From e6a1a1c129681d50a845b5a79b9355b28350ec09 Mon Sep 17 00:00:00 2001
From: Max Schmitt
Date: Thu, 8 Oct 2020 20:53:07 +0200
Subject: [PATCH] fix(docker): add again pwuser (#3899)
In version 1.4 we introduced a breaking change for the Docker behaviour since we removed the pwuser completely. In this PR I add this user again and create a symlink so that root uses the browser of the pwuser. This has also the benefit, that the users who wants to use the seccomp profile that they don't have to create this user. Reference: https://playwright.slack.com/archives/CSUHZPVLM/p1600240776120400 Tested on root and on pwuser. Works. References #4084
---
 docs/docker/Dockerfile.bionic | 13 ++++++++++---
 docs/docker/README.md | 3 +--
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/docs/docker/Dockerfile.bionic b/docs/docker/Dockerfile.bionic
index c728e78386..5408cd149c 100644
--- a/docs/docker/Dockerfile.bionic
+++ b/docs/docker/Dockerfile.bionic
@@ -61,6 +61,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 RUN apt-get update && apt-get install -y --no-install-recommends git ssh && \
 npm install -g yarn
+# 9. Create the pwuser (we internally create a symlink for the pwuser and the root user)
+RUN adduser pwuser
+
 # === BAKE BROWSERS INTO IMAGE ===
 # 1. Add tip-of-tree Playwright package to install its browsers.
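Review bot: `RUN adduser pwuser` in step 9 leaves the account's UID/GID to whatever the base image allocates next, and it appears to rely on adduser's password and GECOS prompts falling through in a non-interactive build. Pinning the identity and skipping the prompts makes the account predictable for bind-mount ownership and for runtimes that verify a numeric non-root user, e.g. `RUN adduser --disabled-password --gecos "" --uid <UID> pwuser` (UID is a placeholder to choose). The visible lines add no `USER` instruction, so the image presumably still starts as root and the unprivileged path depends on callers passing `--user pwuser`. The step-9 comment could say that directly, for instance `# 9. Create pwuser, an unprivileged account for running browsers; the image still starts as root unless --user pwuser is given`.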
@@ -68,7 +71,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends git ssh && \
 COPY ./playwright.tar.gz /tmp/playwright.tar.gz
 # 2. Install playwright and then delete the installation.
-# Browsers will remain downloaded in `/root/.cache/ms-playwright`.
-RUN mkdir /tmp/pw && cd /tmp/pw && npm init -y && \
- npm i /tmp/playwright.tar.gz && \
+# Browsers will remain downloaded in `/home/pwuser/.cache/ms-playwright`.
+RUN su pwuser -c "mkdir /tmp/pw && cd /tmp/pw && npm init -y && \
+ npm i /tmp/playwright.tar.gz" && \
 rm -rf /tmp/pw && rm /tmp/playwright.tar.gz
+
+# 3. Symlink downloaded browsers for root user
+RUN mkdir /root/.cache/ && \
+ ln -s /home/pwuser/.cache/ms-playwright/ /root/.cache/ms-playwright
diff --git a/docs/docker/README.md b/docs/docker/README.md
index 39ee56c255..02ab703ab0 100644
--- a/docs/docker/README.md
+++ b/docs/docker/README.md
@@ -48,7 +48,7 @@ docker run -it --rm --ipc=host mcr.microsoft.com/playwright:bionic /bin/bash
 On untrusted websites, it's recommended to use a separate user for launching the browsers in combination with the seccomp profile. Inside the container or if you are using the Docker image as a base image you have to use `adduser` for it.
 ```
-$ docker run -it --rm --ipc=host --security-opt seccomp=seccomp_profile.json mcr.microsoft.com/playwright:bionic /bin/bash
+$ docker run -it --rm --ipc=host --user pwuser --security-opt seccomp=seccomp_profile.json mcr.microsoft.com/playwright:bionic /bin/bash
 ```
 [`seccomp_profile.json`](seccomp_profile.json) is needed to run Chromium with sandbox. This is
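Review bot: The step-3 symlink in Dockerfile.bionic points root's browser cache at `/home/pwuser/.cache/ms-playwright`, a tree that pwuser owns and can rewrite because the install now runs under `su pwuser -c`. The README steers people to pwuser for untrusted sites, so a process compromised under that account could replace a browser binary that a later root session in the same container or in a derived image executes. Changing ownership of the tree alone would not settle it, since the parent `.cache` directory stays writable by pwuser. Installing once as root into a root-owned directory outside both homes, readable and executable but not writable by pwuser, removes the symlink and the cross-user trust, e.g. `ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright` before the install `RUN` (path chosen for illustration). If the symlink stays, `mkdir -p /root/.cache` avoids a build failure should an earlier root step already have created that directory.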
@@ -73,7 +73,6 @@ a [default Docker seccomp profile](https://github.com/docker/engine/blob/d0d99b0
 > **NOTE**: Using `--ipc=host` is recommended when using Chrome ([Docker docs](https://docs.docker.com/engine/reference/run/#ipc-settings---ipc)). Chrome can run out of memory without this flag.
-Since the seccomp profile is now in use, you have to create a separate user with `adduser pwuser` which you use to run your browsers with Playwright.
 ### Using on CI