mjordan / islandora_workbench

A command-line tool for managing content in an Islandora 2 repository
MIT License

Improve Dockerfile to Handle Permissions and Enhance Build Compatibility #814

Open DonRichards opened 3 months ago

DonRichards commented 3 months ago

Problem: The current Dockerfile in the repository has encountered several minor warnings related to compatibility with different host environments and is running pip installs as root. This isn't "good practice". Additionally, there are challenges related to BuildKit and ensuring consistent user and group ID handling between the host and the Docker container. And remove the need to use DOCKER_BUILDKIT=0 in most situations.

Solution: To resolve these issues, the following enhancements should be made to the Dockerfile:

  1. User and Group ID Handling: Introduce build arguments USER_ID and GROUP_ID to ensure that the Docker container runs with the same user and group IDs as the host system. This will prevent permission issues when the container interacts with mounted directories.

  2. Permission Management: Add a step in the Dockerfile to create a group with the specified GROUP_ID and ensure proper ownership and permissions are set for the /workbench directory within the container.

  3. Environment Variable Update: Modify the Dockerfile to include the .local/bin directory in the PATH, ensuring that scripts installed via pip are accessible during runtime.

  4. DOCKER_BUILDKIT=0 Consideration: Provide documentation on why and when to disable BuildKit by setting DOCKER_BUILDKIT=0, to ensure compatibility and address any issues that might arise from using the legacy build system. This will be a PR to the docs repo.

Steps to Reproduce:

  1. Build the Docker Image:

    docker build -t workbench-docker .

  2. Run the Docker Container:

    docker run -it --rm --network="host" -v .:/workbench --name test-container workbench-docker bash -lc "./workbench --config /workbench/config.yml --check"

  3. Observe:

    • Watch the build process for errors or alerts.
    • Issues with accessing mounted directories.

Expected Behavior:

Additional Context:

This improvement will enhance the usability and flexibility of the Islandora Workbench when running in Docker, particularly for users who need to work with files in various directories on their host systems. I'm submitting a PR in a moment.

mjordan commented 3 months ago

@DonRichards excellent issue, thanks. I'll test the PR and docs this weekend.

noahwsmith commented 2 months ago

Running this as indicated on my M2 Mac with the latest Docker For Mac, I get

Noah-M2-MBP-2:islandora_workbench noah$ docker build --build-arg USER_ID=$(id -u) --build-arg GROUP_ID=$(id -g) -t workbench-docker .
[+] Building 0.4s (10/11)                                                                                                                             docker:desktop-linux
 => [internal] load build definition from Dockerfile                                                                                                                  0.0s
 => => transferring dockerfile: 2.21kB                                                                                                                                0.0s
 => [internal] load metadata for docker.io/library/python:3.10.6                                                                                                      0.3s
 => [internal] load .dockerignore                                                                                                                                     0.0s
 => => transferring context: 2B                                                                                                                                       0.0s
 => [1/7] FROM docker.io/library/python:3.10.6@sha256:745efdfb7e4aac9a8422bd8c62d8bc35a693e8979a240d29677cb03e6aa91052                                                0.0s
 => [internal] load build context                                                                                                                                     0.0s
 => => transferring context: 19.81kB                                                                                                                                  0.0s
 => CACHED [2/7] RUN groupadd -g 20 dockeruser || true                                                                                                                0.0s
 => CACHED [3/7] RUN useradd -m -u 501 -g 20 -s /bin/bash dockeruser                                                                                                  0.0s
 => CACHED [4/7] WORKDIR /workbench                                                                                                                                   0.0s
 => CACHED [5/7] COPY . /workbench/                                                                                                                                   0.0s
 => ERROR [6/7] RUN chown -R dockeruser:dockeruser /workbench                                                                                                         0.1s
------
 > [6/7] RUN chown -R dockeruser:dockeruser /workbench:
0.072 chown: invalid group: ‘dockeruser:dockeruser’

However, if I change line 33 of the Dockerfile to RUN chown -R $USER_ID:$GROUP_ID /workbench it works and I think the outcome is the same as is working for other folks with the name. Want that patch in a new MR? Looks like the original one here has been merged...
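
Added example (not part of the thread and not the project's Dockerfile): in the log above, `groupadd -g 20 dockeruser || true` hides the cause of the failure. On the Debian-based python:3.10.6 image GID 20 already belongs to the `dialout` group, so no group named `dockeruser` is ever created and `chown dockeruser:dockeruser` cannot resolve it. The fragment assumes the step order shown in the build log and uses numeric IDs throughout; the default value 1000 is an assumption.

```dockerfile
# Added example, not the project's Dockerfile. Step order follows the build log above.
FROM python:3.10.6

# Host IDs passed with --build-arg; 1000 is an assumed default.
ARG USER_ID=1000
ARG GROUP_ID=1000

# Create the group only when the GID is unused. With GROUP_ID=20 (the GID in the
# macOS build log) the GID is already taken by Debian's "dialout", so that group
# is reused and no "dockeruser" group exists. A genuine groupadd failure now
# stops the build instead of being hidden by "|| true".
RUN if ! getent group "${GROUP_ID}" >/dev/null; then \
        groupadd -g "${GROUP_ID}" dockeruser; \
    fi && \
    useradd -m -u "${USER_ID}" -g "${GROUP_ID}" -s /bin/bash dockeruser

WORKDIR /workbench
COPY . /workbench/

# Numeric owner and group resolve whatever the group is called in the image.
RUN chown -R "${USER_ID}:${GROUP_ID}" /workbench

# Drop root before any pip install so packages land in ~/.local, not system-wide.
USER ${USER_ID}:${GROUP_ID}
ENV PATH="/home/dockeruser/.local/bin:${PATH}"
```

It builds with the same `--build-arg USER_ID=$(id -u) --build-arg GROUP_ID=$(id -g)` invocation shown in the log.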

joshdentremont commented 2 months ago

@noahwsmith I'm also seeing the chown failure on my Mac.

mjordan commented 2 months ago

I'd love to hear about some use cases for using the dockerfile. I think they would make an excellent addition to the Workbench docs.

joshdentremont commented 2 months ago

@mjordan I just put in a PR to the Islandora Documentation for how to use it to populate a site template site - https://github.com/Islandora/documentation/pull/2351

mjordan commented 2 months ago

Cool, thanks. I'll point to this from the new docs @DonRichards contributed to the workbench docs.