PIN users to UIDs and monkey patch initctldocker-pin

4 files changed, 97 insertions, 18 deletions

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 05521af6963..ad26d932d31 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -25,14 +25,16 @@ RUN mkdir -p /opt/gitlab/sv/sshd/supervise \
     && ln -s /opt/gitlab/sv/sshd /opt/gitlab/service \
     && mkdir -p /var/run/sshd
 
-# Prepare default configuration
-RUN ( \
-  echo "" && \
-  echo "# Docker options" && \
-  echo "# Prevent Postgres from trying to allocate 25% of total memory" && \
-  echo "postgresql['shared_buffers'] = '1MB'" ) >> /etc/gitlab/gitlab.rb && \
-  mkdir -p /assets/ && \
-  cp /etc/gitlab/gitlab.rb /assets/gitlab.rb
+# Copy assets
+COPY assets/ /assets/
+RUN cat /assets/gitlab-docker.rb /etc/gitlab/gitlab.rb > /assets/gitlab.rb && \
+    rm /etc/gitlab/gitlab.rb
+
+# Monkey patch missing initctl
+COPY assets/initctl /sbin/initctl
+
+# Allow to access embedded tools
+ENV PATH /opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH
 
 # Expose web & ssh
 EXPOSE 443 80 22
@@ -40,8 +42,5 @@ EXPOSE 443 80 22
 # Define data volumes
 VOLUME ["/etc/gitlab", "/var/opt/gitlab", "/var/log/gitlab"]
 
-# Copy assets
-COPY assets/wrapper /usr/local/bin/
-
 # Wrapper to handle signal, trigger runit and reconfigure GitLab
-CMD ["/usr/local/bin/wrapper"]
+CMD ["/assets/wrapper"]
diff --git a/docker/assets/gitlab-docker.rb b/docker/assets/gitlab-docker.rb
new file mode 100644
index 00000000000..b6d487a84c7
--- /dev/null
+++ b/docker/assets/gitlab-docker.rb
@@ -0,0 +1,16 @@
+# Docker options
+## Prevent Postgres from trying to allocate 25% of total memory
+postgresql['shared_buffers'] = '1MB'
+
+## PIN users to UIDs
+user['uid'] = 998
+user['gid'] = 998
+postgresql['uid'] = 996
+postgresql['gid'] = 996
+redis['uid'] = 997
+redis['gid'] = 997
+web_server['uid'] = 999
+web_server['gid'] = 999
+gitlab_ci['uid'] = 995
+gitlab_ci['gid'] = 995
+
diff --git a/docker/assets/initctl b/docker/assets/initctl
new file mode 100755
index 00000000000..944741ee66c
--- /dev/null
+++ b/docker/assets/initctl
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Monkey patch missing initctl in docker environment
+
+fail() {
+	echo "$@" 1>&2
+	exit 1
+}
+
+verify_args() {
+	if [[ "$2" != "gitlab-runsvdir" ]]; then
+		fail "initctl: Unknown job: $2"
+	fi
+	if [[ $# -ne 2 ]]; then
+		fail "usage: $0 command gitlab-runsvdir"
+	fi
+}
+
+proxy_gitlab_ctl() {
+	gitlab-ctl "$COMMAND"
+}
+
+COMMAND="$1"
+shift
+SERVICE="$1"
+
+case "$COMMAND" in
+	start)
+		verify_args "$COMMAND" "$@"
+		RUNSVDIR=$(pidof runsvdir)
+		if [[ -z "$RUNSVDIR" ]]; then
+			/opt/gitlab/embedded/bin/runsvdir-start &
+		fi
+		;;
+
+	stop|restart)
+		verify_args "$COMMAND" "$@"
+		proxy_gitlab_ctl "$COMMAND" "$@"
+		;;
+
+	status)
+		verify_args "$COMMAND" "$@"
+		if [[ ! -f /etc/init/$SERVICE.conf ]]; then
+			fail "initctl: Unknown job: $SERVICE"
+		fi
+
+		RUNSVDIR=$(pidof runsvdir)
+		if [[ -n "$RUNSVDIR" ]]; then
+			echo "$SERVICE start/running, process $RUNSVDIR"
+		else
+			echo "$SERVICE stop/waiting"
+		fi
+		;;
+
+	reload)
+		verify_args "$COMMAND" "$@"
+		proxy_gitlab_ctl "hup" "$@"
+		;;
+
+	list)
+		echo "gitlab-runsvdir"
+		;;
+
+	*)
+		exit 0
+		;;
+esac
diff --git a/docker/assets/wrapper b/docker/assets/wrapper
index 8bc8370fbc9..cd7e50b5719 100755
--- a/docker/assets/wrapper
+++ b/docker/assets/wrapper
@@ -7,15 +7,12 @@ function sigterm_handler() {
 
 trap "sigterm_handler; exit" TERM
 
-function entrypoint() {
-    /opt/gitlab/embedded/bin/runsvdir-start &
-    gitlab-ctl reconfigure # will also start everything
-    gitlab-ctl tail # tail all logs
-}
+set -xe
 
 if [[ ! -e /etc/gitlab/gitlab.rb ]]; then
 	cp /assets/gitlab.rb /etc/gitlab/gitlab.rb
 	chmod 0600 /etc/gitlab/gitlab.rb
 fi
 
-entrypoint
+gitlab-ctl reconfigure # start everything
+gitlab-ctl tail # all logs