@ctron
Contributor

@ctron ctron commented Jul 18, 2019

Change file permissions so that a non root user can run the container.

Description

Currently the container is built for running as root. However, in some circumstances it is desired to not run as root. Currently this simply fails (see log below). This change grants the necessary permission on the files, so that the server starts up, even when the effective user is not root.

Motivation and Context

Running the container with a non-root user simply fails:

$ docker run --rm -ti -u 1 docker.io/swaggerapi/swagger-ui:latest
fs.js:115
    throw err;
    ^

Error: EACCES: permission denied, open '/usr/share/nginx/html/index.html'
    at Object.openSync (fs.js:439:3)
    at Object.writeFileSync (fs.js:1190:35)
    at Object.<anonymous> (/usr/share/nginx/configurator/index.js:38:4)
    at Module._compile (internal/modules/cjs/loader.js:689:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:700:10)
    at Module.load (internal/modules/cjs/loader.js:599:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:538:12)
    at Function.Module._load (internal/modules/cjs/loader.js:530:3)
    at Function.Module.runMain (internal/modules/cjs/loader.js:742:12)
    at startup (internal/bootstrap/node.js:282:19)

In some environments, however, it is desirable to run this as "any" (non-root) user.

How Has This Been Tested?

  • run with docker run --rm -ti -u 1 docker.io/swaggerapi/swagger-ui:latest
  • deployed on OpenShift

Screenshots (if appropriate):

n/a

Checklist

My PR contains...

  • No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
  • Dependency changes (any modification to dependencies in package.json)
  • Bug fixes (non-breaking change which fixes an issue)
  • Improvements (misc. changes to existing features)
  • Features (non-breaking change which adds functionality)

My changes...

  • are breaking changes to a public API (config options, System API, major UI change, etc).
  • are breaking changes to a private API (Redux, component props, utility functions, etc.).
  • are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
  • are not breaking changes.

Documentation

  • My changes do not require a change to the project documentation.
  • My changes require a change to the project documentation.
  • If yes to above: I have updated the documentation accordingly.

Automated tests

  • My changes can not or do not need to be tested.
  • My changes can and should be tested by unit and/or integration tests.
  • If yes to above: I have added tests to cover my changes.
  • If yes to above: I have taken care to cover edge cases in my tests.
  • All new and existing tests passed.

@JonathanParrilla
Contributor

Hey,

Can you please provide some more details for the use case where we'd need to run this as a non-root user?

@ctron
Contributor Author

ctron commented Jul 22, 2019

Can you please provide some more details for the use case where we'd need to run this as a non-root user?

Sure, I would like to run this as non-root, in order to use this on Kubernetes/OpenShift in a secure way:

@JonathanParrilla
Contributor

Okay. Wonderful. I approve if you can please make one small change.

You right now have it as:

RUN chmod +x /usr/share/nginx/run.sh
RUN chmod -R a+rw /usr/share/nginx
RUN chmod -R a+rw /etc/nginx
RUN chmod -R a+rw /var
RUN chmod -R a+rw /var/run

This has a layer per RUN and does not fit Dockerfile best practice.

Can you alter it to fit Dockerfile best practices:

RUN chmod +x /usr/share/nginx/run.sh && \
    chmod -R a+rw /usr/share/nginx && \
    chmod -R a+rw /etc/nginx && \
    chmod -R a+rw /var && \
    chmod -R a+rw /var/run

Thank you.

@JonathanParrilla
Contributor

Also, please, update your branch.

@ctron ctron force-pushed the feature/non_root_1 branch from 5540ed6 to e435122 Compare July 23, 2019 09:38
@ctron
Contributor Author

ctron commented Jul 23, 2019

Changed & rebased

@JonathanParrilla JonathanParrilla merged commit f53e611 into swagger-api:master Jul 29, 2019
@ctron ctron deleted the feature/non_root_1 branch July 30, 2019 07:36
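
The permission change discussed in this thread, as an added example that is not part of the pull request or the project's code: the script applies `chmod -R a+rw` and a group-scoped grant (`chgrp` plus `chmod g=u`) to a constructed scratch tree and counts the world-writable entries each one leaves behind. The function names and the scratch tree are hypothetical, and the group-scoped variant assumes the runtime UID is a member of the chosen group, as is the case for the root group (GID 0) when OpenShift assigns an arbitrary UID.

```shell
#!/bin/sh
# Added example: compares the thread's `chmod -R a+rw` with a group-scoped
# grant on a constructed scratch tree (paths mirror those in the thread).

# Build a scratch tree without group/other write bits, like root-owned image files.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/nginx" "$root/var/run" "$root/usr/share/nginx/html"
    : > "$root/etc/nginx/nginx.conf"
    : > "$root/usr/share/nginx/html/index.html"
    : > "$root/usr/share/nginx/run.sh"
    chmod -R u+rwX,go-w "$root"
    printf '%s\n' "$root"
}

# Number of entries under $1 that have all permission bits in $2 set (e.g. 0002).
count_perm() {
    find "$1" ! -type l -perm "-$2" | wc -l | tr -d ' '
}

# Approach from the thread: every user on the system may read and write.
grant_all() {
    chmod -R a+rw "$1"
}

# Group-scoped alternative (assumption: the runtime UID is in group $2).
# Copies the owner's bits to the group and adds nothing for "other".
grant_group() {
    chgrp -R "$2" "$1" && chmod -R g=u,o-w "$1"
}

# Demo on constructed data; uses the caller's own group so it runs unprivileged.
demo() {
    a=$(make_tree) && b=$(make_tree) || return 1
    grant_all "$a"
    grant_group "$b" "$(id -g)"
    echo "a+rw: world-writable=$(count_perm "$a" 0002)"
    echo "g=u:  world-writable=$(count_perm "$b" 0002) group-writable=$(count_perm "$b" 0020)"
    rm -rf "$a" "$b"
}
demo
```

In an image build the group argument would be `0` rather than `$(id -g)`; a container started with `docker run -u 1` only benefits if that UID is also given the matching group.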