chore(docker): Run non root users for containers

Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com>
2022-07-20 17:18:04 +00:00 · 2022-07-20 17:18:04 +00:00 · 591efd5a65
commit 591efd5a65
parent ab800a40d7
14 changed files with 48 additions and 4 deletions
--- a/api/Dockerfile
+++ b/api/Dockerfile
@ -22,5 +22,8 @@ WORKDIR /work
 COPY . .
 RUN mv env.default .env && mv /work_tmp/node_modules sourcemap-reader/.

+RUN adduser -u 1001 openreplay -D
+USER 1001
+
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ./entrypoint.sh
--- a/api/Dockerfile.alerts
+++ b/api/Dockerfile.alerts
@ -16,5 +16,7 @@ WORKDIR /work
 COPY . .
 RUN mv env.default .env && mv app_alerts.py app.py && mv entrypoint_alerts.sh entrypoint.sh

+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ./entrypoint.sh
--- a/api/Dockerfile.bundle
+++ b/api/Dockerfile.bundle
@ -23,5 +23,7 @@ ARG envarg
 ENV ENTERPRISE_BUILD ${envarg}
 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
 RUN chmod +x /tini
+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT ["/tini", "--"]
 CMD ./entrypoint.sh
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -69,4 +69,6 @@ RUN if [ "$SERVICE_NAME" = "http" ]; then \


 COPY --from=build /root/service /root/service
+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT /root/service
--- a/ee/api/Dockerfile
+++ b/ee/api/Dockerfile
@ -20,5 +20,8 @@ WORKDIR /work
 COPY . .
 RUN mv env.default .env && mv /work_tmp/node_modules sourcemap-reader/.

+RUN adduser -u 1001 openreplay -D
+USER 1001
+
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ./entrypoint.sh
--- a/ee/api/Dockerfile.alerts
+++ b/ee/api/Dockerfile.alerts
@ -16,5 +16,8 @@ WORKDIR /work
 COPY . .
 RUN mv env.default .env && mv app_alerts.py app.py && mv entrypoint_alerts.sh entrypoint.sh

+RUN adduser -u 1001 openreplay -D
+USER 1001
+
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ./entrypoint.sh
--- a/ee/api/Dockerfile.crons
+++ b/ee/api/Dockerfile.crons
@ -18,5 +18,8 @@ WORKDIR /work
 COPY . .
 RUN mv env.default .env && mv entrypoint_crons.sh entrypoint.sh

+RUN adduser -u 1001 openreplay -D
+USER 1001
+
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ./entrypoint.sh
--- a/ee/utilities/Dockerfile
+++ b/ee/utilities/Dockerfile
@ -12,5 +12,7 @@ COPY package.json .
 COPY package-lock.json .
 RUN npm install
 COPY . .
+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD npm start
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@ -17,3 +17,11 @@ LABEL maintainer=Rajesh<rajesh@openreplay.com>
 RUN apk upgrade busybox --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main
 COPY --from=builder /work/public /var/www/openreplay
 COPY nginx.conf /etc/nginx/conf.d/default.conf
+
+RUN chown -R nginx:nginx /var/cache/nginx && \
+    chown -R nginx:nginx /var/log/nginx && \
+    chown -R nginx:nginx /etc/nginx/conf.d && \
+    touch /var/run/nginx.pid && \
+    chown -R nginx:nginx /var/run/nginx.pid
+
+USER nginx
--- a/peers/Dockerfile
+++ b/peers/Dockerfile
@ -10,5 +10,7 @@ COPY package.json .
 COPY package-lock.json .
 RUN npm install
 COPY . .
+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD npm start
--- a/scripts/helmcharts/init.sh
+++ b/scripts/helmcharts/init.sh
@ -107,8 +107,12 @@ sed_i_wrapper -i "s/secretKey: \"changeMeMinioPassword\"/secretKey: \"$(randomPa
 sed_i_wrapper -i "s/jwt_secret: \"SetARandomStringHere\"/jwt_secret: \"$(randomPass)\"/g" vars.yaml
 sed_i_wrapper -i "s/domainName: \"\"/domainName: \"${DOMAIN_NAME}\"/g" vars.yaml

+info "Setting proper permission for shared folder"
+sudo mkdir -p /openreplay/storage/nfs
+sudo chown -R 1001:1001 /openreplay/storage/nfs
+
 ## Installing OpenReplay
-info "Installing databases"
+info "installing databases"
 helm upgrade --install databases ./databases -n db --create-namespace --wait -f ./vars.yaml --atomic
-info "Installing application"
+info "installing application"
 helm upgrade --install openreplay ./openreplay -n app --create-namespace --wait -f ./vars.yaml --atomic
--- a/scripts/helmcharts/openreplay/charts/sink/values.yaml
+++ b/scripts/helmcharts/openreplay/charts/sink/values.yaml
@ -25,7 +25,11 @@ serviceAccount:

 podAnnotations: {}

-podSecurityContext: {}
+podSecurityContext:
+  runAsUser: 1001
+  runAsGroup: 1001
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
  # fsGroup: 2000

 securityContext: {}
--- a/scripts/helmcharts/openreplay/charts/storage/values.yaml
+++ b/scripts/helmcharts/openreplay/charts/storage/values.yaml
@ -25,7 +25,11 @@ serviceAccount:

 podAnnotations: {}

-podSecurityContext: {}
+podSecurityContext:
+  runAsUser: 1001
+  runAsGroup: 1001
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
  # fsGroup: 2000

 securityContext: {}
--- a/utilities/Dockerfile
+++ b/utilities/Dockerfile
@ -12,5 +12,7 @@ COPY package.json .
 COPY package-lock.json .
 RUN npm install
 COPY . .
+RUN adduser -u 1001 openreplay -D
+USER 1001
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD npm start