Archiver: Add user to runtime docker image

phwissmann · phwissmann · commit 2bce4d7a41a1 · 2025-02-24T17:52:22.000+01:00
diff --git a/.env.prod b/.env.prod
@@ -17,9 +17,15 @@ IDP_CLIENT_ID=archiver-service-api
 # Image used for backend service
 OPENEM_BACKEND_IMAGE_NAME=ghcr.io/swissopenem/archiver-service-api
 OPENEM_IMAGE_TAG="latest"
+# Root folder where Docker volume of LTS share is mounted, i.e. root folder of the LTS share
+LTS_ROOT_FOLDER = /tmp/LTS
+# User and group id for LTS: these are the ids used to write files to the LTS. Only this user can read the files again
+LTS_USER_ID=999
+LTS_GROUP_ID=999
 # Backend server api root path
 API_ROOT_PATH=/archiver/api/v1
 
+
 #### Minio
 MINIO_REGION="eu-west-1"
 MINIO_RETRIEVAL_BUCKET="retrieval"
@@ -45,8 +51,7 @@ PREFECT_JOB_TEMPLATE=prefect-jobtemplate-prod.json
 PREFECT_ARCHIVAL_WORKPOOL_NAME=archival-docker-workpool
 # Workpool name for retrieval jobs
 PREFECT_RETRIEVAL_WORKPOOL_NAME=retrieval-docker-workpool
-# Root folder where Docker volume of LTS share is mounted, i.e. root folder of the LTS share
-LTS_ROOT_FOLDER = /tmp/LTS
+
 
 SCICAT_ENDPOINT=https://scopem-openem.ethz.ch/scicat/backend
 
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
@@ -151,7 +151,7 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           context: ./backend/archiver
-          file: .backend/archiver/prefect/runtime.Dockerfile
+          file: ./backend/archiver/prefect/runtime.Dockerfile
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
diff --git a/archiver-service.docker-compose.yml b/archiver-service.docker-compose.yml
@@ -155,14 +155,15 @@ services:
       args:
         LTS_ROOT_FOLDER: ${LTS_ROOT_FOLDER}
         PREFECT_VERSION: ${PREFECT_VERSION}
+        UID: 123
+        GID: 123
     container_name: prefect-flows-deployment
     networks:
       - scopemarchiver_network
     environment:
       ### Prefect specific values
       - PREFECT_LOGGING_LEVEL=${PREFECT_LOGGING_LEVEL}
       - PREFECT_API_URL=http://prefect-server:4200/api
-      - EXTRA_PIP_PACKAGES=prefect-docker==0.6.1
       ### Deployment values for interpolation in prefect.yaml
       - PREFECT_VERSION=${PREFECT_VERSION}
       - PREFECT_WORKER_LTS_VOLUME_NAME=scopemarchiver_${PREFECT_WORKER_LTS_VOLUME_NAME}
diff --git a/backend/prefect/runtime.Dockerfile b/backend/prefect/runtime.Dockerfile
@@ -16,6 +16,9 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 
 COPY ./ /app/backend/archiver/
 
+# docker executor needs prefect-docker
+RUN uv add prefect-docker==0.6.1
+
 FROM prefecthq/prefect:${PREFECT_VERSION} AS test_runner
 RUN mkdir -p /app/backend/archiver
 
@@ -27,6 +30,7 @@ RUN uv add pytest
 
 RUN uv run pytest tests --junitxml=junit/test-results.xml --cov=. --cov-report=xml --cov-report=html
 
+
 FROM prefecthq/prefect:${PREFECT_VERSION} AS runtime
 COPY --from=builder --chown=app:app /app/backend/archiver /app/backend/archiver
 
@@ -40,5 +44,13 @@ RUN systemctl --system enable rpcbind.service
 ARG LTS_ROOT_FOLDER=/tmp/LTS
 RUN mkdir ${LTS_ROOT_FOLDER}
 
+ARG UID=999
+ARG GID=999
+RUN chown -R ${UID}:${GID} /app
+
+ARG USER=app
+RUN useradd -rm -d /home/${USER} -s /bin/bash  -u ${UID} ${USER}
+USER ${USER}
+
 ENV PATH="/app/backend/archiver/.venv/bin:$PATH"
 CMD ["/bin/bash"]
