From 8c4964db2dec8ff06a5abb3a13a030d2693fe8dc Mon Sep 17 00:00:00 2001
From: Uku Taht
Date: Wed, 14 Oct 2020 15:59:19 +0300
Subject: [PATCH] Revert "Update container image to run as non root (#352)"

This reverts commit 59acd4c76d6ce77e00d3af46d4aea20c1d33586e.
---
 .gitlab/build-scripts/docker-entrypoint.sh | 9 +++++++--
 Dockerfile | 17 ++++++++++++++++-
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/.gitlab/build-scripts/docker-entrypoint.sh b/.gitlab/build-scripts/docker-entrypoint.sh
index 6f6a3f7b733f..b44a0135d02e 100755
--- a/.gitlab/build-scripts/docker-entrypoint.sh
+++ b/.gitlab/build-scripts/docker-entrypoint.sh
@@ -1,11 +1,16 @@
 #!/bin/bash
 set -e
+chmod a+x /app/*.sh
+
 if [[ "$1" = 'run' ]]; then
- /app/bin/plausible start
+ exec gosu plausibleuser /app/bin/plausible start
 elif [[ "$1" = 'db' ]]; then
- /app/"$2".sh
+ exec gosu plausibleuser /app/"$2".sh
+ else
+ exec "$@"
+
 fi
 exec "$@"
diff --git a/Dockerfile b/Dockerfile
index e82d7f2a15de..1536560d1b7e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,6 +6,7 @@ FROM elixir:1.10.3 as buildcontainer
 # preparation
 ARG APP_VER=0.0.1
+ENV GOSU_VERSION 1.11
 ENV MIX_ENV=prod
 ENV NODE_ENV=production
 ENV APP_VERSION=$APP_VER
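Review bot: In the docker-entrypoint.sh hunk, the new `else` branch runs `exec "$@"` without gosu, so any command other than `run` or `db` executes as root while the two named branches step down to plausibleuser. If a root escape hatch is not intended, that line should read `exec gosu plausibleuser "$@"`. In the `db` branch, `$2` is interpolated directly into the script path, so it should be checked against the expected script names before the exec. The trailing `exec "$@"` after `fi` is now unreachable, because every branch already execs, and can be dropped.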
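Review bot: In the first Dockerfile hunk, `ENV GOSU_VERSION 1.11` uses the legacy space-separated form while the neighbouring lines use `key=value`; write `ENV GOSU_VERSION=1.11` to match. As far as this patch shows, the value is only read by the gosu download step in the build stage, so `ARG GOSU_VERSION=1.11` would serve the same purpose without adding it to the stage environment.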
@@ -22,6 +23,20 @@ RUN apt-get update && \
 RUN apt-get install -y --no-install-recommends ca-certificates wget \
 && apt-get install -y --install-recommends gnupg2 dirmngr
+# grab gosu for easy step-down from root
+RUN set -x \
+ && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
+ && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
+ && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
+ && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+ && command -v gpgconf && gpgconf --kill all || : \
+ && rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
+ && chmod +x /usr/local/bin/gosu \
+ && gosu --version \
+ && gosu nobody true
+
 COPY mix.exs ./
 COPY mix.lock ./
 RUN mix local.hex --force && \
@@ -67,9 +82,9 @@ COPY .gitlab/build-scripts/docker-entrypoint.sh /entrypoint.sh
 RUN chmod a+x /entrypoint.sh && \
 useradd -d /app -u 1000 -s /bin/bash -m plausibleuser
+COPY --from=buildcontainer /usr/local/bin/gosu /usr/local/bin/gosu
 COPY --from=buildcontainer /app/_build/prod/rel/plausible /app
 RUN chown -R plausibleuser:plausibleuser /app
-USER plausibleuser
 WORKDIR /app
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["run"]
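Review bot: In the gosu download hunk, the `|| :` on the `gpgconf` line binds to the whole `&&` chain before it, not only to `gpgconf --kill all`, so a failed `gpg --batch --verify` is turned into success. The same holds for a failed `wget` of the `.asc` file or a failed `--recv-keys`, which means a keyserver outage silently skips signature verification and the build still runs `chmod +x` on the binary. Group the best-effort cleanup so it cannot absorb earlier failures: `&& { command -v gpgconf && gpgconf --kill all || :; } \`. A short comment above the `RUN` stating that the build must fail when verification fails would make that intent explicit for later edits.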
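Review bot: With `USER plausibleuser` removed in the last Dockerfile hunk, the final image defaults to root and the only privilege drop is the gosu call inside /entrypoint.sh. An overridden entrypoint, or a command that reaches the script's `else` branch, therefore runs as root, and runtimes that require a non-root image user (for example Kubernetes `runAsNonRoot`) will likely reject the image. That trade-off should be recorded next to the instruction that depends on it, for example `# Image starts as root; /entrypoint.sh drops to plausibleuser via gosu for "run" and "db"` above `ENTRYPOINT`. This stage begins outside the hunk, so its base image is not visible here.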