
Commit fee239d

committed
grafana-bridge should run with a non root user in a container
1 parent fdc3915 commit fee239d

1 file changed

+36
-16
lines changed

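--- a/Dockerfile
+++ b/Dockerfile
@@ -13,11 +13,14 @@ RUN echo "Installed python packages: $(/usr/bin/pip3 list)"
 USER root
 
 RUN mkdir -p /opt/IBM/bridge
-COPY ./source/ /opt/IBM/bridge
-COPY LICENSE /opt/IBM/bridge
-
-RUN mkdir -p /var/mmfs/gen
 RUN mkdir -p /opt/IBM/zimon
+RUN mkdir -p /var/mmfs/gen
+RUN mkdir -p /etc/ssl/certs
+RUN mkdir -p /etc/perfmon-api-keys
+
+COPY LICENSE /licenses/
+
+COPY ./source/ /opt/IBM/bridge
 COPY ./source/gpfsConfig/mmsdrfs* /var/mmfs/gen/
 COPY ./source/gpfsConfig/ZIMon* /opt/IBM/zimon/
 
@@ -33,8 +36,9 @@ ARG PERFMONPORT=9980
 ENV SERVERPORT=$PERFMONPORT
 RUN echo "the PERFMONPORT port is set to $SERVERPORT"
 
-ARG CERTPATH=None
+ARG CERTPATH='/etc/bridge_ssl/certs'
 ENV TLSKEYPATH=$CERTPATH
+RUN mkdir -p $CERTPATH
 
 ARG KEYFILE=None
 ENV TLSKEYFILE=$KEYFILE
@@ -47,6 +51,7 @@ ENV APIKEYNAME=$KEYNAME
 
 ARG KEYVALUE=None
 ENV APIKEYVALUE=$KEYVALUE
+RUN if [ "${APIKEYVALUE:0:1}" = "/" ]; then ln -s $APIKEYVALUE /etc/perfmon-api-keys; echo "APIKEYVALUE is a PATH"; else echo "APIKEYVALUE not a PATH"; fi
 
 RUN if [ -z "$TLSKEYPATH" ] || [ -z "$TLSCERTFILE" ] || [ -z "$TLSKEYFILE" ] && [ "$PROTOCOL" = "https" ]; then echo "TLSKEYPATH FOR SSL CONNECTION NOT SET - ERROR"; exit 1; else echo "PASS"; fi
 RUN echo "the ssl certificates path is set to $TLSKEYPATH"
@@ -55,23 +60,38 @@ ARG PMCOLLECTORIP=0.0.0.0
 ENV SERVER=$PMCOLLECTORIP
 RUN echo "the pmcollector server ip is set to $SERVER"
 
+ARG DEFAULTLOGPATH='/var/log/ibm_bridge_for_grafana'
+ENV LOGPATH=$DEFAULTLOGPATH
+RUN mkdir -p $LOGPATH
+RUN echo "the log will use $LOGPATH"
 
 WORKDIR /opt/IBM/bridge
-
-ARG DEFAULTLOGPATH='/var/log/ibm_bridge_for_grafana/install.log'
-ENV LOGPATH=$DEFAULTLOGPATH
-RUN mkdir -p $(dirname $LOGPATH)
-RUN echo "the log will use $(dirname $LOGPATH)"
 RUN echo "$(pwd)"
 
-RUN touch $LOGPATH
-RUN echo "log path: $(dirname $LOGPATH)" >> $LOGPATH
-RUN echo "pmcollector_server: $SERVER" >> $LOGPATH
-RUN echo "ssl certificates location: $TLSKEYPATH" >> $LOGPATH
-RUN echo "HTTP/S port: $PORT" >> $LOGPATH
+RUN touch "${LOGPATH}/install.log"
+RUN echo "log path: $LOGPATH" >> ${LOGPATH}/install.log
+RUN echo "pmcollector_server: $SERVER" >> ${LOGPATH}/install.log
+RUN echo "ssl certificates location: $TLSKEYPATH" >> ${LOGPATH}/install.log
+RUN echo "HTTP/S port: $PORT" >> ${LOGPATH}/install.log
+
+# Create a user 'bridge' under 'root' group
+RUN groupadd -g 2099 bridge
+RUN useradd -rm -d /home/2001 -s /bin/bash -g 2099 -u 2001 bridge
+
+# Chown all the files to the grafanabridge 'bridge' user.
+RUN chown -R 2001:2099 /opt/IBM/bridge
+RUN chown -R 2001:2099 /opt/IBM/zimon
+RUN chown -R 2001:2099 /var/mmfs/gen
+RUN chown -R 2001:2099 /etc/ssl/certs
+RUN chown -R 2001:2099 /etc/perfmon-api-keys
+RUN chown -R 2001:2099 $TLSKEYPATH
+RUN chown -R 2001:2099 $LOGPATH
+
+# Switch to user 'bridge'
+USER 2001
 
 
-CMD ["sh", "-c", "python3 zimonGrafanaIntf.py -c 10 -s $SERVER -r $PROTOCOL -p $PORT -P $SERVERPORT -t $TLSKEYPATH --tlsKeyFile $TLSKEYFILE --tlsCertFile $TLSCERTFILE --apiKeyName $APIKEYNAME --apiKeyValue $APIKEYVALUE"]
+CMD ["sh", "-c", "python3 zimonGrafanaIntf.py -c 10 -s $SERVER -r $PROTOCOL -p $PORT -P $SERVERPORT -t $TLSKEYPATH -l $LOGPATH --tlsKeyFile $TLSKEYFILE --tlsCertFile $TLSCERTFILE --apiKeyName $APIKEYNAME --apiKeyValue $APIKEYVALUE"]
 
 EXPOSE 4242 8443
 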
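Review bot: `RUN chown -R 2001:2099 /etc/ssl/certs` in the last hunk gives the unprivileged `bridge` account ownership of the image's system certificate directory, so the process this commit is meant to confine can rewrite whatever trust material is stored there. The bridge's own TLS files already have a dedicated directory (`$TLSKEYPATH`, chowned two lines later), so I would drop that chown and leave `/etc/ssl/certs` root-owned and read-only for UID 2001; if the application really has to write there, add a comment explaining why. The comment `# Create a user 'bridge' under 'root' group` does not match the code, which creates a separate group with GID 2099; `# Create user 'bridge' (UID 2001) in its own group 'bridge' (GID 2099)` would be accurate. In the `APIKEYVALUE` hunk, `${APIKEYVALUE:0:1}` is a bash extension and the expansion in `ln -s $APIKEYVALUE` is unquoted; the base image is not visible here, so either confirm that `/bin/sh` is bash or use `case "$APIKEYVALUE" in /*) ln -s "$APIKEYVALUE" /etc/perfmon-api-keys ;; esac`.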
