From 3cd5976a7a6d5d00fe78c4c5d4125fd109b331ca Mon Sep 17 00:00:00 2001
From: Paul Eggleton
Date: Thu, 9 May 2019 12:03:36 +1200
Subject: [PATCH] Set permissions for all volumes

We weren't setting ownership for the recently introduced logvolume and srcvolume volumes (though keep srcvolume optional as I often modify docker-compose.yml to mount it from a local directory). At the same time convert the call to shell=False to keep bandit happy.

Signed-off-by: Paul Eggleton
---
 dockersetup.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/dockersetup.py b/dockersetup.py
index c5bbc57..fe73af4 100755
--- a/dockersetup.py
+++ b/dockersetup.py
@@ -647,11 +647,17 @@ if not updatemode:
 os.remove(sqlscriptfile)
 ## Set the volume permissions using debian:stretch since we recently fetched it
- return_code = subprocess.call("docker run --rm -v layerindexweb_layersmeta:/opt/workdir debian:stretch chown 500 /opt/workdir && \
- docker run --rm -v layerindexweb_layersstatic:/usr/share/nginx/html debian:stretch chown 500 /usr/share/nginx/html", shell=True)
- if return_code != 0:
- print("Setting volume permissions failed")
- sys.exit(1)
+ volumes = ['layersmeta', 'layersstatic', 'logvolume']
+ with open('docker-compose.yml', 'r') as f:
+ for line in f:
+ if line.lstrip().startswith('- srcvolume:'):
+ volumes.append('srcvolume')
+ break
+ for volume in volumes:
+ return_code = subprocess.call(['docker', 'run', '--rm', '-v', 'layerindexweb_%s:/opt/mount' % volume, 'debian:stretch', 'chown', '500', '/opt/mount'], shell=False)
+ if return_code != 0:
+ print("Setting volume permissions for volume %s failed" % volume)
+ sys.exit(1)
 ## Generate static assets. Run this command again to regenerate at any time (when static assets in the code are updated)
 return_code = subprocess.call("docker-compose run --rm -e STATIC_ROOT=/usr/share/nginx/html -v layerindexweb_layersstatic:/usr/share/nginx/html layersapp /opt/layerindex/manage.py collectstatic --noinput", shell = True)
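Review bot: A zero exit status from the new `docker run ... chown 500 /opt/mount` call does not prove the intended volume was touched: `docker run -v NAME:/path` creates a missing named volume on the fly, so if the compose project prefix is ever not `layerindexweb` (it is hard-coded here and where it is set is not visible) the loop chowns fresh empty volumes and reports success while the real ones stay root-owned. A guard ahead of the chown would close that, e.g. `if subprocess.call(['docker', 'volume', 'inspect', 'layerindexweb_%s' % volume], stdout=subprocess.DEVNULL) != 0:` followed by the same print-and-exit. The `srcvolume` detection has a similar silent-miss mode, since `line.lstrip().startswith('- srcvolume:')` skips a quoted list entry and `open('docker-compose.yml', 'r')` depends on the current working directory; a comment such as `# text match: assumes an unquoted "- srcvolume:" entry and cwd == checkout dir` would record the assumption. The surrounding `if not updatemode:` block begins outside this hunk, so the nesting of these statements cannot be confirmed from here.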