From 1cf44ef854281dafa44069e5f858f45f85a44439 Mon Sep 17 00:00:00 2001
From: Xingyao Wang
Date: Sat, 17 Aug 2024 05:43:56 +0800
Subject: [PATCH] fix app docker again! (#3427)
---
 containers/app/Dockerfile | 7 ++++++-
 containers/app/entrypoint.sh | 1 -
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/containers/app/Dockerfile b/containers/app/Dockerfile
index 490bf5b2b2eb..7e8f6ea6eecb 100644
--- a/containers/app/Dockerfile
+++ b/containers/app/Dockerfile
@@ -56,7 +56,7 @@ RUN useradd -l -m -u $OPENDEVIN_USER_ID -s /bin/bash opendevin && \
 usermod -aG app opendevin && \
 usermod -aG sudo opendevin && \
 echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
-RUN chown -R opendevin:app /app && chmod -R 2770 /app
+RUN chown -R opendevin:app /app && chmod -R 770 /app
 RUN sudo chown -R opendevin:app $WORKSPACE_BASE && sudo chmod -R 770 $WORKSPACE_BASE
 USER opendevin
@@ -75,7 +75,12 @@ COPY --chown=opendevin:app --chmod=770 ./poetry.lock ./poetry.lock
 COPY --chown=opendevin:app --chmod=770 ./README.md ./README.md
 COPY --chown=opendevin:app --chmod=770 ./MANIFEST.in ./MANIFEST.in
+# This is run as "opendevin" user, and will create __pycache__ with opendevin:opendevin ownership
 RUN python opendevin/core/download.py # No-op to download assets
+# Add this line to set group ownership of all files/directories not already in "app" group
+# opendevin:opendevin -> opendevin:app
+RUN find /app \! -group app -exec chgrp app {} +
+
 RUN chown -R opendevin:app /app/logs && chmod -R 770 /app/logs # This gets created by the download.py script
 COPY --chown=opendevin:app --chmod=770 --from=frontend-builder /app/dist ./frontend/dist
diff --git a/containers/app/entrypoint.sh b/containers/app/entrypoint.sh
index 5fe8aedd3988..26db649f5bd0 100644
--- a/containers/app/entrypoint.sh
+++ b/containers/app/entrypoint.sh
@@ -59,7 +59,6 @@ else
 fi
 usermod -aG $DOCKER_SOCKET_GID enduser
- usermod -aG opendevin enduser
 echo "Running as enduser"
 su enduser /bin/bash -c "$*"
 fi
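Review bot: `chmod -R 770 /app` on the changed line sets the execute bit on every regular file under /app, not only on directories, and it now drops the setgid bit with no comment saying why. If the intent is only that owner and group can read, write and traverse, `chmod -R u=rwX,g=rwX,o= /app` gives that without marking source and data files executable. A one-line comment such as `# setgid dropped on purpose (<reason>); group ownership is repaired by the find/chgrp step after download.py` would keep a later edit from quietly restoring 2770. The same recursive 770 is applied to $WORKSPACE_BASE on the unchanged line that follows.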
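Review bot: The added `RUN find /app \! -group app -exec chgrp app {} +` repairs group ownership only for files that exist at this point of the build. With setgid removed from /app in the first hunk, anything opendevin writes under /app afterwards (later RUN steps, or __pycache__ created at run time) will again carry the opendevin group. Since the entrypoint.sh hunk also takes enduser out of the opendevin group, such files may not be reachable by enduser; whether they are depends on enduser's other group memberships, which the diff does not show. The comment should state that limit, e.g. `# build-time only: files created under /app after this step are not covered`. As a small hardening, `chgrp -h app` keeps the sweep from changing the targets of symlinks that point outside /app.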