Merge pull request cweagans#11 from davide/master

Run unison as a non-root user (specifying the UID and GUID to own the files)

Dockerfile

@@ -23,6 +23,12 @@ RUN apk add --no-cache --virtual .build-dependencies build-base curl && \
     apk del .build-dependencies ocaml && \
     rm -rf /tmp/unison-${UNISON_VERSION}
 
+ENV HOME="/root" \
+    UNISON_USER="root" \
+    UNISON_GROUP="root" \
+    UNISON_UID="0" \
+    UNISON_GID="0"
+
 # Copy the bg-sync script into the container.
 COPY sync.sh /usr/local/bin/bg-sync
 RUN chmod +x /usr/local/bin/bg-sync

README.md

@@ -46,6 +46,10 @@ documented below.
     If you are using bg-sync to avoid filesystem slowness, you should set this
     path to whatever path the volume is at in your application container. In the
     example above, for instance, this would be `/var/www/myapp`.
+  * **`SYNC_PREFER`** (default: `/source`): Control the conflict strategy to apply
+    when there are conflits. By default the contents from the source folder are
+    left unchanged but there is also the "newer" option to pick up the most
+    recent files.
   * **`SYNC_VERBOSE`** (default: "0"): Set this variable to "1" to get more log
     output from Unison.
   * **`SYNC_MAX_INOTIFY_WATCHES`** (default: ''): If set, the sync script will
@@ -65,6 +69,13 @@ documented below.
   * **`SYNC_NODELETE_SOURCE`** (default: '1'): Set this variable to "0" to allow
     Unison to sync deletions to the source directory. This could cause unpredictable
     behaviour with your source files.
+  * **`UNISON_USER`** (default: 'root'): The user running Unison. When this value
+    is customized it's also possible to specify UNISON_UID, UNISON_GROUP and
+    UNISON_GID to ensure that unison has the correct permissions to manage files
+    under SYNC_SOURCE and SYNC_DESTINATION.
+  * **`UNISON_UID`** (default: '0'): See UNISON_USER.
+  * **`UNISON_GROUP`** (default: 'root'): See UNISON_USER.
+  * **`UNISON_GID`** (default: '0'): See UNISON_USER.
 
 ## Why not use *x*?
 

sync.sh

@@ -18,6 +18,16 @@ log_error_exit() {
   exit 1
 }
 
+# Create non-root user
+if [ "$UNISON_USER" != "root" ]; then
+  log_heading "Setting up non-root user ${UNISON_USER}."
+  HOME="/home/${UNISON_USER}"
+  addgroup -g $UNISON_GID -S $UNISON_GROUP
+  adduser -u $UNISON_UID -D -S -G $UNISON_GROUP $UNISON_USER
+  mkdir -p ${HOME}/.unison
+  chown -R ${UNISON_USER}:${UNISON_GROUP} ${HOME}
+fi
+
 #
 # Set defaults for all variables that we depend on (if they aren't already set in env).
 #
@@ -29,6 +39,9 @@ log_error_exit() {
 # synced to the destination.
 : ${SYNC_DESTINATION:="/destination"}
 
+# The preferred approach to deal with conflicts
+: ${SYNC_PREFER:=$SYNC_SOURCE}
+
 # If set, there will be more verbose log output from various commands that are
 # run by this script.
 : ${SYNC_VERBOSE:="0"}
@@ -106,7 +119,7 @@ fi
 # Generate a unison profile so that we don't have a million options being passed
 # to the unison command.
 log_heading "Generating Unison profile"
-[ -d "/root/.unison" ] || mkdir /root/.unison
+[ -d "${HOME}/.unison" ] || mkdir -p ${HOME}/.unison
 
 unisonsilent="true"
 if [[ "$SYNC_VERBOSE" == "0" ]]; then
@@ -118,6 +131,11 @@ if [[ "$SYNC_NODELETE_SOURCE" == "1" ]]; then
   nodelete="nodeletion=$SYNC_SOURCE"
 fi
 
+prefer="$SYNC_SOURCE"
+if [ -z "${SYNC_PREFER}" ]; then
+  prefer=${SYNC_PREFER}
+fi
+
 echo "
 # This file is automatically generated by bg-sync. Do not modify.
 
@@ -133,7 +151,7 @@ contactquietly=true
 fastcheck=true
 maxthreads=10
 $nodelete
-prefer=$SYNC_SOURCE
+prefer=$SYNC_PREFER
 repeat=watch
 silent=$unisonsilent
 
@@ -145,9 +163,9 @@ ignore = Name *___jb_tmp___*
 # Additional user configuration
 $SYNC_EXTRA_UNISON_PROFILE_OPTS
 
-" > /root/.unison/default.prf
+" > ${HOME}/.unison/default.prf
 
 # Start syncing files.
 log_heading "Starting continuous sync."
-unison default
 
+su -c "unison default" -s /bin/sh ${UNISON_USER}