restore gosu suid bit when container stops

docker/base/alpine/conf/bin/config.sh

@@ -70,24 +70,18 @@ function deprecationNotice() {
  # Run "entrypoint" scripts
  ##
 function runEntrypoints() {
-    ###############
-    # Try to find entrypoint
-    ###############
-
-    ENTRYPOINT_SCRIPT="/opt/docker/bin/entrypoint.d/${TASK}.sh"
-
-    if [ -f "$ENTRYPOINT_SCRIPT" ]; then
-        . "$ENTRYPOINT_SCRIPT"
+    # try to find entrypoint task script
+    TASK_SCRIPT="/opt/docker/bin/entrypoint.d/${TASK}.sh"
+    if [ ! -f "$TASK_SCRIPT" ]; then
+        # run default
+        TASK_SCRIPT="/opt/docker/bin/entrypoint.d/default.sh"
     fi
 
-    ###############
-    # Run default
-    ###############
-    if [ -f "/opt/docker/bin/entrypoint.d/default.sh" ]; then
-        . /opt/docker/bin/entrypoint.d/default.sh
+    if [ ! -f "$TASK_SCRIPT" ]; then
+        exit 1
     fi
 
-    exit 1
+    . "$TASK_SCRIPT"
 }
 
  # Run "entrypoint" provisioning

docker/base/alpine/conf/bin/entrypoint.d/run.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+if [[ -z "$CONTAINER_UID" ]]; then
+    export CONTAINER_UID=application
+fi
+
+set -o pipefail # trace ERR through pipes
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o nounset  ## set -u : exit the script if you try to use an uninitialised variable
+set -o errexit  ## set -e : exit the script if any statement returns a non-true return value
+
+. /opt/docker/bin/config.sh
+
+# auto elevate privileges (if container is not started as root)
+if [[ "$UID" -ne 0 ]]; then
+    export CONTAINER_UID="$UID"
+    exec gosu root "$0" "$@"
+fi
+
+createDockerStdoutStderr
+
+# sanitize input and set task
+TASK="$(echo $1 | sed 's/[^-_a-zA-Z0-9]*//g')"
+
+# remove suid bit `chmod -s /sbin/gosu` in provision/entrypoint.d/05-gosu.sh
+if [ "$TASK" == "supervisord" ] || [ "$TASK" == "noop" ]; then
+    # visible provisioning
+    runProvisionEntrypoint
+else
+    # hidden provisioning
+    runProvisionEntrypoint >/dev/null
+fi
+
+# https://stackoverflow.com/questions/41451159/how-to-execute-a-script-when-i-terminate-a-docker-container
+# https://hynek.me/articles/docker-signals/
+function teardownEntrypoint()
+{
+    # restore suid bit `chmod +s /sbin/gosu` in provision/entrypoint.d/teardown/05-gosu.sh
+    echo "Container stopped, performing teardown..."
+    includeScriptDir /opt/docker/provision/entrypoint.d/teardown
+}
+trap 'teardownEntrypoint' SIGTERM
+runEntrypoints &
+wait $!
+teardownEntrypoint

docker/base/alpine/conf/bin/entrypoint.sh

@@ -1,46 +1,3 @@
 #!/usr/bin/env bash
 
-if [[ -z "$CONTAINER_UID" ]]; then
-    export CONTAINER_UID="application"
-fi
-
-set -o pipefail  # trace ERR through pipes
-set -o errtrace  # trace ERR through 'time command' and other functions
-set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
-set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
-
-# auto elevate privileges (if container is not started as root)
-if [[ "$UID" -ne 0 ]]; then
-    export CONTAINER_UID="$UID"
-    exec gosu root "$0" "$@"
-fi
-# remove suid bit on gosu
-chmod -s /sbin/gosu
-
-trap 'echo sigterm ; exit' SIGTERM
-trap 'echo sigkill ; exit' SIGKILL
-
-# sanitize input and set task
-TASK="$(echo $1| sed 's/[^-_a-zA-Z0-9]*//g')"
-
-source /opt/docker/bin/config.sh
-
-createDockerStdoutStderr
-
-if [[ "$UID" -eq 0 ]]; then
-    # Only run provision if user is root
-
-    if [ "$TASK" == "supervisord" -o "$TASK" == "noop" ]; then
-        # Visible provisioning
-        runProvisionEntrypoint
-    else
-        # Hidden provisioning
-        runProvisionEntrypoint  > /dev/null
-    fi
-fi
-
-#############################
-## COMMAND
-#############################
-
-runEntrypoints "$@"
+exec /opt/docker/bin/entrypoint.d/run.sh "$@"

docker/base/alpine/conf/provision/entrypoint.d/05-gosu.sh

@@ -0,0 +1,2 @@
+# remove suid bit on gosu
+chmod -s /sbin/gosu

docker/base/alpine/conf/provision/entrypoint.d/teardown/05-gosu.sh

@@ -0,0 +1,2 @@
+# add suid bit on gosu
+chmod +s /sbin/gosu

docker/base/centos-7/conf/bin/config.sh

@@ -70,24 +70,18 @@ function deprecationNotice() {
  # Run "entrypoint" scripts
  ##
 function runEntrypoints() {
-    ###############
-    # Try to find entrypoint
-    ###############
-
-    ENTRYPOINT_SCRIPT="/opt/docker/bin/entrypoint.d/${TASK}.sh"
-
-    if [ -f "$ENTRYPOINT_SCRIPT" ]; then
-        . "$ENTRYPOINT_SCRIPT"
+    # try to find entrypoint task script
+    TASK_SCRIPT="/opt/docker/bin/entrypoint.d/${TASK}.sh"
+    if [ ! -f "$TASK_SCRIPT" ]; then
+        # run default
+        TASK_SCRIPT="/opt/docker/bin/entrypoint.d/default.sh"
     fi
 
-    ###############
-    # Run default
-    ###############
-    if [ -f "/opt/docker/bin/entrypoint.d/default.sh" ]; then
-        . /opt/docker/bin/entrypoint.d/default.sh
+    if [ ! -f "$TASK_SCRIPT" ]; then
+        exit 1
     fi
 
-    exit 1
+    . "$TASK_SCRIPT"
 }
 
  # Run "entrypoint" provisioning

docker/base/centos-7/conf/bin/entrypoint.d/run.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+if [[ -z "$CONTAINER_UID" ]]; then
+    export CONTAINER_UID=application
+fi
+
+set -o pipefail # trace ERR through pipes
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o nounset  ## set -u : exit the script if you try to use an uninitialised variable
+set -o errexit  ## set -e : exit the script if any statement returns a non-true return value
+
+. /opt/docker/bin/config.sh
+
+# auto elevate privileges (if container is not started as root)
+if [[ "$UID" -ne 0 ]]; then
+    export CONTAINER_UID="$UID"
+    exec gosu root "$0" "$@"
+fi
+
+createDockerStdoutStderr
+
+# sanitize input and set task
+TASK="$(echo $1 | sed 's/[^-_a-zA-Z0-9]*//g')"
+
+# remove suid bit `chmod -s /sbin/gosu` in provision/entrypoint.d/05-gosu.sh
+if [ "$TASK" == "supervisord" ] || [ "$TASK" == "noop" ]; then
+    # visible provisioning
+    runProvisionEntrypoint
+else
+    # hidden provisioning
+    runProvisionEntrypoint >/dev/null
+fi
+
+# https://stackoverflow.com/questions/41451159/how-to-execute-a-script-when-i-terminate-a-docker-container
+# https://hynek.me/articles/docker-signals/
+function teardownEntrypoint()
+{
+    # restore suid bit `chmod +s /sbin/gosu` in provision/entrypoint.d/teardown/05-gosu.sh
+    echo "Container stopped, performing teardown..."
+    includeScriptDir /opt/docker/provision/entrypoint.d/teardown
+}
+trap 'teardownEntrypoint' SIGTERM
+runEntrypoints &
+wait $!
+teardownEntrypoint

docker/base/centos-7/conf/bin/entrypoint.sh

@@ -1,46 +1,3 @@
 #!/usr/bin/env bash
 
-if [[ -z "$CONTAINER_UID" ]]; then
-    export CONTAINER_UID="application"
-fi
-
-set -o pipefail  # trace ERR through pipes
-set -o errtrace  # trace ERR through 'time command' and other functions
-set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
-set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
-
-# auto elevate privileges (if container is not started as root)
-if [[ "$UID" -ne 0 ]]; then
-    export CONTAINER_UID="$UID"
-    exec gosu root "$0" "$@"
-fi
-# remove suid bit on gosu
-chmod -s /sbin/gosu
-
-trap 'echo sigterm ; exit' SIGTERM
-trap 'echo sigkill ; exit' SIGKILL
-
-# sanitize input and set task
-TASK="$(echo $1| sed 's/[^-_a-zA-Z0-9]*//g')"
-
-source /opt/docker/bin/config.sh
-
-createDockerStdoutStderr
-
-if [[ "$UID" -eq 0 ]]; then
-    # Only run provision if user is root
-
-    if [ "$TASK" == "supervisord" -o "$TASK" == "noop" ]; then
-        # Visible provisioning
-        runProvisionEntrypoint
-    else
-        # Hidden provisioning
-        runProvisionEntrypoint  > /dev/null
-    fi
-fi
-
-#############################
-## COMMAND
-#############################
-
-runEntrypoints "$@"
+exec /opt/docker/bin/entrypoint.d/run.sh "$@"

docker/base/centos-7/conf/provision/entrypoint.d/05-gosu.sh

@@ -0,0 +1,2 @@
+# remove suid bit on gosu
+chmod -s /sbin/gosu

docker/base/centos-7/conf/provision/entrypoint.d/teardown/05-gosu.sh

@@ -0,0 +1,2 @@
+# add suid bit on gosu
+chmod +s /sbin/gosu

docker/base/debian-10/conf/bin/config.sh

@@ -70,24 +70,18 @@ function deprecationNotice() {
  # Run "entrypoint" scripts
  ##
 function runEntrypoints() {
-    ###############
-    # Try to find entrypoint
-    ###############
-
-    ENTRYPOINT_SCRIPT="/opt/docker/bin/entrypoint.d/${TASK}.sh"
-
-    if [ -f "$ENTRYPOINT_SCRIPT" ]; then
-        . "$ENTRYPOINT_SCRIPT"
+    # try to find entrypoint task script
+    TASK_SCRIPT="/opt/docker/bin/entrypoint.d/${TASK}.sh"
+    if [ ! -f "$TASK_SCRIPT" ]; then
+        # run default
+        TASK_SCRIPT="/opt/docker/bin/entrypoint.d/default.sh"
     fi
 
-    ###############
-    # Run default
-    ###############
-    if [ -f "/opt/docker/bin/entrypoint.d/default.sh" ]; then
-        . /opt/docker/bin/entrypoint.d/default.sh
+    if [ ! -f "$TASK_SCRIPT" ]; then
+        exit 1
     fi
 
-    exit 1
+    . "$TASK_SCRIPT"
 }
 
  # Run "entrypoint" provisioning

docker/base/debian-10/conf/bin/entrypoint.d/run.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+if [[ -z "$CONTAINER_UID" ]]; then
+    export CONTAINER_UID=application
+fi
+
+set -o pipefail # trace ERR through pipes
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o nounset  ## set -u : exit the script if you try to use an uninitialised variable
+set -o errexit  ## set -e : exit the script if any statement returns a non-true return value
+
+. /opt/docker/bin/config.sh
+
+# auto elevate privileges (if container is not started as root)
+if [[ "$UID" -ne 0 ]]; then
+    export CONTAINER_UID="$UID"
+    exec gosu root "$0" "$@"
+fi
+
+createDockerStdoutStderr
+
+# sanitize input and set task
+TASK="$(echo $1 | sed 's/[^-_a-zA-Z0-9]*//g')"
+
+# remove suid bit `chmod -s /sbin/gosu` in provision/entrypoint.d/05-gosu.sh
+if [ "$TASK" == "supervisord" ] || [ "$TASK" == "noop" ]; then
+    # visible provisioning
+    runProvisionEntrypoint
+else
+    # hidden provisioning
+    runProvisionEntrypoint >/dev/null
+fi
+
+# https://stackoverflow.com/questions/41451159/how-to-execute-a-script-when-i-terminate-a-docker-container
+# https://hynek.me/articles/docker-signals/
+function teardownEntrypoint()
+{
+    # restore suid bit `chmod +s /sbin/gosu` in provision/entrypoint.d/teardown/05-gosu.sh
+    echo "Container stopped, performing teardown..."
+    includeScriptDir /opt/docker/provision/entrypoint.d/teardown
+}
+trap 'teardownEntrypoint' SIGTERM
+runEntrypoints &
+wait $!
+teardownEntrypoint

docker/base/debian-10/conf/bin/entrypoint.sh

@@ -1,46 +1,3 @@
 #!/usr/bin/env bash
 
-if [[ -z "$CONTAINER_UID" ]]; then
-    export CONTAINER_UID="application"
-fi
-
-set -o pipefail  # trace ERR through pipes
-set -o errtrace  # trace ERR through 'time command' and other functions
-set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
-set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
-
-# auto elevate privileges (if container is not started as root)
-if [[ "$UID" -ne 0 ]]; then
-    export CONTAINER_UID="$UID"
-    exec gosu root "$0" "$@"
-fi
-# remove suid bit on gosu
-chmod -s /sbin/gosu
-
-trap 'echo sigterm ; exit' SIGTERM
-trap 'echo sigkill ; exit' SIGKILL
-
-# sanitize input and set task
-TASK="$(echo $1| sed 's/[^-_a-zA-Z0-9]*//g')"
-
-source /opt/docker/bin/config.sh
-
-createDockerStdoutStderr
-
-if [[ "$UID" -eq 0 ]]; then
-    # Only run provision if user is root
-
-    if [ "$TASK" == "supervisord" -o "$TASK" == "noop" ]; then
-        # Visible provisioning
-        runProvisionEntrypoint
-    else
-        # Hidden provisioning
-        runProvisionEntrypoint  > /dev/null
-    fi
-fi
-
-#############################
-## COMMAND
-#############################
-
-runEntrypoints "$@"
+exec /opt/docker/bin/entrypoint.d/run.sh "$@"

docker/base/debian-10/conf/provision/entrypoint.d/05-gosu.sh

@@ -0,0 +1,2 @@
+# remove suid bit on gosu
+chmod -s /sbin/gosu

docker/base/debian-10/conf/provision/entrypoint.d/teardown/05-gosu.sh

@@ -0,0 +1,2 @@
+# add suid bit on gosu
+chmod +s /sbin/gosu