Closed floriangasc closed 2 years ago
Hi! Interesting finding. But looking carefully, it may not be a mistake, but on purpose:
The files copied in 2. from builder are the typical files that an installer would install: binaries, translations, scripts, headers... files that are not expected to be modified. Directories where nothing will be added at all. For that reason, the Dockerfile implicitly says "I don't bother about ownership, let's keep root as owner, and let ejabberd have only read access to them".
The paths created in 1. are for files that ejabberd will generate in this instance (configuration, database spool, logs, upload). [1]
In this Docker image, directories from 1. and 2. are kept in a path named /home/ejabberd, and that led you to conclude that ejabberd should be the owner of them all. But we saw that this is not strictly necessary... in fact those docker images have worked correctly for several years :)
Another clue to understand this is in the old binary installers, and the new installers available since ejabberd 22.05, and in the new container image available in GitHub Packages: all those install methods have:
[1] By the way, ejabberd never modifies the configuration files, so maybe that path and files could be root-owned, and only read permission to ejabberd user...
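The ownership split described in this reply can be checked mechanically. The following is an added example, not part of the thread or of the ejabberd project: it walks a tree and reports installed files that a service uid could modify, and instance-data directories it could not write to. The directory names, the uid, and the use of the "other" write bit as a stand-in for chown are assumptions made so the sample runs without root.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids=frozenset()):
    """Classic mode-bit check (ignores ACLs and capabilities)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, uid, writable_dirs, gids=frozenset()):
    """Report paths that break the split: installed files the service uid
    can modify, or instance-data directories it cannot write to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            top = rel.split(os.sep)[0]
            writable = can_write(st, uid, gids)
            if top not in writable_dirs and writable:
                findings.append(("unexpected-write", rel))
            elif rel in writable_dirs and not writable:
                findings.append(("not-writable", rel))
    return sorted(findings)

def build_sample(root):
    """Constructed tree; the 'other' write bit stands in for service ownership."""
    layout = [("bin", True, 0o755), ("bin/ejabberdctl", False, 0o755),
              ("lib", True, 0o755), ("lib/app.beam", False, 0o666),  # wrongly writable
              ("database", True, 0o777),                             # writable, as intended
              ("logs", True, 0o755)]                                 # should be writable
    for rel, is_dir, mode in layout:
        path = os.path.join(root, *rel.split("/"))
        os.mkdir(path) if is_dir else open(path, "w").close()
        os.chmod(path, mode)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        service_uid = os.getuid() + 1000  # hypothetical uid that owns nothing here
        return audit(root, service_uid, {"database", "logs"})

if __name__ == "__main__":
    for kind, rel in demo():
        print(kind, rel)
```

Inside a real container the same `audit` call would take the ejabberd user's actual uid and group ids, and the set of top-level directories that user is expected to write to.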
Oh! I hadn't seen the problem from this perspective. Very good and clear explanation.
Thanks again for your work and your quick reply.
Hi, first, thanks for your work.
I found strange behavior/intention: `COPY --from=builder /ejabberd/runtime .`. Because `.` is `$HOME` and `COPY` does not have `--chown ejabberd:ejabberd`, all directories copied from the builder container into the final container are in root (and not in the ejabberd user). Is there any reason for that? If not, and if you want, I will make a P.R. (to replace line 93 by `COPY --chown ejabberd:ejabberd --from=builder /ejabberd/runtime .`). Thanks in advance