From d6bff604beaa94925b9a0a6dc69e72b51068b9c8 Mon Sep 17 00:00:00 2001
From: MCJ Vasseur <14887731+vmcj@users.noreply.github.com>
Date: Fri, 2 Aug 2024 13:10:00 +0200
Subject: [PATCH 1/3] Use composer from distribution
---
 docker/domserver/Dockerfile | 14 ++------------
 docker/judgehost/Dockerfile.build | 8 +-------
 2 files changed, 3 insertions(+), 19 deletions(-)
diff --git a/docker/domserver/Dockerfile b/docker/domserver/Dockerfile
index 04e87ddd..01c8c490 100644
--- a/docker/domserver/Dockerfile
+++ b/docker/domserver/Dockerfile
@@ -7,7 +7,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update \
 && apt-get install --no-install-recommends --no-install-suggests -y \
 autoconf automake git pkg-config \
- gcc g++ make acl zip unzip \
+ gcc g++ make acl zip unzip composer \
 php-cli php-zip php-bcmath \
 php-gd php-curl php-mysql php-json php-intl \
 php-gmp php-xml php-mbstring \
@@ -25,11 +25,6 @@ RUN python3 -m venv /venv && . /venv/bin/activate && pip3 install sphinx sphinx-rtd-theme rst2pdf
 # Set up user
 RUN useradd -m domjudge
-# Install composer
-RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
- && php composer-setup.php \
- && mv /composer.phar /usr/local/bin/composer
-
 # Add DOMjudge source code and build script
 ADD domjudge.tar.gz /domjudge-src
 COPY domserver/build.sh /domjudge-src/build.sh
@@ -58,18 +53,13 @@ RUN useradd -m domjudge
 RUN apt-get update \
 && apt-get install --no-install-recommends --no-install-suggests -y \
 acl curl zip unzip supervisor mariadb-client pv apache2-utils \
- nginx php-cli php-fpm php-zip php-bcmath \
+ nginx php-cli php-fpm php-zip php-bcmath composer \
 php-gd php-curl php-mysql php-json php-intl \
 php-gmp php-xml php-mbstring php-ldap \
 enscript lpr \
 ca-certificates python3-yaml python3-requests \
 && rm -rf /var/lib/apt/lists/*
-# Install composer
-RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
- && php composer-setup.php \
- && mv /composer.phar /usr/local/bin/composer
-
 # Copy domserver
 COPY --from=domserver-build /opt/domjudge/domserver /opt/domjudge/domserver
 COPY --from=domserver-build /opt/domjudge/doc /opt/domjudge/doc
diff --git a/docker/judgehost/Dockerfile.build b/docker/judgehost/Dockerfile.build
index 716dda59..93f27b00 100644
--- a/docker/judgehost/Dockerfile.build
+++ b/docker/judgehost/Dockerfile.build
@@ -10,7 +10,7 @@ RUN apt-get update \
 gcc g++ make zip unzip \
 php-cli php-zip lsb-release debootstrap \
 php-gd php-curl php-mysql php-json \
- php-gmp php-xml php-mbstring \
+ php-gmp php-xml php-mbstring composer \
 sudo bsdmainutils ntp libcgroup-dev procps \
 libcurl4-gnutls-dev libjsoncpp-dev libmagic-dev \
 ca-certificates \
@@ -19,12 +19,6 @@ RUN apt-get update \
 # Set up user
 RUN useradd -m domjudge
-# Install composer
-
-RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
- && php composer-setup.php \
- && mv /composer.phar /usr/local/bin/composer
-
 # Add DOMjudge source code and build script
 ADD domjudge.tar.gz /domjudge-src
 ADD judgehost/build.sh /domjudge-src
From 79cdae746f808e8aa85580a5549c37cc60f1a445 Mon Sep 17 00:00:00 2001
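Review bot: In docker/domserver/Dockerfile the `@@ -58,18 +53,13 @@` hunk adds `composer` to the package list of the stage that receives `COPY --from=domserver-build`, which looks like the runtime image, so a tool whose job is to download and run PHP packages ships in the served container together with its own dependencies. If nothing at run time invokes it (the start-up scripts are not visible here), drop it from this list and keep it only in the build stage; if something does, record that with a comment such as `# composer is needed at run time by <script>`. The package is also installed unpinned, so its version now follows whatever the base image release carries.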
From: MCJ Vasseur <14887731+vmcj@users.noreply.github.com>
Date: Fri, 2 Aug 2024 13:09:58 +0200
Subject: [PATCH 2/3] Create the user first to get the expected uid
---
 docker/domserver/Dockerfile | 6 +++---
 docker/judgehost/Dockerfile.build | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/docker/domserver/Dockerfile b/docker/domserver/Dockerfile
index 01c8c490..fd20a7df 100644
--- a/docker/domserver/Dockerfile
+++ b/docker/domserver/Dockerfile
@@ -3,6 +3,9 @@ LABEL org.opencontainers.image.authors="DOMjudge team "
 ENV DEBIAN_FRONTEND=noninteractive
+# Set up user
+RUN useradd -m domjudge
+
 # Install required packages for build of domserver
 RUN apt-get update \
 && apt-get install --no-install-recommends --no-install-suggests -y \
@@ -22,9 +25,6 @@ RUN apt-get update \
 # Use venv to install latest Sphinx. 6.1.0 or higher is required to build DOMjudge docs.
 RUN python3 -m venv /venv && . /venv/bin/activate && pip3 install sphinx sphinx-rtd-theme rst2pdf
-# Set up user
-RUN useradd -m domjudge
-
 # Add DOMjudge source code and build script
 ADD domjudge.tar.gz /domjudge-src
 COPY domserver/build.sh /domjudge-src/build.sh
diff --git a/docker/judgehost/Dockerfile.build b/docker/judgehost/Dockerfile.build
index 93f27b00..c8c68f22 100644
--- a/docker/judgehost/Dockerfile.build
+++ b/docker/judgehost/Dockerfile.build
@@ -3,6 +3,9 @@ LABEL org.opencontainers.image.authors="DOMjudge team "
 ENV DEBIAN_FRONTEND=noninteractive
+# Set up user
+RUN useradd -m domjudge
+
 # Install required packages for build of judgehost
 RUN apt-get update \
 && apt-get install --no-install-recommends --no-install-suggests -y \
@@ -16,9 +19,6 @@ RUN apt-get update \
 ca-certificates \
 && rm -rf /var/lib/apt/lists/*
-# Set up user
-RUN useradd -m domjudge
-
 # Add DOMjudge source code and build script
 ADD domjudge.tar.gz /domjudge-src
 ADD judgehost/build.sh /domjudge-src
From 5b31860d1dbfce09f31d97abca327e9d1414753c Mon Sep 17 00:00:00 2001
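Review bot: `RUN useradd -m domjudge` in the `@@ -3,6 +3,9 @@` hunk of docker/domserver/Dockerfile, and in the same hunk of docker/judgehost/Dockerfile.build, still lets useradd pick the next free UID and GID, so the "expected uid" holds only while the base image has no earlier regular user and this line stays above every package install. Passing the ID explicitly makes the ownership carried by the later `COPY --from` and by the tar archives independent of instruction order, for example `ARG DOMJUDGE_UID=<uid>` followed by `RUN useradd -m -u "${DOMJUDGE_UID}" domjudge` (placeholder value, to be repeated in every stage that creates the user). A fixed numeric ID also gives an orchestrator's non-root policy a known number to check against.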
From: MCJ Vasseur <14887731+vmcj@users.noreply.github.com>
Date: Fri, 2 Aug 2024 13:10:01 +0200
Subject: [PATCH 3/3] Set the user/group to well known id
---
 docker/domserver/Dockerfile | 8 ++++++++
 docker/judgehost/Dockerfile | 9 +++++++++
 2 files changed, 17 insertions(+)
diff --git a/docker/domserver/Dockerfile b/docker/domserver/Dockerfile
index fd20a7df..a50a48fc 100644
--- a/docker/domserver/Dockerfile
+++ b/docker/domserver/Dockerfile
@@ -60,6 +60,14 @@ RUN apt-get update \
 ca-certificates python3-yaml python3-requests \
 && rm -rf /var/lib/apt/lists/*
+# Check the UID and GID of the domjudge user are the same as in the previous build stage
+# (otherwise the COPY directives below won't set the correct ownership)
+COPY --from=domserver-build /etc/passwd /tmp/domserver-build-etc-passwd
+RUN sed -i -n '/^domjudge:/p' /tmp/domserver-build-etc-passwd \
+ && sed -n '/^domjudge:/p' /etc/passwd | diff /tmp/domserver-build-etc-passwd - \
+ || { echo "error: UID/GID of 'domjudge' differ from previous build stage; they must be the same for COPY to work" >&2; exit 1; } \
+ && rm /tmp/domserver-build-etc-passwd
+
 # Copy domserver
 COPY --from=domserver-build /opt/domjudge/domserver /opt/domjudge/domserver
 COPY --from=domserver-build /opt/domjudge/doc /opt/domjudge/doc
diff --git a/docker/judgehost/Dockerfile b/docker/judgehost/Dockerfile
index bda39f01..aac8795a 100644
--- a/docker/judgehost/Dockerfile
+++ b/docker/judgehost/Dockerfile
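Review bot: The `COPY --from=domserver-build /etc/passwd /tmp/domserver-build-etc-passwd` in the `@@ -60,6 +60,14 @@` hunk of docker/domserver/Dockerfile commits the build stage's whole passwd file to a layer of its own, and the `rm` at the end of the following `RUN` only masks it in a later layer, so the file stays in the shipped image. The check also passes when neither file has a `domjudge:` line, because both `sed` outputs are then empty and `diff` sees no difference. Reading the file through a bind mount and comparing only the UID and GID fields, with an explicit non-empty test, removes both problems; this assumes the images are built with BuildKit, which the visible lines do not show, and it narrows the comparison from the whole passwd entry to the two IDs the comment names.

```dockerfile
# … unchanged: the two comment lines above the check …
RUN --mount=type=bind,from=domserver-build,source=/etc/passwd,target=/tmp/domserver-build-etc-passwd \
    build_ids="$(awk -F: '$1 == "domjudge" { print $3 ":" $4 }' /tmp/domserver-build-etc-passwd)" \
 && [ -n "$build_ids" ] \
 && [ "$build_ids" = "$(id -u domjudge):$(id -g domjudge)" ] \
 || { echo "error: UID/GID of 'domjudge' differ from previous build stage; they must be the same for COPY to work" >&2; exit 1; }
```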
@@ -28,6 +28,15 @@ ADD chroot.tar.gz /
 ADD judgehost.tar.gz /
 RUN cp /opt/domjudge/judgehost/etc/sudoers-domjudge /etc/sudoers.d/
+# Check that the ownership of some well-known directory is correctly set to "domjudge"
+# (the ownership will be incorrect if the UID is different in the .tar.gz archives from the previous build stage, added above)
+RUN current_uid="$(id -u domjudge)" \
+ && archive_uid="$(stat -c %u /opt/domjudge/judgehost/run)" \
+ && [ "$current_uid" = "$archive_uid" ] \
+ || { echo "error: expected owner UID of /opt/domjudge/judgehost/run to be $current_uid (domjudge), but it is $archive_uid ($(id -un "$archive_uid" || echo no such user))" >&2; \
+ echo "hint: check that the UID of user 'domjudge' is the same in both build stages" >&2; \
+ exit 1; }
+
 # Add scripts
 COPY judgehost/scripts /scripts/
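Review bot: The added check in docker/judgehost/Dockerfile compares only the owner UID of `/opt/domjudge/judgehost/run`, although the commit subject speaks of user and group, so a GID that differs between the archives and this stage goes unnoticed. If that directory is meant to be group-owned by `domjudge` as well (not visible here), add `&& [ "$(id -g domjudge)" = "$(stat -c %g /opt/domjudge/judgehost/run)" ] \` before the `||`. When `id -u domjudge` itself fails, the same error branch runs with both variables empty, which makes the message misleading; a comment above the `RUN` such as `# a missing 'domjudge' user also ends in the error branch below` would save the reader of a build log some time.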