badlop
commented
2 years ago Hi! interesting finding. But looking carefully, it may not be a mistake, but on purpose:
The files copied in 2. from builder are the typical files that an installer would install: binaries, translations, scripts, headers... files that are not expected to be modified. Directories where nothing will be added at all. For that reason, the Dockerfile implicitly says "I don't bother about ownership, let's keep root as owner, and let ejabberd have only read access to them".
The paths created in 1. are for files that ejabberd will generate in this instance (configuration, database spool, logs, upload). [1]
In this Docker image, directories from 1. and 2. are kept in a path named /home/ejabberd, that led you to conclude that ejabberd should be owner of them all. But we saw that this is not strictly necessary... in fact those docker images work correctly since several years ago :)
Another clue to understand this is in the old binary installers, and the new installers available since ejabberd 22.05, and in the new container image available in GitHub Packages: all those install methods have:
- /opt/ejabberd: which is equivalent to your point 1: files and dirs to be modified, ejabberd is owner and has write access
- /opt/ejabberd-22.05: which is equivalent to your point 2: binaries and other non-modificable files, ejabberd does not need ownership, just needs read access.
[1] By the way, ejabberd never modifies the configuration files, so maybe that path and files could be root-owned, and only read permission to ejabberd user...
floriangasc
Hi, first, thank's for your work.
I found strange behavior/intention:
COPY --from=builder /ejabberd/runtime .. Because.is$HOMEandCOPYhas not--chown ejabberd:ejabberd, all directories copy from builder container into final container are in root (and not in ejabberd user).There are any reason for that ? if not and if you want, i will make a P.R (for replace line 93 by
COPY --chown ejabberd:ejabberd --from=builder /ejabberd/runtime .).Thank's in advance