissions
-This image uses a build user to run composer.  This means that your file
-permissions must allow this user to write to certain folders like `vendor`.
-The easiest way to do this is to create a group and give that group write
-access to the necessary folders.
+This image runs as root (PID 0), but for security purposes it is recommended to
+use Docker's [user namespace functionality][docker-user-namespaces] to map that
+to a non-privileged user on your host system.
+
+If you use volume mounting of your project (e.g., to run `composer install`
+inside the container but want to modify the host `vendor` directory), then you
+may run into permission issues.
+
+Without Docker's user namespaces, the container will create files/directories
+with root ownership on your host which may cause issues when trying to access
+them as a non-root user.
+
+When using Docker's user namespaces, the container will be running under a
+different user.  You may have to adjust permissions on the directory to allow
+the user to create/modify files.  For example, giving an `/etc/setuid` and
+`/etc/subgid` that contains `dockremap:165536:65536` and a docker daemon
+running using this default mapping: `docker daemon --userns-remap=default`,
+you would need to run the following to give the container access to run
+`composer install` and yourself access to do so on the host:
 
 ```bash
-groupadd --gid 55446 composer-build
+groupadd --gid 165536 subgid-root
 chmod -R g+w vendor
-chgrp -R composer-build vendor
-```
-
-You may also want to give your user access to files created by the build user.
-
-```bash
-usermod -a -G 55446 "$(whoami)"
+chgrp -R subgid-root node_modules
+usermod -a -G subgid-root "$(whoami)"
 ```
 
 ### Dockerfile build
@@ -66,11 +73,7 @@ process alone could look like this:
 ```dockerfile
 FROM nubs/composer-build
 
-USER root
-
 RUN pacman --sync --noconfirm --noprogressbar --quiet xdebug
-
-USER build
 ```
 
 You can then build this docker image and run it against your `composer.json`
@@ -89,4 +92,5 @@ the full license text.
 
 [PHP]: http://php.net/ "PHP: Hypertext Preprocessor"
 [composer]: https://getcomposer.org/
+[docker-use-namespaces]: https://docs.docker.com/engine/reference/commandline/daemon/#daemon-user-namespace-options
 [LICENSE]: https://github.com/nubs/docker-composer-build/blob/master/LICENSE
diff --git a/umask.sh b/umask.sh
