diff --git a/api/Dockerfile b/api/Dockerfile
index 79f8e8d5e..cdd8cd295 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -22,5 +22,8 @@ WORKDIR /work
 COPY . .
 RUN mv env.default .env && mv /work_tmp/node_modules sourcemap-reader/.
+RUN adduser -u 1001 openreplay -D
+USER 1001
+
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ./entrypoint.sh
diff --git a/api/Dockerfile.alerts b/api/Dockerfile.alerts
index 5830966b3..c4614b3c1 100644
--- a/api/Dockerfile.alerts
+++ b/api/Dockerfile.alerts
@@ -16,5 +16,7 @@ WORKDIR /work
 COPY . .
 RUN mv env.default .env && mv app_alerts.py app.py && mv entrypoint_alerts.sh entrypoint.sh
+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ./entrypoint.sh
diff --git a/api/Dockerfile.bundle b/api/Dockerfile.bundle
index 2f58635f2..b047f6d6c 100644
--- a/api/Dockerfile.bundle
+++ b/api/Dockerfile.bundle
@@ -23,5 +23,7 @@ ARG envarg
 ENV ENTERPRISE_BUILD ${envarg}
 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
 RUN chmod +x /tini
+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT ["/tini", "--"]
 CMD ./entrypoint.sh
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 3e353243b..152f6aa3d 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -69,4 +69,6 @@ RUN if [ "$SERVICE_NAME" = "http" ]; then \
 COPY --from=build /root/service /root/service
+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT /root/service
diff --git a/ee/api/Dockerfile b/ee/api/Dockerfile
index 92a2868a9..f599bfc45 100644
--- a/ee/api/Dockerfile
+++ b/ee/api/Dockerfile
@@ -20,5 +20,8 @@ WORKDIR /work
 COPY . .
 RUN mv env.default .env && mv /work_tmp/node_modules sourcemap-reader/.
+RUN adduser -u 1001 openreplay -D
+USER 1001
+
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ./entrypoint.sh
diff --git a/ee/api/Dockerfile.alerts b/ee/api/Dockerfile.alerts
index a3bee2a28..785b0a5f9 100644
--- a/ee/api/Dockerfile.alerts
+++ b/ee/api/Dockerfile.alerts
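Review bot: `RUN adduser -u 1001 openreplay -D` pins the UID but leaves the GID implicit, while the rest of this change hard-codes `1001:1001` in `init.sh` and `runAsGroup`/`fsGroup: 1001` in the chart values. Busybox `adduser` normally gives the new group GID = UID when that GID is free, but if a base-image group already holds 1001 the build either fails or lands on a different GID, and nothing in the Dockerfile documents the expectation. Make it explicit: `RUN addgroup -g 1001 openreplay && adduser -u 1001 -G openreplay -D openreplay`. A service account also has no use for a login shell, so `-s /sbin/nologin` is worth adding (keep the home directory, the Python/npm tooling writes caches under `$HOME`).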
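Review bot: `ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini` on the new side of this hunk fetches the image's PID 1 at build time with no integrity check, so the runtime init is whatever that URL happens to serve. The hunk is reworking exactly this runtime tail (`RUN chmod +x /tini`, the new `USER 1001`), so it is the place to pin it: `ADD --checksum=sha256:<release digest> https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini` under BuildKit, or fetch with curl and verify against the published `tini.sha256sum` in the same `RUN`. This predates the commit but undermines the hardening the commit is adding.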
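Review bot: `USER 1001` followed by `ENTRYPOINT /root/service` is likely to fail at container start: the binary is copied into `/root`, and on the Alpine and Debian bases this project appears to use `/root` is mode 0700, so UID 1001 cannot traverse the directory to exec the file (the `FROM` line is outside this hunk, so confirm on the actual base). Install the binary in a world-readable location instead: `COPY --from=build /root/service /usr/local/bin/service` and `ENTRYPOINT ["/usr/local/bin/service"]` — exec form also makes the Go process PID 1 so it receives `SIGTERM` directly. The `RUN if [ "$SERVICE_NAME" = "http" ]; then \` shown in the hunk header begins before the hunk.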
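Review bot: the user is created after `COPY . .` and the `mv /work_tmp/node_modules sourcemap-reader/.`, so the whole of `/work` stays root-owned and read-only for UID 1001. That is the right default for code, but it also means any write the service does under its working directory — `entrypoint.sh` editing `.env`, log files, a source-map cache — now fails with EACCES where it silently succeeded as root, so the image should be smoke-tested before this ships. If a writable path turns out to be needed, grant it narrowly (`RUN mkdir -p /work/<path> && chown 1001:1001 /work/<path>`) rather than `chown -R 1001:1001 /work`, which would let the process rewrite its own code.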
@@ -16,5 +16,8 @@ WORKDIR /work
 COPY . .
 RUN mv env.default .env && mv app_alerts.py app.py && mv entrypoint_alerts.sh entrypoint.sh
+RUN adduser -u 1001 openreplay -D
+USER 1001
+
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ./entrypoint.sh
diff --git a/ee/api/Dockerfile.crons b/ee/api/Dockerfile.crons
index e29b4440f..0647c6fc6 100644
--- a/ee/api/Dockerfile.crons
+++ b/ee/api/Dockerfile.crons
@@ -18,5 +18,8 @@ WORKDIR /work
 COPY . .
 RUN mv env.default .env && mv entrypoint_crons.sh entrypoint.sh
+RUN adduser -u 1001 openreplay -D
+USER 1001
+
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ./entrypoint.sh
diff --git a/ee/utilities/Dockerfile b/ee/utilities/Dockerfile
index 3c9d2f600..f01c7d71c 100644
--- a/ee/utilities/Dockerfile
+++ b/ee/utilities/Dockerfile
@@ -12,5 +12,7 @@ COPY package.json .
 COPY package-lock.json .
 RUN npm install
 COPY . .
+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD npm start
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index b87d5c172..2ab0312ab 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -17,3 +17,11 @@ LABEL maintainer=Rajesh
 RUN apk upgrade busybox --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main
 COPY --from=builder /work/public /var/www/openreplay
 COPY nginx.conf /etc/nginx/conf.d/default.conf
+
+RUN chown -R nginx:nginx /var/cache/nginx && \
+ chown -R nginx:nginx /var/log/nginx && \
+ chown -R nginx:nginx /etc/nginx/conf.d && \
+ touch /var/run/nginx.pid && \
+ chown -R nginx:nginx /var/run/nginx.pid
+
+USER nginx
diff --git a/peers/Dockerfile b/peers/Dockerfile
index 98475f750..b05fdee3a 100644
--- a/peers/Dockerfile
+++ b/peers/Dockerfile
@@ -10,5 +10,7 @@ COPY package.json .
 COPY package-lock.json .
 RUN npm install
 COPY . .
+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD npm start
diff --git a/scripts/helmcharts/init.sh b/scripts/helmcharts/init.sh
index 078a60583..5fe454f90 100644
--- a/scripts/helmcharts/init.sh
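Review bot: `USER nginx` only works if the copied `nginx.conf` listens above 1024 — an unprivileged nginx cannot bind 80 or 443 without `CAP_NET_BIND_SERVICE`, and the config file is outside this hunk, so confirm its `listen` directive (e.g. `listen 8080;`) and the matching `containerPort`/Service target in the chart. Separately, `chown -R nginx:nginx /etc/nginx/conf.d` makes the server's own configuration writable by the worker account, which a compromised worker could use to reconfigure nginx; it only needs read access, so drop that line. The `touch /var/run/nginx.pid && chown` pair is fine but ties the image to `pid /var/run/nginx.pid;` in the config — if the config points elsewhere the master will fail to start as non-root.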
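Review bot: `RUN npm install` at the top of this hunk runs as root before the new user exists, so `node_modules` ends up root-owned and read-only for UID 1001 — desirable — but the install itself is not lockfile-strict and pulls devDependencies into a runtime image. With the runtime tail being reworked here, switch it to `RUN npm ci --omit=dev && npm cache clean --force` so the `package-lock.json` copied on the line above is actually enforced. `CMD npm start` under `USER 1001` also needs `$HOME` writable for npm's log directory; `adduser -D` creates `/home/openreplay`, so that holds as long as `-H` is never added.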
+++ b/scripts/helmcharts/init.sh
@@ -107,8 +107,12 @@ sed_i_wrapper -i "s/secretKey: \"changeMeMinioPassword\"/secretKey: \"$(randomPa
 sed_i_wrapper -i "s/jwt_secret: \"SetARandomStringHere\"/jwt_secret: \"$(randomPass)\"/g" vars.yaml
 sed_i_wrapper -i "s/domainName: \"\"/domainName: \"${DOMAIN_NAME}\"/g" vars.yaml
+info "Setting proper permission for shared folder"
+sudo mkdir -p /openreplay/storage/nfs
+sudo chown -R 1001:1001 /openreplay/storage/nfs
+
 ## Installing OpenReplay
-info "Installing databases"
+info "installing databases"
 helm upgrade --install databases ./databases -n db --create-namespace --wait -f ./vars.yaml --atomic
-info "Installing application"
+info "installing application"
 helm upgrade --install openreplay ./openreplay -n app --create-namespace --wait -f ./vars.yaml --atomic
diff --git a/scripts/helmcharts/openreplay/charts/sink/values.yaml b/scripts/helmcharts/openreplay/charts/sink/values.yaml
index 11df1d4e7..a37ecfa41 100644
--- a/scripts/helmcharts/openreplay/charts/sink/values.yaml
+++ b/scripts/helmcharts/openreplay/charts/sink/values.yaml
@@ -25,7 +25,11 @@ serviceAccount:
 podAnnotations: {}
-podSecurityContext: {}
+podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ fsGroupChangePolicy: "OnRootMismatch"
 # fsGroup: 2000
 securityContext: {}
diff --git a/scripts/helmcharts/openreplay/charts/storage/values.yaml b/scripts/helmcharts/openreplay/charts/storage/values.yaml
index 5adbf189f..b73c2cf1e 100644
--- a/scripts/helmcharts/openreplay/charts/storage/values.yaml
+++ b/scripts/helmcharts/openreplay/charts/storage/values.yaml
@@ -25,7 +25,11 @@ serviceAccount:
 podAnnotations: {}
-podSecurityContext: {}
+podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ fsGroupChangePolicy: "OnRootMismatch"
 # fsGroup: 2000
 securityContext: {}
diff --git a/utilities/Dockerfile b/utilities/Dockerfile
index cb9d081f1..cbf217339 100644
--- a/utilities/Dockerfile
+++ b/utilities/Dockerfile
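Review bot: `sudo chown -R 1001:1001 /openreplay/storage/nfs` hard-codes the same UID/GID that the Dockerfiles (`adduser -u 1001`) and the chart values (`runAsUser`/`fsGroup: 1001`) each hard-code independently, so changing any one of them silently breaks volume access with no error at install time. Name it once in this script, `OPENREPLAY_UID=1001`, use it here, and substitute it into `vars.yaml` alongside the other `sed_i_wrapper` calls so the charts cannot drift. `chown -R` on an already populated export also rewrites every file's ownership on each re-run of the installer and can be slow on NFS; `chown "$OPENREPLAY_UID:$OPENREPLAY_UID" /openreplay/storage/nfs` on the directory alone is enough for new files once `fsGroup` is set. Lower-casing `"Installing databases"` to `"installing databases"` also makes the log inconsistent with the new `"Setting proper permission for shared folder"` message; pick one convention.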
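Review bot: the new `podSecurityContext` sets `runAsUser: 1001` without `runAsNonRoot: true`, so the kubelet will not reject a future image that drops or overrides the `USER` directive back to root — the numeric UID the Dockerfiles now use is exactly what makes that check cheap, so add `runAsNonRoot: true` beside `runAsUser`. The scaffold comment `# fsGroup: 2000` is now left dangling under an explicit `fsGroup: 1001` and should be removed. `fsGroupChangePolicy: "OnRootMismatch"` is the right choice for the shared NFS path and matches the `chown 1001:1001` done by init.sh.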
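Review bot: the container-level `securityContext: {}` is left empty while the pod-level context is being hardened; the companions that usually go with a non-root UID are `allowPrivilegeEscalation: false`, `capabilities: { drop: ["ALL"] }` and, if the storage service only writes to its mounted volume, `readOnlyRootFilesystem: true`. Without `allowPrivilegeEscalation: false` a compromised process can still regain root through any setuid binary in the base image, which defeats the point of `runAsUser: 1001`. This block mirrors the sink chart's values line for line; either keep the two in step or lift the shared settings into the parent chart's values so they cannot diverge.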
@@ -12,5 +12,7 @@ COPY package.json .
 COPY package-lock.json .
 RUN npm install
 COPY . .
+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD npm start
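Review bot: the `RUN adduser -u 1001 openreplay -D` / `USER 1001` pair is pasted verbatim into every Dockerfile in this change with the UID as a bare literal in each, and the same literal appears again in the chart values and init.sh. Declare it once per file, `ARG OPENREPLAY_UID=1001` then `RUN adduser -u ${OPENREPLAY_UID} -D openreplay` and `USER ${OPENREPLAY_UID}`, so the build can be told the UID the cluster expects and a mismatch is a one-line fix rather than a hunt through ten files. A comment on why 1001 was chosen (it is what the Helm `runAsUser`/`fsGroup` and the NFS `chown` assume) belongs next to the `ARG`, since nothing in the image itself otherwise explains the number.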