[misc] narrow down write access/ownership for the run-time user

services/clsi/.dockerignore

@@ -5,4 +5,6 @@ gitrev
 .npm
 .nvmrc
 nodemon.json
+cache/
+compiles/
 db/

services/clsi/Dockerfile

@@ -24,7 +24,7 @@ COPY . /app
 FROM base
 
 COPY --from=app /app /app
-RUN mkdir -p db \
-&&  chown node:node db
+RUN mkdir -p cache compiles db \
+&&  chown node:node cache compiles db
 
 CMD ["node", "--expose-gc", "app.js"]

services/clsi/buildscript.txt

@@ -1,6 +1,6 @@
 clsi
 --acceptance-creds=None
---data-dirs=db
+--data-dirs=cache,compiles,db
 --dependencies=
 --docker-repos=gcr.io/overleaf-ops
 --env-add=

services/clsi/entrypoint.sh

@@ -2,22 +2,21 @@
 
 docker --version >&2
 
+# add the node user to the docker group on the host
 DOCKER_GROUP=$(stat -c '%g' /var/run/docker.sock)
 groupadd --non-unique --gid ${DOCKER_GROUP} dockeronhost
 usermod -aG dockeronhost node
 
-mkdir -p /app/cache
-chown -R node:node /app/cache
+# compatibility: initial volume setup
+chown node:node /app/cache
+chown node:node /app/compiles
+chown node:node /app/db
 
-mkdir -p /app/compiles
-chown -R node:node /app/compiles
-
-chown -R node:node /app/bin/synctex
+# acceptance tests
 mkdir -p /app/test/acceptance/fixtures/tmp/
-chown -R node:node /app
-
-chown -R node:node /app/bin
+chown -R node:node /app/test/acceptance/fixtures
 
+# make synctex available for remount in compiles
 cp /app/bin/synctex /app/bin/synctex-mount/synctex
 
 exec runuser -u node -- "$@"