Run the containers without root

.gitignore

@@ -102,3 +102,6 @@ data/photos/*.*
 
 # OS files
 .DS_Store
+
+# Editor swap
+*~

README.md

@@ -34,12 +34,14 @@ Create a new directory to run inside and download the example Docker Compose fil
 
     mkdir photonix
     cd photonix
-    curl https://raw.githubusercontent.com/photonixapp/photonix/master/docker/docker-compose.example.yml > docker-compose.yml
+    curl https://raw.githubusercontent.com/photonixapp/photonix/master/docker/docker-compose.prd.yml > docker-compose.yml
 
 Make volume directories for data stored outside the container.
 
     mkdir -p  data/photos
 
+We've by default picked uid and gid `2000` for the photonix container to run as. If that causes conflicts on your system or you'd like to change that to match ownership of your photos directory, change the `user` line in your docker-compose and ARG UID and ARG GID in your Dockerfile (and rebuild) file to suit.
+
 Bring up Docker Compose which will pull and run the required Docker images.
 
     docker-compose up

docker/Dockerfile.dev

@@ -1,10 +1,12 @@
 FROM python:3.8.12-slim-bullseye
 
+ARG UID=2000
+ARG GID=2000
+
 # Install system dependencies - note that some of these are only used on non-amd64 where Python packages have to be compiled from source
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         build-essential \
-        cron \
         curl \
         dcraw \
         file \
@@ -86,6 +88,11 @@ RUN chmod 0644 /etc/cron.d/*
 
 ENV PYTHONPATH /srv
 
+RUN groupadd -g $GID photonix
+RUN useradd -u $UID -g $GID photonix
+RUN chown -R photonix:photonix /srv /var/lib/nginx /var/log/nginx /var/run /run
+USER photonix
+
 CMD ./system/run.sh
 
 EXPOSE 80

docker/Dockerfile.prd

@@ -92,10 +92,11 @@ RUN rm -rf \
 
 
 FROM ${ARCH}python:3.8.12-slim-bullseye
+ARG UID=2000
+ARG GID=2000
 
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
-        cron \
         dcraw \
         file \
         libatlas3-base \
@@ -123,6 +124,7 @@ COPY --from=builder /usr/local/lib/python3.8/site-packages /usr/local/lib/python
 COPY --from=builder /usr/local/bin /usr/local/bin
 COPY --from=builder /srv/ui/build /srv/ui/build
 
+
 WORKDIR /srv
 
 # Copy over the code
@@ -136,15 +138,16 @@ COPY ui/public /srv/ui/public
 COPY system /srv/system
 COPY system/supervisord.conf /etc/supervisord.conf
 
-# Copy crontab
-COPY system/cron.d /etc/cron.d/
-RUN chmod 0644 /etc/cron.d/*
-
 ENV PYTHONPATH /srv
 ENV TF_CPP_MIN_LOG_LEVEL 3
 
 RUN DJANGO_SECRET_KEY=test python photonix/manage.py collectstatic --noinput --link
 
+RUN groupadd -g $GID photonix
+RUN useradd -u $UID -g $GID photonix
+RUN chown -R photonix:photonix /srv /var/lib/nginx /var/log/nginx /var/run /run
+USER photonix
+
 CMD ./system/run.sh
 
 EXPOSE 80

docker/docker-compose.dev.yml

@@ -1,7 +1,16 @@
 version: '3'
 
 services:
+  init:
+    image: busybox:latest
+    volumes:
+      - ./data:/data
+    environment:
+      USER: $USER
+    command: ["/bin/sh", "-c", "cd /data && mkdir -p db photos raw-photos-processed cache models && chown 70:70 db && chown 2000:2000 photos raw-photos-processed cache models"]
+
   postgres:
+    user: "70:70"
     container_name: photonix-postgres
     image: postgres:11.1-alpine
     ports:
@@ -11,14 +20,20 @@ services:
       POSTGRES_PASSWORD: password
     volumes:
       - ../data/db:/var/lib/postgresql/data
+    depends_on:
+      - init
 
   redis:
+    user: "999:999"
     container_name: photonix-redis
-    image: redis:6.2.2
+    image: redis:6.2-bullseye
     ports:
       - '6379:6379'
+    depends_on:
+      - init
 
   photonix:
+    user: "2000:2000"
     container_name: photonix
     # image: photonixapp/photonix:latest
     image: photonix-dev
@@ -62,3 +77,5 @@ services:
     links:
       - postgres
       - redis
+    depends_on:
+      - init

docker/docker-compose.example.yml

@@ -12,7 +12,7 @@ services:
 
   redis:
     container_name: photonix-redis
-    image: redis:6.2.2
+    image: redis:6.2-bullseye
 
   photonix:
     container_name: photonix

docker/docker-compose.prd.yml

@@ -2,23 +2,26 @@ version: '3'
 
 services:
   postgres:
+    user: "70:70"
     container_name: photonix-postgres
     image: postgres:11.1-alpine
-    ports:
-      - '5432:5432'
     environment:
       POSTGRES_DB: photonix
       POSTGRES_PASSWORD: password
     volumes:
       - ../data/db:/var/lib/postgresql/data
+    depends_on:
+      - init
 
   redis:
+    user: "999:999"
     container_name: photonix-redis
-    image: redis:6.2.2
-    ports:
-      - '6379:6379'
+    image: redis:6.2-bullseye
+    depends_on:
+      - init
 
   photonix:
+    user: "2000:2000"
     container_name: photonix
     # image: photonixapp/photonix:latest
     image: photonix
@@ -43,3 +46,5 @@ services:
     links:
       - postgres
       - redis
+    depends_on:
+      - init

docker/docker_manage.sh

@@ -1,2 +1,2 @@
 #!/bin/sh
-docker exec -ti `docker ps | grep photonix_photonix | awk '{print $1;}'` python photonix/manage.py "$@"
+docker exec -ti photonix python photonix/manage.py "$@"

system/nginx_prd.conf

@@ -1,4 +1,3 @@
-user  root;
 worker_processes    8;
 daemon off;
 

system/supervisord.conf

@@ -30,7 +30,7 @@ stderr_logfile_maxbytes=0
 stdout_logfile_maxbytes=0
 
 [program:cron]
-command = /bin/bash -c "declare -p | grep -Ev '^declare -[[:alpha:]]*r' > /run/supervisord.env && /usr/sbin/cron -f -L 15"
+command = /bin/bash -c "declare -p | grep -Ev '^declare -[[:alpha:]]*r' > /run/supervisord.env && . /run/supervisord.env; while [ 1 ]; do python /srv/photonix/manage.py retrain_face_similarity_index; sleep 300; done"
 stderr_logfile=/dev/stderr
 stdout_logfile=/dev/stdout
 stderr_logfile_maxbytes=0