authorChris <github.account@chrigel.net>2019-12-18 14:01:28 +0100
committerAustin S. Hemmelgarn <austin@netdata.cloud>2019-12-18 08:01:28 -0500
commit27c58418e4c7df3420885ba5bc56b167f5f78702 (patch)
treeed68fc383814328f3500d3516a09adec3080e022 /packaging
parentba683c392b2074ce87f32674f29f5cd7c015a9a1 (diff)
Make the docker image to run as arbitrary user (#6543)
In container runtimes that run the image as an arbitrary user (e.g. OpenShift), there are permission problems when trying to start netdata.
Diffstat (limited to 'packaging')
-rw-r--r--packaging/docker/Dockerfile22
-rwxr-xr-xpackaging/docker/run.sh2
2 files changed, 16 insertions, 8 deletions
diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile
index 4be2d93b20..f9f3e73095 100644
--- a/packaging/docker/Dockerfile
+++ b/packaging/docker/Dockerfile
@@ -74,13 +74,21 @@ RUN \
addgroup -g ${NETDATA_GID} -S "${DOCKER_GRP}" && \
adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_GID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}" && \
# Apply the permissions as described in
- # https://github.com/netdata/netdata/wiki/netdata-security#netdata-directories
- chown -R root:netdata /etc/netdata && \
- chown -R netdata:netdata /var/cache/netdata /var/lib/netdata /usr/share/netdata && \
- chown -R root:netdata /usr/lib/netdata && \
- chown -R root:netdata /usr/libexec/netdata/ && \
- chmod 4750 /usr/libexec/netdata/plugins.d/cgroup-network /usr/libexec/netdata/plugins.d/apps.plugin && \
- chmod 0750 /var/lib/netdata /var/cache/netdata && \
+ # https://docs.netdata.cloud/docs/netdata-security/#netdata-directories, but own everything by root group due to https://github.com/netdata/netdata/pull/6543
+ chown -R root:root \
+ /etc/netdata \
+ /usr/share/netdata \
+ /usr/libexec/netdata && \
+ chown -R netdata:root \
+ /usr/lib/netdata \
+ /var/cache/netdata \
+ /var/lib/netdata \
+ /var/log/netdata && \
+ chmod 0755 /usr/libexec/netdata/plugins.d/*.plugin && \
+ chmod 4755 /usr/libexec/netdata/plugins.d/cgroup-network /usr/libexec/netdata/plugins.d/apps.plugin && \
+ # Group write permissions due to: https://github.com/netdata/netdata/pull/6543chmod 0770 -R /var/lib/netdata /var/cache/netdata && \
+ find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \
+ find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \
# Link log files to stdout
ln -sf /dev/stdout /var/log/netdata/access.log && \
ln -sf /dev/stdout /var/log/netdata/debug.log && \
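Review bot: `chmod 4755` on cgroup-network and apps.plugin turns two setuid-root helpers from group-restricted (the old 4750, netdata group only) into executable by every UID in the container; the widening is forced because an arbitrary UID is in no group that also covers the normal `netdata` run, but that trade-off is not recorded anywhere, so add `# 4755, not 4750: an arbitrary UID belongs to no predictable group, so the setuid helpers must be world-executable` above the chmod. If these plugins can run with file capabilities instead of setuid (netdata's installer appears to have a setcap path — confirm), a `setcap` on the two binaries would avoid handing full root to any caller. Separately, the comment on the `# Group write permissions due to: ...` line has `chmod 0770 -R /var/lib/netdata /var/cache/netdata && \` fused onto the URL; since the line starts with `#` the Dockerfile parser drops it, so that chmod never runs, the two `find` lines below do the real work, and the stray text should be removed so it is not mistaken for a live command. The `RUN` instruction begins and ends outside this hunk.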
diff --git a/packaging/docker/run.sh b/packaging/docker/run.sh
index f4377d4583..e2fedd0eac 100755
--- a/packaging/docker/run.sh
+++ b/packaging/docker/run.sh
@@ -20,6 +20,6 @@ if [ -n "${PGID}" ]; then
usermod -a -G ${PGID} ${DOCKER_USR} || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
fi
-exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_PORT}" "$@"
+exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_PORT}" -W set web "web files group" root -W set web "web files owner" root "$@"
echo "Netdata entrypoint script, completed!"
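Review bot: The hard-coded `root` in `-W set web "web files owner" root -W set web "web files group" root` silently couples run.sh to the Dockerfile's `chown -R root:root /usr/share/netdata`; if either side drifts, netdata will refuse to serve its dashboard, so record the dependency with a comment above the exec: `# /usr/share/netdata is owned root:root in the Dockerfile (arbitrary-UID support); tell netdata so it still serves the web files`. Because the new options precede `"$@"`, whether a caller-supplied `-W set web ...` can still override them depends on how netdata treats a repeated `-W set` — worth confirming. When the container starts as a non-root arbitrary UID, `-u "${DOCKER_USR}"` cannot be honoured (no privilege to switch users) and the `usermod` above only echoes its failure; presumably netdata just warns, but skipping `-u` when `id -u` is non-zero would make that path explicit rather than noisy.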