From 27c58418e4c7df3420885ba5bc56b167f5f78702 Mon Sep 17 00:00:00 2001
From: Chris
Date: Wed, 18 Dec 2019 14:01:28 +0100
Subject: Make the docker image to run as arbitrary user (#6543)

In container runtime with arbitrary user (e.g. Openshift) there are permission problems when trying to start
---
 packaging/docker/Dockerfile | 22 +++++++++++++++-------
 packaging/docker/run.sh | 2 +-
 2 files changed, 16 insertions(+), 8 deletions(-)
 (limited to 'packaging')
diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile
index 4be2d93b20..f9f3e73095 100644
--- a/packaging/docker/Dockerfile
+++ b/packaging/docker/Dockerfile
@@ -74,13 +74,21 @@ RUN \
 addgroup -g ${NETDATA_GID} -S "${DOCKER_GRP}" && \
 adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_GID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}" && \
 # Apply the permissions as described in
- # https://github.com/netdata/netdata/wiki/netdata-security#netdata-directories
- chown -R root:netdata /etc/netdata && \
- chown -R netdata:netdata /var/cache/netdata /var/lib/netdata /usr/share/netdata && \
- chown -R root:netdata /usr/lib/netdata && \
- chown -R root:netdata /usr/libexec/netdata/ && \
- chmod 4750 /usr/libexec/netdata/plugins.d/cgroup-network /usr/libexec/netdata/plugins.d/apps.plugin && \
- chmod 0750 /var/lib/netdata /var/cache/netdata && \
+ # https://docs.netdata.cloud/docs/netdata-security/#netdata-directories, but own everything by root group due to https://github.com/netdata/netdata/pull/6543
+ chown -R root:root \
+ /etc/netdata \
+ /usr/share/netdata \
+ /usr/libexec/netdata && \
+ chown -R netdata:root \
+ /usr/lib/netdata \
+ /var/cache/netdata \
+ /var/lib/netdata \
+ /var/log/netdata && \
+ chmod 0755 /usr/libexec/netdata/plugins.d/*.plugin && \
+ chmod 4755 /usr/libexec/netdata/plugins.d/cgroup-network /usr/libexec/netdata/plugins.d/apps.plugin && \
+ # Group write permissions due to: https://github.com/netdata/netdata/pull/6543chmod 0770 -R /var/lib/netdata /var/cache/netdata && \
+ find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \
+ find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \
 # Link log files to stdout
 ln -sf /dev/stdout /var/log/netdata/access.log && \
 ln -sf /dev/stdout /var/log/netdata/debug.log && \
diff --git a/packaging/docker/run.sh b/packaging/docker/run.sh
index f4377d4583..e2fedd0eac 100755
--- a/packaging/docker/run.sh
+++ b/packaging/docker/run.sh
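Review bot: The added line `# Group write permissions due to: https://github.com/netdata/netdata/pull/6543chmod 0770 -R /var/lib/netdata /var/cache/netdata && \` has swallowed a `chmod 0770 -R …` into the comment — the hunk's +21 count confirms it is a single line — so Docker strips the whole line as a comment and that chmod never runs. The two `find … -exec chmod` lines that follow already apply 0770/0660, so the fix is to drop the dead text and end the comment at the URL, `# Group write permissions due to: https://github.com/netdata/netdata/pull/6543`. Separately, the setuid-root helpers go from `chmod 4750` to `chmod 4755`: they are now owned root:root and the rest of the hunk already relies on the arbitrary UID carrying GID 0 (that is why the state directories get group-write), so `chmod 4750` on root:root would serve that UID without making the setuid-root binaries executable by every other user in the image. Also, /usr/lib/netdata moves from root:netdata to netdata:root; if that tree holds code or configuration the daemon loads (the old root ownership suggests it does), the service account can now modify what it executes, which is worth confirming against the linked security docs before accepting. The RUN instruction this hunk sits in starts and ends outside the hunk.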
@@ -20,6 +20,6 @@ if [ -n "${PGID}" ]; then
 usermod -a -G ${PGID} ${DOCKER_USR} || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
 fi
-exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_PORT}" "$@"
+exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_PORT}" -W set web "web files group" root -W set web "web files owner" root "$@"
 echo "Netdata entrypoint script, completed!"
--
cgit v1.2.3
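Review bot: The new `-W set web "web files group" root -W set web "web files owner" root` arguments on the exec line encode an assumption made in the Dockerfile of this same commit (presumably that the web tree under /usr/share/netdata is now chowned root:root), but nothing at the call site says so, and the two files will drift apart silently if either side changes. A one-line comment above the exec would pin the coupling, e.g. `# Web files are owned root:root in the image (see packaging/docker/Dockerfile); tell netdata so it accepts them.` Since the overrides sit before `"$@"`, a caller can still override them from the container command line, which looks intended and is worth stating in the same comment. The `if` block at the top of the hunk begins outside it.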