diff --git a/api/Dockerfile b/api/Dockerfile index b92e909e4..0d949e25e 100644 --- a/api/Dockerfile +++ b/api/Dockerfile @@ -22,5 +22,8 @@ WORKDIR /work COPY . . RUN mv env.default .env && mv /work_tmp/node_modules sourcemap-reader/. +RUN adduser -u 1001 openreplay -D +USER 1001 + ENTRYPOINT ["/sbin/tini", "--"] CMD ./entrypoint.sh diff --git a/api/Dockerfile.alerts b/api/Dockerfile.alerts index 5830966b3..c4614b3c1 100644 --- a/api/Dockerfile.alerts +++ b/api/Dockerfile.alerts @@ -16,5 +16,7 @@ WORKDIR /work COPY . . RUN mv env.default .env && mv app_alerts.py app.py && mv entrypoint_alerts.sh entrypoint.sh +RUN adduser -u 1001 openreplay -D +USER 1001 ENTRYPOINT ["/sbin/tini", "--"] CMD ./entrypoint.sh diff --git a/api/Dockerfile.bundle b/api/Dockerfile.bundle index 2f58635f2..b047f6d6c 100644 --- a/api/Dockerfile.bundle +++ b/api/Dockerfile.bundle @@ -23,5 +23,7 @@ ARG envarg ENV ENTERPRISE_BUILD ${envarg} ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini RUN chmod +x /tini +RUN adduser -u 1001 openreplay -D +USER 1001 ENTRYPOINT ["/tini", "--"] CMD ./entrypoint.sh diff --git a/backend/Dockerfile b/backend/Dockerfile index 132fef1b0..4f060587d 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -21,12 +21,13 @@ RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -o service -tags musl openrep FROM alpine AS entrypoint RUN apk upgrade busybox --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main RUN apk add --no-cache ca-certificates +RUN adduser -u 1001 openreplay -D ENV TZ=UTC \ FS_ULIMIT=1000 \ FS_DIR=/mnt/efs \ - MAXMINDDB_FILE=/root/geoip.mmdb \ - UAPARSER_FILE=/root/regexes.yaml \ + MAXMINDDB_FILE=/home/openreplay/geoip.mmdb \ + UAPARSER_FILE=/home/openreplay/regexes.yaml \ HTTP_PORT=80 \ KAFKA_USE_SSL=true \ KAFKA_MAX_POLL_INTERVAL_MS=400000 \ 
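Review bot: The uid in the added `RUN adduser -u 1001 openreplay -D` / `USER 1001` pair in api/Dockerfile is a bare literal, yet it has to agree with `runAsUser`/`fsGroup` in the sink and storage chart values and with the `chown -R 1001:1001` added to scripts/helmcharts/init.sh. A comment above the line would make that coupling visible, for example `# uid 1001 must match podSecurityContext in the Helm charts and the chown in scripts/helmcharts/init.sh`. The same pair is added in api/Dockerfile.alerts, the three ee/api Dockerfiles and peers/Dockerfile, so the comment applies there too. Because `COPY . .` runs before the switch, /work stays root-owned, which keeps the code read-only for the service; anything entrypoint.sh writes under /work at runtime needs checking, since the script is not visible here.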
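Review bot: `adduser -u 1001 openreplay -D` in api/Dockerfile.bundle uses BusyBox option syntax, and the FROM line of this file is outside the hunk. The context installs tini through `ADD` from the GitHub release to `/tini` rather than from the Alpine package at `/sbin/tini`, which suggests, but does not prove, a non-Alpine base. On a Debian-style base `-D` is not accepted and the build would stop at this line. If that is the case, `RUN useradd --uid 1001 --create-home openreplay` is the equivalent.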
@@ -68,5 +69,6 @@ RUN if [ "$SERVICE_NAME" = "http" ]; then \ wget https://static.openreplay.com/geoip/GeoLite2-Country.mmdb -O "$MAXMINDDB_FILE"; fi -COPY --from=build /root/service /root/service -ENTRYPOINT /root/service +COPY --from=build /root/service /home/openreplay/service +USER 1001 +ENTRYPOINT /home/openreplay/service diff --git a/ee/api/Dockerfile b/ee/api/Dockerfile index 1c5be7f36..2500d2bfb 100644 --- a/ee/api/Dockerfile +++ b/ee/api/Dockerfile @@ -20,5 +20,8 @@ WORKDIR /work COPY . . RUN mv env.default .env && mv /work_tmp/node_modules sourcemap-reader/. +RUN adduser -u 1001 openreplay -D +USER 1001 + ENTRYPOINT ["/sbin/tini", "--"] CMD ./entrypoint.sh diff --git a/ee/api/Dockerfile.alerts b/ee/api/Dockerfile.alerts index a3bee2a28..785b0a5f9 100644 --- a/ee/api/Dockerfile.alerts +++ b/ee/api/Dockerfile.alerts @@ -16,5 +16,8 @@ WORKDIR /work COPY . . RUN mv env.default .env && mv app_alerts.py app.py && mv entrypoint_alerts.sh entrypoint.sh +RUN adduser -u 1001 openreplay -D +USER 1001 + ENTRYPOINT ["/sbin/tini", "--"] CMD ./entrypoint.sh diff --git a/ee/api/Dockerfile.crons b/ee/api/Dockerfile.crons index e29b4440f..0647c6fc6 100644 --- a/ee/api/Dockerfile.crons +++ b/ee/api/Dockerfile.crons @@ -18,5 +18,8 @@ WORKDIR /work COPY . . RUN mv env.default .env && mv entrypoint_crons.sh entrypoint.sh +RUN adduser -u 1001 openreplay -D +USER 1001 + ENTRYPOINT ["/sbin/tini", "--"] CMD ./entrypoint.sh diff --git a/ee/utilities/Dockerfile b/ee/utilities/Dockerfile index 3c9d2f600..2de6197a2 100644 --- a/ee/utilities/Dockerfile +++ b/ee/utilities/Dockerfile 
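Review bot: The new `ENTRYPOINT /home/openreplay/service` in backend/Dockerfile keeps the shell form, so the service is launched through `/bin/sh -c` and may not be the process that receives SIGTERM when the container is stopped. The exec form `ENTRYPOINT ["/home/openreplay/service"]` removes the wrapper shell. The binary itself stays root-owned because `COPY --from=build` carries no `--chown`, which is worth keeping: uid 1001 can execute it but cannot replace it.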
@@ -2,15 +2,19 @@ FROM node:18-alpine LABEL Maintainer="KRAIEM Taha Yassine" RUN apk upgrade busybox --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main RUN apk add --no-cache tini git libc6-compat && ln -s /lib/libc.musl-x86_64.so.1 /lib/ld-linux-x86-64.so.2 + ARG envarg ENV ENTERPRISE_BUILD=${envarg} \ - MAXMINDDB_FILE=/root/geoip.mmdb - + MAXMINDDB_FILE=/home/openreplay/geoip.mmdb WORKDIR /work -ADD https://static.openreplay.com/geoip/GeoLite2-Country.mmdb $MAXMINDDB_FILE COPY package.json . COPY package-lock.json . RUN npm install COPY . . + +RUN adduser -u 1001 openreplay -D +USER 1001 +ADD --chown=1001 https://static.openreplay.com/geoip/GeoLite2-Country.mmdb $MAXMINDDB_FILE + ENTRYPOINT ["/sbin/tini", "--"] CMD npm start diff --git a/frontend/Dockerfile b/frontend/Dockerfile index b87d5c172..2ab0312ab 100644 --- a/frontend/Dockerfile +++ b/frontend/Dockerfile @@ -17,3 +17,11 @@ LABEL maintainer=Rajesh RUN apk upgrade busybox --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main COPY --from=builder /work/public /var/www/openreplay COPY nginx.conf /etc/nginx/conf.d/default.conf + +RUN chown -R nginx:nginx /var/cache/nginx && \ + chown -R nginx:nginx /var/log/nginx && \ + chown -R nginx:nginx /etc/nginx/conf.d && \ + touch /var/run/nginx.pid && \ + chown -R nginx:nginx /var/run/nginx.pid + +USER nginx diff --git a/frontend/app/components/BugFinder/SessionList/SessionList.js b/frontend/app/components/BugFinder/SessionList/SessionList.js index 46a200192..a2901812b 100644 --- a/frontend/app/components/BugFinder/SessionList/SessionList.js +++ b/frontend/app/components/BugFinder/SessionList/SessionList.js @@ -10,7 +10,7 @@ import AnimatedSVG, { ICONS } from 'Shared/AnimatedSVG/AnimatedSVG'; // const ALL = 'all'; const PER_PAGE = 10; -const AUTOREFRESH_INTERVAL = 3 * 60 * 1000; +const AUTOREFRESH_INTERVAL = 5 * 60 * 1000; var timeoutId; @connect(state => ({ 
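Review bot: `ADD --chown=1001 https://static.openreplay.com/geoip/GeoLite2-Country.mmdb $MAXMINDDB_FILE` in ee/utilities/Dockerfile hands ownership of the GeoIP database to the runtime account, so the running service can rewrite a file it only needs to read. A file fetched by `ADD` from a URL is created with mode 600, which is presumably why the chown was added. `ADD --chmod=644 https://static.openreplay.com/geoip/GeoLite2-Country.mmdb $MAXMINDDB_FILE` keeps it root-owned and still readable by uid 1001 (`--chmod` needs BuildKit). The download also has no integrity check, so the image content depends on whatever the URL serves at build time, and a comment saying so would help. utilities/Dockerfile receives the same change.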
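Review bot: `USER nginx` in frontend/Dockerfile names the account instead of giving a numeric uid, unlike the `USER 1001` used in the other Dockerfiles of this commit. Kubernetes cannot verify `runAsNonRoot` against a non-numeric image user, so the numeric uid of the nginx account in the base image (the FROM line is outside the hunk) is the safer value. `chown -R nginx:nginx /etc/nginx/conf.d` also makes the server configuration writable by the account that serves traffic; if nothing rewrites the config at start-up, leaving that directory root-owned is tighter. Whether nginx.conf listens on a port below 1024 is not visible here and is worth checking now that the master process no longer starts as root.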
diff --git a/frontend/app/duck/search.js b/frontend/app/duck/search.js index c49b00b26..71361da14 100644 --- a/frontend/app/duck/search.js +++ b/frontend/app/duck/search.js @@ -150,6 +150,7 @@ export const reduceThenFetchResource = filter.filters = filter.filters.map(filterMap); filter.limit = 10; filter.page = getState().getIn(['search', 'currentPage']); + const forceFetch = filter.filters.length === 0; // duration filter from local storage if (!filter.filters.find((f) => f.type === FilterKey.DURATION)) { @@ -172,7 +173,7 @@ export const reduceThenFetchResource = } } - return isRoute(ERRORS_ROUTE, window.location.pathname) ? dispatch(fetchErrorsList(filter)) : dispatch(fetchSessionList(filter)); + return isRoute(ERRORS_ROUTE, window.location.pathname) ? dispatch(fetchErrorsList(filter)) : dispatch(fetchSessionList(filter, forceFetch)); }; export const edit = reduceThenFetchResource((instance) => ({ diff --git a/frontend/app/duck/sessions.js b/frontend/app/duck/sessions.js index 0d40ae9e5..e4a4ff7bd 100644 --- a/frontend/app/duck/sessions.js +++ b/frontend/app/duck/sessions.js @@ -67,8 +67,8 @@ const reducer = (state = initialState, action = {}) => { switch (action.type) { case INIT: return state.set('current', Session(action.session)); - case FETCH_LIST.REQUEST: - return action.clear ? state.set('list', List()) : state; + // case FETCH_LIST.REQUEST: + // return action.clear ? state.set('list', List()) : state; case FETCH_ERROR_STACK.SUCCESS: return state.set('errorStack', List(action.data.trace).map(ErrorStack)).set('sourcemapUploaded', action.data.sourcemapUploaded); case FETCH_LIVE_LIST.SUCCESS: @@ -224,7 +224,7 @@ function init(session) { } export const fetchList = - (params = {}, clear = false, force = false) => + (params = {}, force = false) => (dispatch, getState) => { if (!force) { // compare with the last fetched filter const oldFilters = getSessionFilter(); 
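Review bot: Changing `fetchList` in frontend/app/duck/sessions.js from `(params = {}, clear = false, force = false)` to `(params = {}, force = false)` shifts the meaning of the second positional argument, so a caller that still passes `clear` there would now force a fetch and skip the filter comparison. search.js is updated in this commit; other callers are outside the diff and should be checked. The `FETCH_LIST.REQUEST` case in the reducer is commented out rather than deleted, and with `clear` gone from the dispatched action it can be removed outright. The body of fetchList continues past the hunk.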
@@ -237,7 +237,6 @@ export const fetchList = return dispatch({ types: FETCH_LIST.toArray(), call: (client) => client.post('/sessions/search2', params), - clear, params: cleanParams(params), }); }; diff --git a/peers/Dockerfile b/peers/Dockerfile index 98475f750..b05fdee3a 100644 --- a/peers/Dockerfile +++ b/peers/Dockerfile @@ -10,5 +10,7 @@ COPY package.json . COPY package-lock.json . RUN npm install COPY . . +RUN adduser -u 1001 openreplay -D +USER 1001 ENTRYPOINT ["/sbin/tini", "--"] CMD npm start diff --git a/scripts/helmcharts/init.sh b/scripts/helmcharts/init.sh index 078a60583..5fe454f90 100644 --- a/scripts/helmcharts/init.sh +++ b/scripts/helmcharts/init.sh @@ -107,8 +107,12 @@ sed_i_wrapper -i "s/secretKey: \"changeMeMinioPassword\"/secretKey: \"$(randomPa sed_i_wrapper -i "s/jwt_secret: \"SetARandomStringHere\"/jwt_secret: \"$(randomPass)\"/g" vars.yaml sed_i_wrapper -i "s/domainName: \"\"/domainName: \"${DOMAIN_NAME}\"/g" vars.yaml +info "Setting proper permission for shared folder" +sudo mkdir -p /openreplay/storage/nfs +sudo chown -R 1001:1001 /openreplay/storage/nfs + ## Installing OpenReplay -info "Installing databases" +info "installing databases" helm upgrade --install databases ./databases -n db --create-namespace --wait -f ./vars.yaml --atomic -info "Installing application" +info "installing application" helm upgrade --install openreplay ./openreplay -n app --create-namespace --wait -f ./vars.yaml --atomic diff --git a/scripts/helmcharts/openreplay/charts/sink/values.yaml b/scripts/helmcharts/openreplay/charts/sink/values.yaml index 11df1d4e7..a37ecfa41 100644 --- a/scripts/helmcharts/openreplay/charts/sink/values.yaml +++ b/scripts/helmcharts/openreplay/charts/sink/values.yaml @@ -25,7 +25,11 @@ serviceAccount: podAnnotations: {} -podSecurityContext: {} +podSecurityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + fsGroupChangePolicy: "OnRootMismatch" # fsGroup: 2000 securityContext: {} 
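Review bot: `sudo chown -R 1001:1001 /openreplay/storage/nfs` in scripts/helmcharts/init.sh gives the shared session storage to whichever host account holds uid 1001, which may be an ordinary login user unrelated to OpenReplay. A comment stating that 1001 is the container uid from the images and chart values, plus a check or warning when that uid already exists on the host, would make the side effect explicit. The literal is repeated across the Dockerfiles and values files, so a single variable near the top of the script (for example `OR_UID=1001`, a constructed name) would keep the script side in one place. Lower-casing `info "installing databases"` is inconsistent with the capitalised message added just above it.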
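Review bot: The new `podSecurityContext` in charts/sink/values.yaml sets the uid, but the container-level `securityContext: {}` in the context below stays empty, so nothing prevents the process from regaining privileges through a setuid binary. Adding `runAsNonRoot: true` to this block and `allowPrivilegeEscalation: false` under `securityContext` would make the non-root intent enforceable once the uid 0 override in openreplay/values.yaml is lifted. The leftover `# fsGroup: 2000` comment now sits under a populated map and can be dropped. charts/storage/values.yaml gets the identical block.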
diff --git a/scripts/helmcharts/openreplay/charts/storage/values.yaml b/scripts/helmcharts/openreplay/charts/storage/values.yaml index 5adbf189f..b73c2cf1e 100644 --- a/scripts/helmcharts/openreplay/charts/storage/values.yaml +++ b/scripts/helmcharts/openreplay/charts/storage/values.yaml @@ -25,7 +25,11 @@ serviceAccount: podAnnotations: {} -podSecurityContext: {} +podSecurityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + fsGroupChangePolicy: "OnRootMismatch" # fsGroup: 2000 securityContext: {} diff --git a/scripts/helmcharts/openreplay/values.yaml b/scripts/helmcharts/openreplay/values.yaml index 92a932aad..1652dedab 100644 --- a/scripts/helmcharts/openreplay/values.yaml +++ b/scripts/helmcharts/openreplay/values.yaml @@ -92,6 +92,27 @@ nginx-ingress: # Overrides the image tag whose default is the chart appVersion. tag: "buster" +# By default http listens to 80 port, and for v1.7.0 http listens in 80 +http: + podSecurityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + fsGroupChangePolicy: "OnRootMismatch" +# Running sink and storage as non root users, because of existing volume permission change will take time +sink: + podSecurityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + fsGroupChangePolicy: "OnRootMismatch" +storage: + podSecurityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + fsGroupChangePolicy: "OnRootMismatch" + ingress-nginx: enabled: true controller: @@ -102,4 +123,5 @@ ingress-nginx: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.2.1" + tag: "v1.3.0" + digest: "" diff --git a/utilities/Dockerfile b/utilities/Dockerfile index cb9d081f1..2de6197a2 100644 --- a/utilities/Dockerfile +++ b/utilities/Dockerfile 
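Review bot: The comment `# Running sink and storage as non root users, because of existing volume permission change will take time` in openreplay/values.yaml says the opposite of the values under it, which set `runAsUser: 0`, `runAsGroup: 0` and `fsGroup: 0` for sink and storage. These top-level values override the uid 1001 defaults added to the sink and storage sub-charts in this same commit, so with this file http, sink and storage still run as root despite `USER 1001` in the images. Suggested wording: `# sink and storage stay on uid 0 for now: re-owning existing volumes to 1001 takes time; remove once volumes are migrated`. For http, moving `HTTP_PORT` to an unprivileged port would avoid needing root only to bind port 80.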
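Review bot: `digest: ""` next to the new `tag: "v1.3.0"` blanks the image digest, so the ingress controller image would be resolved by mutable tag only. Whether the ingress-nginx chart ships a default digest for this tag is not visible here. If it does, leaving the key unset or setting the digest published for that release (`digest: "sha256:<digest-for-v1.3.0>"`, placeholder) keeps the pull pinned. A one-line comment explaining why the digest is blanked would help at the next upgrade.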
@@ -1,16 +1,20 @@ FROM node:18-alpine LABEL Maintainer="KRAIEM Taha Yassine" -RUN apk add --no-cache tini RUN apk upgrade busybox --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main +RUN apk add --no-cache tini git libc6-compat && ln -s /lib/libc.musl-x86_64.so.1 /lib/ld-linux-x86-64.so.2 + ARG envarg ENV ENTERPRISE_BUILD=${envarg} \ - MAXMINDDB_FILE=/root/geoip.mmdb - + MAXMINDDB_FILE=/home/openreplay/geoip.mmdb WORKDIR /work -ADD https://static.openreplay.com/geoip/GeoLite2-Country.mmdb $MAXMINDDB_FILE COPY package.json . COPY package-lock.json . RUN npm install COPY . . + +RUN adduser -u 1001 openreplay -D +USER 1001 +ADD --chown=1001 https://static.openreplay.com/geoip/GeoLite2-Country.mmdb $MAXMINDDB_FILE + ENTRYPOINT ["/sbin/tini", "--"] CMD npm start