author | Chris <github.account@chrigel.net> | 2018-02-23 18:11:22 +0100 |
---|---|---|
committer | Chris <github.account@chrigel.net> | 2018-02-23 18:11:22 +0100 |
commit | bf75ba7a667aba1693af4f6cda9c80481c186a2b (patch) | |
tree | 546503b38c6c1b773ecc5e91a1669e64c6528bfc /Dockerfile.alpine | |
parent | 19a10536563fe35ebe3e6d481936b06ffe4f9156 (diff) |
Alpine docker image improvements and hardening
Diffstat (limited to 'Dockerfile.alpine')
-rw-r--r-- | Dockerfile.alpine | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
index 3fe5ac0ea9..1f80d5b28a 100644
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -13,14 +13,17 @@ WORKDIR /opt/netdata.git
 # Install source
 RUN chmod +x ./netdata-installer.sh && \
     sync && sleep 1 && \
-    ./netdata-installer.sh --dont-wait --dont-start-it
+    ./netdata-installer.sh --dont-wait --dont-start-it && \
+    sync && sleep 1 && \
+# Compile fping
+    /usr/libexec/netdata/plugins.d/fping.plugin install
 
 ################################################################################
 FROM alpine:edge
 
 # Reinstall some prerequisites
 RUN apk --no-cache add lm_sensors nodejs libuuid python py-mysqldb \
-    py-psycopg2 py-yaml netcat-openbsd jq
+    py-psycopg2 py-yaml netcat-openbsd jq curl
 
 # Copy files over
 COPY --from=builder /usr/share/netdata /usr/share/netdata
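Review bot: The new `fping.plugin install` step is the only place fping enters the image, and nothing in this hunk pins a version or verifies a checksum — from the Dockerfile alone it is not visible what the plugin's install routine fetches or from where, and if it downloads a source tarball over the network that is an unverified supply-chain input that ends up setuid root in the final image (the `chmod 4750` in the next hunk). Either confirm the plugin's install path pins a release and checks a digest, or fetch fping explicitly here with a pinned version and a `sha256sum -c` check before invoking the plugin. Separately, `curl` is added to the runtime `apk add` list; if it is only needed at build time, keep it in the builder stage so the final image does not ship a general-purpose network client alongside setuid helpers.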
@@ -29,9 +32,25 @@ COPY --from=builder /var/cache/netdata /var/cache/netdata
 COPY --from=builder /var/lib/netdata /var/lib/netdata
 COPY --from=builder /usr/sbin/netdata /usr/sbin/netdata
 COPY --from=builder /etc/netdata /etc/netdata
-
-# Link log files to stdout
-RUN mkdir -p /var/log/netdata && \
+COPY --from=builder /usr/local/bin/fping /usr/local/bin/fping
+
+ARG NETDATA_UID=101
+ARG NETDATA_GID=101
+
+RUN \
+    mkdir -p /var/log/netdata && \
+    # Add netdata user
+    addgroup -g ${NETDATA_GID} -S netdata && \
+    adduser -S -H -s /bin/sh -u ${NETDATA_GID} -h /etc/netdata -G netdata netdata && \
+    # Apply the permissions as described in
+    # https://github.com/firehol/netdata/wiki/netdata-security#netdata-directories
+    find /usr/share/netdata -type f -exec chmod 0644 -- {} + && \
+    chown -R root:netdata /usr/share/netdata /etc/netdata && \
+    chown -R netdata:netdata /var/cache/netdata /var/lib/netdata && \
+    chown root:netdata /usr/libexec/netdata/plugins.d/apps.plugin /usr/libexec/netdata/plugins.d/cgroup-network && \
+    chmod 4750 /usr/libexec/netdata/plugins.d/cgroup-network /usr/libexec/netdata/plugins.d/apps.plugin /usr/local/bin/fping && \
+    chmod 0750 /var/lib/netdata /var/cache/netdata && \
+    # Link log files to stdout
     ln -sf /dev/stdout /var/log/netdata/access.log && \
     ln -sf /dev/stdout /var/log/netdata/debug.log && \
     ln -sf /dev/stderr /var/log/netdata/error.log
@@ -39,3 +58,5 @@ RUN mkdir -p /var/log/netdata && \
 
 EXPOSE 19999
 CMD [ "/usr/sbin/netdata" , "-D", "-s", "/host", "-p", "19999"]
+
+USER netdata:netdata
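Review bot: `adduser ... -u ${NETDATA_GID}` passes the group id as the user id, so `NETDATA_UID` is declared but never used and the two build args are silently tied together; the line should read `adduser -S -H -s /sbin/nologin -u ${NETDATA_UID} -h /etc/netdata -G netdata netdata` (the `/sbin/nologin` shell is a small extra hardening for a service account that never needs an interactive shell). The `chmod 4750` on `/usr/local/bin/fping` also looks incomplete: the preceding `chown root:netdata` covers only apps.plugin and cgroup-network, and a `COPY --from` without `--chown` normally yields root:root, in which case mode 4750 leaves the `netdata` user with no execute bit on a setuid-root binary — add `/usr/local/bin/fping` to that `chown root:netdata` line, or verify the copied binary's group before relying on it. Worth a comment above the `chmod 4750` line stating that these three helpers are intentionally setuid root and why (the wiki link explains the plugins, not fping).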
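Review bot: With `USER netdata:netdata` in effect the process no longer owns `/var/log/netdata`: the directory is created by root in the RUN of the previous hunk and never chowned, so appending through the existing `/dev/stdout` and `/dev/stderr` symlinks should still work, but creating or rotating a file in that directory will fail with EACCES. If netdata does anything beyond writing to those three paths — I cannot tell from this Dockerfile — add `chown root:netdata /var/log/netdata && chmod 0770 /var/log/netdata` to that RUN chain (its lines are outside this hunk).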