mirror of
https://github.com/element-hq/synapse.git
synced 2024-11-24 18:45:52 +03:00
Run the server as an unprivileged user
This commit is contained in:
parent
f72c9c1fb6
commit
e9021e16c4
2 changed files with 8 additions and 5 deletions
|
@ -1,6 +1,6 @@
|
|||
FROM python:2-alpine
|
||||
|
||||
RUN apk add --no-cache --virtual .nacl_deps build-base libffi-dev zlib-dev openssl-dev libjpeg-turbo-dev linux-headers postgresql-dev
|
||||
RUN apk add --no-cache --virtual .nacl_deps su-exec build-base libffi-dev zlib-dev openssl-dev libjpeg-turbo-dev linux-headers postgresql-dev
|
||||
|
||||
COPY . /synapse
|
||||
|
||||
|
|
|
@ -9,14 +9,16 @@ convert = lambda src, dst, environ: open(dst, "w").write(jinja2.Template(open(sr
|
|||
mode = sys.argv[1] if len(sys.argv) > 1 else None
|
||||
environ = os.environ.copy()
|
||||
|
||||
# Check mandatory parameters and build the base start arguments
|
||||
if "SYNAPSE_SERVER_NAME" not in environ:
|
||||
print("Environment variable SYNAPSE_SERVER_NAME is mandatory, exiting.")
|
||||
sys.exit(2)
|
||||
|
||||
permissions = "{}:{}".format(environ.get("UID", 991), environ.get("GID", 991))
|
||||
args = ["python", "-m", "synapse.app.homeserver",
|
||||
"--server-name", os.environ.get("SYNAPSE_SERVER_NAME"),
|
||||
"--report-stats", os.environ.get("SYNAPSE_REPORT_STATS", "no"),
|
||||
"--config-path", os.environ.get("SYNAPSE_CONFIG_PATH", "/compiled/homeserver.yaml")]
|
||||
"--server-name", environ.get("SYNAPSE_SERVER_NAME"),
|
||||
"--report-stats", environ.get("SYNAPSE_REPORT_STATS", "no"),
|
||||
"--config-path", environ.get("SYNAPSE_CONFIG_PATH", "/compiled/homeserver.yaml")]
|
||||
|
||||
# Generate any missing shared secret
|
||||
for secret in ("SYNAPSE_REGISTRATION_SHARED_SECRET", "SYNAPSE_MACAROON_SECRET_KEY"):
|
||||
|
@ -35,4 +37,5 @@ if mode == "generate":
|
|||
# In normal mode, generate missing keys if any, then run synapse
|
||||
else:
|
||||
subprocess.check_output(args + ["--generate-keys"])
|
||||
os.execv("/usr/local/bin/python", args)
|
||||
subprocess.check_output(["chown", "-R", permissions, "/data"])
|
||||
os.execv("/sbin/su-exec", ["su-exec", permissions] + args)
|
||||
|
|
Loading…
Reference in a new issue