Merge pull request #13 from Granulate/feature/run-all-as-non-root

run all as non root
Granulate · Feb 26, 2024 · 7211e29 · 7211e29
2 parents dcfc976 + 91226f0
commit 7211e29
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 2 deletions.
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
@@ -102,6 +102,7 @@ services:
 
   # ---
   agents-logs-backend:
+    user: "888:888"
     build:
       context: ../src
       dockerfile: gprofiler_logging/Dockerfile
@@ -121,6 +122,7 @@ services:
 
   # ---
   periodic-tasks:
+    user: "888:888"
     build:
       context: periodic_tasks
       dockerfile: Dockerfile

diff --git a/deploy/periodic_tasks/Dockerfile b/deploy/periodic_tasks/Dockerfile
@@ -1,6 +1,6 @@
 FROM alpine:3.18.5
 
-RUN apk add --no-cache dcron wget rsync ca-certificates postgresql-client logrotate
+RUN apk add --no-cache dcron wget rsync ca-certificates postgresql-client logrotate sudo
 
 COPY crontab /etc/cron.d/my-cron-job
 COPY aggregations.sh /aggregations.sh
@@ -16,4 +16,15 @@ RUN crontab /etc/cron.d/my-cron-job
 
 RUN touch /var/log/cron.log
 
-CMD /logrotate_conf.sh && crond && tail -f /var/log/cron.log
+RUN addgroup -S non_root && adduser -S -G non_root -u 888 non_root && \
+    chown -R non_root:non_root /aggregations.sh && \
+    chown -R non_root:non_root /logrotate_conf.sh && \
+    chown -R non_root:non_root /etc/logrotate.conf && \
+    chown -R non_root:non_root /etc/cron.d/my-cron-job && \
+    chown -R non_root:non_root /var/log/cron.log
+
+RUN echo "non_root ALL=(ALL) NOPASSWD: $(which crond)" >> /etc/sudoers
+
+USER non_root
+
+CMD /logrotate_conf.sh && sudo crond && tail -f /var/log/cron.log
diff --git a/src/gprofiler_flamedb_rest/Dockerfile b/src/gprofiler_flamedb_rest/Dockerfile
@@ -21,5 +21,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates
 RUN mkdir -p /data
 
 COPY --from=build /go/src/app /usr/local/bin/app
+
+RUN useradd -m -s /bin/bash -u 888 non_root && \
+    chown -R non_root:non_root /data && \
+    chown -R non_root:non_root /usr/local/bin/app
+
+USER non_root
+
+
 EXPOSE 8080
 ENTRYPOINT ["/usr/local/bin/app"]
diff --git a/src/gprofiler_indexer/Dockerfile b/src/gprofiler_indexer/Dockerfile
@@ -23,4 +23,12 @@ RUN mkdir -p /data
 COPY --from=build /go/src/main /indexer
 COPY conf /conf
 
+RUN useradd -m -s /bin/bash -u 888 non_root && \
+    chown -R non_root:non_root /data && \
+    chown -R non_root:non_root /indexer && \
+    chown -R non_root:non_root /conf
+
+USER non_root
+
+
 ENTRYPOINT ["/indexer"]
diff --git a/src/gprofiler_logging/Dockerfile b/src/gprofiler_logging/Dockerfile
@@ -22,4 +22,10 @@ COPY gprofiler-dev gprofiler-dev
 COPY gprofiler_logging/app app
 COPY gprofiler_logging/run.sh run.sh
 
+
+RUN useradd -m -s /bin/bash -u 888 non_root && \
+    chown -R non_root:non_root /app
+
+USER non_root
+
 CMD ["./run.sh"]