Optimize how much data needs to be `chown`/`chmod`ed on container startup (#7793)

* Optimize how much data needs to be `chown`/`chmod`ed on container startup

This works around an issue where `chmod`/`chown` operations inside a
container can be extremely slow when using the `overlay2` storage
driver, resulting in 10min+ container startup times.

It modifies the owner of the webapp when building the container so that
only the `data` and `extensions` directories (which are commonly mapped
as volumes into the container) have to be modified by the
`access-permissions.sh` script at container startup.

When not running via docker the behaviour of the `access-permissions.sh`
script is unchanged.

* Take DATA_PATH environment variable into account when fixing permissions

* Revert change to using bash for arrays

(the alpine image doesn't include `bash`)

* A few more improvements

* Slightly tweak reapply permissions variable

- lowercase to indicate it's not an env variable
- use 0/1 to address potentially-irrational paranoia about unset variables

* Remove conditional logic to skip reapplying permissions

Also documents why in a comment so it's not missed in the future.

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

Docker/Dockerfile

@@ -16,7 +16,7 @@ RUN apt-get update && \
 RUN mkdir -p /var/www/FreshRSS/ /run/apache2/
 WORKDIR /var/www/FreshRSS
 
-COPY . /var/www/FreshRSS
+COPY --chown=root:www-data . /var/www/FreshRSS
 COPY ./Docker/*.Apache.conf /etc/apache2/sites-available/
 
 ARG FRESHRSS_VERSION

Docker/Dockerfile-Alpine

@@ -13,7 +13,7 @@ RUN apk add --no-cache \
 RUN mkdir -p /var/www/FreshRSS /run/apache2/
 WORKDIR /var/www/FreshRSS
 
-COPY . /var/www/FreshRSS
+COPY --chown=root:www-data . /var/www/FreshRSS
 COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/
 
 ARG FRESHRSS_VERSION

Docker/Dockerfile-Newest

@@ -14,7 +14,7 @@ RUN echo 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/reposit
 RUN mkdir -p /var/www/FreshRSS /run/apache2/
 WORKDIR /var/www/FreshRSS
 
-COPY . /var/www/FreshRSS
+COPY --chown=root:www-data . /var/www/FreshRSS
 COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/
 
 ARG FRESHRSS_VERSION

Docker/Dockerfile-Oldest

@@ -13,7 +13,7 @@ RUN apk add --no-cache \
 RUN mkdir -p /var/www/FreshRSS /run/apache2/
 WORKDIR /var/www/FreshRSS
 
-COPY . /var/www/FreshRSS
+COPY --chown=root:www-data . /var/www/FreshRSS
 COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/
 
 ARG FRESHRSS_VERSION

Docker/entrypoint.sh

@@ -45,7 +45,7 @@ if [ -n "$CRON_MIN" ]; then
 		-r "s#^[^ ]+ #$CRON_MIN #" | crontab -
 fi
 
-./cli/access-permissions.sh
+./cli/access-permissions.sh --only-userdirs
 
 php -f ./cli/prepare.php >/dev/null
 
@@ -82,6 +82,8 @@ if [ -n "$FRESHRSS_USER" ]; then
 	fi
 fi
 
-./cli/access-permissions.sh
+# Fix permissions of data added by prepare.php as well as a potential
+# installation/user setup
+./cli/access-permissions.sh --only-userdirs
 
 exec "$@"

cli/access-permissions.sh

@@ -11,12 +11,22 @@ if [ "$(id -u)" -ne 0 ]; then
 	exit 3
 fi
 
+# Always fix permissions on the data and extensions directories
+# If specified, only fix the data and extensions directories
+data_path="${DATA_PATH:-./data}"
+if [ "${1:-}" = "--only-userdirs" ]; then
+	to_update="./extensions"
+else
+	to_update="."
+fi
+
+mkdir -p "${data_path}/users/_/"
+
 # Based on group access
-chown -R :www-data .
+chown -R :www-data "$data_path" "$to_update"
 
 # Read files, and directory traversal
-chmod -R g+rX .
+chmod -R g+rX "$data_path" "$to_update"
 
-# Write access
-mkdir -p ./data/users/_/
-chmod -R g+w ./data/
+# Write access to data
+chmod -R g+w "$data_path"