fix: change group.

.pre-commit-config.yaml

@@ -15,7 +15,7 @@ repos:
       - id: trailing-whitespace
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: cb3c2be894b151dff143b1baf6acbd55f2b7faed  # frozen: 0.30.0
+    rev: 62833a79b57fcd1bc372b136911a0edca60c3dcb  # frozen: 0.31.0
     hooks:
       - id: check-github-workflows
 

Dockerfile

@@ -46,16 +46,22 @@ RUN apk update --quiet && \
         jq \
         tini \
         wget && \
+    apk add --quiet --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing \
+        gosu && \
     rm /var/cache/apk/* && \
     rm -rf /etc/periodic /etc/crontabs/root && \
-    mkdir -p ${HOME_DIR}/jobs
+    adduser -S docker -D && \
+    mkdir -p ${HOME_DIR}/jobs && \
+    chown -R docker:root ${HOME_DIR}
+
+USER docker
 
 COPY --from=builder /usr/bin/rq/rq /usr/local/bin
-COPY entrypoint.sh /
+COPY entrypoint.sh /opt
 
-ENTRYPOINT ["/sbin/tini", "--", "/entrypoint.sh"]
+ENTRYPOINT ["/usr/bin/gosu", "docker", "/sbin/tini", "--", "/opt/entrypoint.sh"]
 
 HEALTHCHECK --interval=5s --timeout=3s \
     CMD ps aux | grep '[c]rond' || exit 1
 
-CMD ["crond", "-f", "-d", "6", "-c", "/etc/crontabs"]
+CMD ["crond", "-f", "-d", "7", "-c", "/etc/crontabs"]

entrypoint.sh

@@ -2,7 +2,6 @@
 
 set -e
 
-DOCKER_SOCK=/var/run/docker.sock
 CRONTAB_FILE=/etc/crontabs/docker
 
 if [ -z "${HOME_DIR}" ] && [ -n "${TEST_MODE}" ]; then
@@ -35,27 +34,6 @@ normalize_config() {
     jq -S -r '."~~shared-settings" as $shared | del(."~~shared-settings") | to_entries | map_values(.value + { name: .key } + $shared)' <<< "${JSON_CONFIG}" > "${HOME_DIR}"/config.working.json
 }
 
-ensure_docker_socket_accessible() {
-    if ! grep -q "^docker:" /etc/group; then
-        # Ensure 'docker' user has permissions for docker socket (without changing permissions).
-        DOCKER_GID=$(stat -c '%g' ${DOCKER_SOCK})
-        if [ "${DOCKER_GID}" != "0" ]; then
-            if ! grep -qE "^[^:]+:[^:]+:${DOCKER_GID}:" /etc/group; then
-                # No group with such gid exists - create group 'docker'.
-                addgroup -g "${DOCKER_GID}" docker
-                adduser docker docker
-            else
-                # Group with such gid exists - add user 'docker' to this group.
-                DOCKER_GROUP_NAME=$(getent group "${DOCKER_GID}" | awk -F':' '{{ print $1 }}')
-                adduser docker "${DOCKER_GROUP_NAME}"
-            fi
-        else
-            # Docker socket belongs to 'root' group - add user 'docker' to this group.
-            adduser docker root
-        fi
-    fi
-}
-
 slugify() {
     echo "${@}" | iconv -t ascii | sed -r s/[~^]+//g | sed -r s/[^a-zA-Z0-9]+/-/g | sed -r s/^-+\|-+$//g | tr '[:upper:]' '[:lower:]'
 }
@@ -256,8 +234,5 @@ start_app() {
     exec "${@}"
 }
 
-if [ -z "${TEST_MODE}" ]; then
-    ensure_docker_socket_accessible
-fi
 printf "✨ starting crontab container ✨\n"
 start_app "${@}"