From 9d015bf64ed68584bfd9de744e097afd5419260d Mon Sep 17 00:00:00 2001
From: Jens Kutzsche
Date: Thu, 16 Sep 2021 11:20:33 +0200
Subject: [PATCH 1/2] chore: creates and uses the non-privileged user iris in EPS Docker files

The applications are started in the container by a script under the user iris. Still as root, all directories and files under settings/ are assigned to this user beforehand so that the applications can use all files.
---
 .scripts/entrypoint-eps.sh | 5 +++++
 .scripts/entrypoint-proxy.sh | 5 +++++
 .scripts/entrypoint-sd.sh | 5 +++++
 docker/Eps.dockerfile | 9 +++++++--
 docker/InternalServer.dockerfile | 6 ++++++
 docker/Proxy.dockerfile | 9 +++++++--
 docker/Scripts.dockerfile | 1 +
 docker/Sd.dockerfile | 9 +++++++--
 8 files changed, 43 insertions(+), 6 deletions(-)
 create mode 100644 .scripts/entrypoint-eps.sh
 create mode 100644 .scripts/entrypoint-proxy.sh
 create mode 100644 .scripts/entrypoint-sd.sh

diff --git a/.scripts/entrypoint-eps.sh b/.scripts/entrypoint-eps.sh
new file mode 100644
index 0000000..b5f0c39
--- /dev/null
+++ b/.scripts/entrypoint-eps.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+chown -R iris:iris ./settings
+
+exec su iris -c "./eps $*"
diff --git a/.scripts/entrypoint-proxy.sh b/.scripts/entrypoint-proxy.sh
new file mode 100644
index 0000000..c8167ee
--- /dev/null
+++ b/.scripts/entrypoint-proxy.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+chown -R iris:iris ./settings
+
+exec su iris -c "./proxy $*"
diff --git a/.scripts/entrypoint-sd.sh b/.scripts/entrypoint-sd.sh
new file mode 100644
index 0000000..13ebb4f
--- /dev/null
+++ b/.scripts/entrypoint-sd.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+chown -R iris:iris ./settings
+
+exec su iris -c "./sd $*"
diff --git a/docker/Eps.dockerfile b/docker/Eps.dockerfile
index 3a2eb8c..9eb5676 100644
--- a/docker/Eps.dockerfile
+++ b/docker/Eps.dockerfile
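Review bot: `exec su iris -c "./eps $*"` in the new .scripts/entrypoint-eps.sh re-parses the container arguments through the inner shell: `$*` joins them into one string that `sh -c` word-splits and metacharacter-expands again, so an argument containing spaces, quotes or `$` does not reach the binary intact, and whatever the pod or compose spec passes as args is effectively evaluated as shell code. Passing them positionally keeps them intact; BusyBox su appears to hand the words after the user name to the shell, so `exec su iris -c 'exec ./eps "$@"' sh "$@"` should work (confirm on alpine:latest), or install `su-exec` from the Alpine repositories and use `exec su-exec iris ./eps "$@"`, which also removes the extra sh in front of the application process. The same line appears in entrypoint-proxy.sh and entrypoint-sd.sh in this patch and is carried forward unchanged by patch 2. A header comment would also help readers of the script, e.g. `# Runs as root: gives iris ownership of settings/, then drops privilege before starting eps`.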
@@ -14,6 +14,11 @@ COPY . . RUN make FROM alpine:latest + +# Create a group and user +RUN addgroup --gid 9999 iris && adduser --disabled-password --gecos '' --uid 9999 -G iris -s /bin/ash iris + WORKDIR /app -COPY --from=builder /go/bin/eps /app/eps -ENTRYPOINT ["./eps"] +COPY --from=builder /go/bin/eps /app/.scripts/entrypoint-eps.sh /app/ + +ENTRYPOINT ["/bin/sh", "./entrypoint-eps.sh"]
diff --git a/docker/InternalServer.dockerfile b/docker/InternalServer.dockerfile
index 07b8a96..75bc636 100644
--- a/docker/InternalServer.dockerfile
+++ b/docker/InternalServer.dockerfile
@@ -14,6 +14,12 @@ COPY . . RUN make examples FROM alpine:latest + +# Create a group and user +RUN addgroup --gid 9999 iris && adduser --disabled-password --gecos '' --uid 9999 -G iris -s /bin/ash iris +# Change to non-root privilege +USER iris:iris + WORKDIR /app COPY --from=builder /go/bin/internal-server /app/internal-server ENTRYPOINT ["./internal-server"]
diff --git a/docker/Proxy.dockerfile b/docker/Proxy.dockerfile
index d1f969c..5140dc9 100644
--- a/docker/Proxy.dockerfile
+++ b/docker/Proxy.dockerfile
@@ -14,6 +14,11 @@ COPY . . RUN make FROM alpine:latest + +# Create a group and user +RUN addgroup --gid 9999 iris && adduser --disabled-password --gecos '' --uid 9999 -G iris -s /bin/ash iris + WORKDIR /app -COPY --from=builder /go/bin/proxy /app/proxy -ENTRYPOINT ["./proxy"] +COPY --from=builder /go/bin/proxy /app/.scripts/entrypoint-proxy.sh /app/ + +ENTRYPOINT ["/bin/sh", "./entrypoint-proxy.sh"]
diff --git a/docker/Scripts.dockerfile b/docker/Scripts.dockerfile
index 4e54ae9..28c3bcb 100644
--- a/docker/Scripts.dockerfile
+++ b/docker/Scripts.dockerfile
@@ -4,6 +4,7 @@ RUN apk add --update bash
 RUN apk add --update coreutils && rm -rf /var/cache/apk/*
 RUN bash --version
 RUN bash
+
 WORKDIR /app
 COPY . .
 ENTRYPOINT [ "make" ]
diff --git a/docker/Sd.dockerfile b/docker/Sd.dockerfile
index 7daa5ec..c04eb01 100644
--- a/docker/Sd.dockerfile
+++ b/docker/Sd.dockerfile
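Review bot: docker/Eps.dockerfile now deliberately has no `USER` instruction, because entrypoint-eps.sh needs root for `chown -R` and `su`, but nothing in the Dockerfile states that requirement; a pod securityContext with `runAsNonRoot: true` or `runAsUser: 9999`, or a non-root `docker run --user`, will make the `su iris` in the entrypoint fail instead of simply running the binary as iris. A comment above the new ENTRYPOINT line would make the constraint visible, e.g. `# Must start as root: entrypoint-eps.sh fixes settings/ ownership, then drops to iris via su`. The Proxy.dockerfile hunk below and the Sd.dockerfile hunk that follows it have the same structure and would take the same comment; InternalServer.dockerfile is the only image that switches with `USER iris:iris` at build time and is not affected.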
@@ -14,6 +14,11 @@ COPY . . RUN make FROM alpine:latest + +# Create a group and user +RUN addgroup --gid 9999 iris && adduser --disabled-password --gecos '' --uid 9999 -G iris -s /bin/ash iris + WORKDIR /app -COPY --from=builder /go/bin/sd /app/sd -ENTRYPOINT ["./sd"] +COPY --from=builder /go/bin/sd /app/.scripts/entrypoint-sd.sh /app/ + +ENTRYPOINT ["/bin/sh", "./entrypoint-sd.sh"]

From b0b5a252a12caa71a4647a05594ffbad82d0b610 Mon Sep 17 00:00:00 2001
From: Jens Kutzsche
Date: Wed, 22 Sep 2021 18:55:39 +0200
Subject: [PATCH 2/2] chore: `chown` is now only done if there are files in the `settings` folder that are not readable.

This is necessary to avoid errors in a K8S environment that occur when the mounted volume is readonly. In this environment, the `defaultMode` for the volume must then be `0644` so that the files can be read.
---
 .scripts/entrypoint-eps.sh | 4 +++-
 .scripts/entrypoint-proxy.sh | 4 +++-
 .scripts/entrypoint-sd.sh | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/.scripts/entrypoint-eps.sh b/.scripts/entrypoint-eps.sh
index b5f0c39..68469ad 100644
--- a/.scripts/entrypoint-eps.sh
+++ b/.scripts/entrypoint-eps.sh
@@ -1,5 +1,7 @@ #!/bin/sh -chown -R iris:iris ./settings +if ! su iris -c "find ./settings -type f -exec cat {} > /dev/null +"; then + chown -R iris:iris ./settings +fi exec su iris -c "./eps $*"
diff --git a/.scripts/entrypoint-proxy.sh b/.scripts/entrypoint-proxy.sh
index c8167ee..e248a3f 100644
--- a/.scripts/entrypoint-proxy.sh
+++ b/.scripts/entrypoint-proxy.sh
@@ -1,5 +1,7 @@ #!/bin/sh -chown -R iris:iris ./settings +if ! su iris -c "find ./settings -type f -exec cat {} > /dev/null +"; then + chown -R iris:iris ./settings +fi exec su iris -c "./proxy $*"
diff --git a/.scripts/entrypoint-sd.sh b/.scripts/entrypoint-sd.sh
index 13ebb4f..1601400 100644
--- a/.scripts/entrypoint-sd.sh
+++ b/.scripts/entrypoint-sd.sh
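Review bot: the readability probe added to .scripts/entrypoint-eps.sh in patch 2 depends on `find` exiting non-zero when one of the `cat` invocations started by `-exec … +` fails; GNU find documents that behaviour, but for the BusyBox find shipped in alpine:latest it should be confirmed, since otherwise an unreadable file is missed and the `chown` silently skipped. A directory iris cannot enter is caught only because find itself reports a traversal error, and the check says nothing about files the application may need to write, so a comment should record what it establishes, e.g. `# Only fix ownership when some settings file is not readable as iris (read-only mounts cannot be chowned)`. The commit message relies on `defaultMode: 0644` for Kubernetes volumes, which makes the mounted settings readable by every uid in the pod; setting `fsGroup: 9999` in the pod securityContext should let the volume use a group-readable mode instead and keep the fallback `chown` from ever being needed there. The same applies to the entrypoint-proxy.sh hunk in this patch and the entrypoint-sd.sh hunk at its end.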
@@ -1,5 +1,7 @@ #!/bin/sh -chown -R iris:iris ./settings +if ! su iris -c "find ./settings -type f -exec cat {} > /dev/null +"; then + chown -R iris:iris ./settings +fi exec su iris -c "./sd $*"