Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revert "Allow the Docker image to be run with a random user id (#12905)" #18872

Merged
merged 2 commits into from
Jun 2, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -266,7 +266,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- When using the `decode_json_fields` processor, decoded fields are now deep-merged into existing event. {pull}17958[17958]
- Add backoff configuration options for the Kafka output. {issue}16777[16777] {pull}17808[17808]
- Add TLS support to Kerberos authentication in Elasticsearch. {pull}18607[18607]
- Change ownership of files in docker images so they can be used in secured environments. {pull}12905[12905]
- Upgrade k8s.io/client-go and k8s keystore tests. {pull}18817[18817]

*Auditbeat*
Expand Down
9 changes: 2 additions & 7 deletions dev-tools/packaging/package_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -186,13 +186,8 @@ func checkDocker(t *testing.T, file string) {
checkDockerEntryPoint(t, p, info)
checkDockerLabels(t, p, info, file)
checkDockerUser(t, p, info, *rootUserContainer)

// The configuration file in the Docker image is expected to be readable and writable by any user who belongs to
// the root group. This is done in order to allow the docker image to run on secured Kubernetes environment where
// the user ID used to run a container can't be known in advance.
checkConfigPermissionsWithMode(t, p, os.FileMode(0660))
checkManifestPermissionsWithMode(t, p, os.FileMode(0660))

checkConfigPermissionsWithMode(t, p, os.FileMode(0640))
checkManifestPermissionsWithMode(t, p, os.FileMode(0640))
checkModulesPresent(t, "", p)
checkModulesDPresent(t, "", p)
}
Expand Down
10 changes: 5 additions & 5 deletions dev-tools/packaging/templates/docker/Dockerfile.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,10 @@ RUN chmod 755 /usr/local/bin/docker-entrypoint
RUN groupadd --gid 1000 {{ .BeatName }}

RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \
chown -R root:root {{ $beatHome }} && \
find {{ $beatHome }} -type d -exec chmod 0770 {} \; && \
find {{ $beatHome }} -type f -exec chmod 0660 {} \; && \
chmod 0770 {{ $beatBinary }} && \
chown -R root:{{ .BeatName }} {{ $beatHome }} && \
find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \
find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \
chmod 0750 {{ $beatBinary }} && \
{{- if .linux_capabilities }}
setcap {{ .linux_capabilities }} {{ $beatBinary }} && \
{{- end }}
Expand All @@ -43,7 +43,7 @@ RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \
chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/logs

{{- if ne .user "root" }}
RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
RUN useradd -M --uid 1000 --gid 1000 --home {{ $beatHome }} {{ .user }}
{{- end }}
USER {{ .user }}

Expand Down