-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Telegraf docker entrypoint script change needed to support deployment from compose script #734
Comments
hmm doing so would break what was fixed in #724 where the user does the following:
|
Does it? Hmm. Setpriv doesn't just add to the effective groups? It's weird to me to say I think that's the wrong thing to do:
I'm thinking the whole thing needs to be reimagined. |
Referencing #724 and #543 I was still having problems with a specific line in the entrypoint script
The line currently reads:
extra_groups="$(id -Gn || true)"
This script doesn't honor UID; rather, if the UID is 0 (root) it just executes as the 'telegraf' user. Unfortunately, if you are root, that id will get the groups associated with root, not telegraf. I think it needs to be changed to:
extra_groups="$(id -Gn telegraf || true)"
With this change, I can specify a service in a compose file:
I made this change with a custom entrypoint to test it:
and that makes it work.
I think there's about a million ways to solve this problem. I think, though, that the structure of the script really intends to just exec if the uid is not 0, and if the uid is 0 it intends to force you to the 'telegraf' user - that's a strategy and it's fine and reasonably secure, but that
id -Gn
is going to check the extra groups of user 0, come up with only "root" then promptly remove that group.If anybody agrees, please respond - I'll happily submit a pull request for this. Or, if you've got another way to pair docker compose + docker build and make this work, that's fine too. Me having to create a custom entrypoint doesn't seem like the right solution unless I'm the only person still having this problem.
The text was updated successfully, but these errors were encountered: