Switch to su to run telegraf as non-root (#544)

Author: reimda

telegraf/1.18/Dockerfile

@@ -30,8 +30,6 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
-USER telegraf
-
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]

telegraf/1.18/alpine/Dockerfile

@@ -1,7 +1,7 @@
 FROM alpine:3.14
 
 RUN echo 'hosts: files dns' >> /etc/nsswitch.conf
-RUN apk add --no-cache iputils ca-certificates net-snmp-tools procps lm_sensors tzdata && \
+RUN apk add --no-cache iputils ca-certificates net-snmp-tools procps lm_sensors tzdata su-exec && \
     update-ca-certificates
 
 ENV TELEGRAF_VERSION 1.18.3
@@ -32,8 +32,6 @@ RUN set -ex && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
-USER telegraf
-
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]

telegraf/1.18/alpine/entrypoint.sh

@@ -5,4 +5,8 @@ if [ "${1:0:1}" = '-' ]; then
     set -- telegraf "$@"
 fi
 
-exec "$@"
+if [ $EUID -ne 0 ]; then
+    exec "$@"
+else
+    exec su-exec telegraf "$@"
+fi

telegraf/1.18/entrypoint.sh

@@ -5,4 +5,8 @@ if [ "${1:0:1}" = '-' ]; then
     set -- telegraf "$@"
 fi
 
-exec "$@"
+if [ $EUID -ne 0 ]; then
+    exec "$@"
+else
+    exec setpriv --reuid telegraf --init-groups "$@"
+fi

telegraf/1.19/Dockerfile

@@ -30,8 +30,6 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
-USER telegraf
-
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]

telegraf/1.19/alpine/Dockerfile

@@ -1,7 +1,7 @@
 FROM alpine:3.14
 
 RUN echo 'hosts: files dns' >> /etc/nsswitch.conf
-RUN apk add --no-cache iputils ca-certificates net-snmp-tools procps lm_sensors tzdata && \
+RUN apk add --no-cache iputils ca-certificates net-snmp-tools procps lm_sensors tzdata su-exec && \
     update-ca-certificates
 
 ENV TELEGRAF_VERSION 1.19.3
@@ -32,8 +32,6 @@ RUN set -ex && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
-USER telegraf
-
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]

telegraf/1.19/alpine/entrypoint.sh

@@ -5,4 +5,8 @@ if [ "${1:0:1}" = '-' ]; then
     set -- telegraf "$@"
 fi
 
-exec "$@"
+if [ $EUID -ne 0 ]; then
+    exec "$@"
+else
+    exec su-exec telegraf "$@"
+fi

telegraf/1.19/entrypoint.sh

@@ -5,4 +5,8 @@ if [ "${1:0:1}" = '-' ]; then
     set -- telegraf "$@"
 fi
 
-exec "$@"
+if [ $EUID -ne 0 ]; then
+    exec "$@"
+else
+    exec setpriv --reuid telegraf --init-groups "$@"
+fi

telegraf/1.20/Dockerfile

@@ -30,8 +30,6 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
-USER telegraf
-
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]

telegraf/1.20/alpine/Dockerfile

@@ -1,7 +1,7 @@
 FROM alpine:3.14
 
 RUN echo 'hosts: files dns' >> /etc/nsswitch.conf
-RUN apk add --no-cache iputils ca-certificates net-snmp-tools procps lm_sensors tzdata && \
+RUN apk add --no-cache iputils ca-certificates net-snmp-tools procps lm_sensors tzdata su-exec && \
     update-ca-certificates
 
 ENV TELEGRAF_VERSION 1.20.3
@@ -32,8 +32,6 @@ RUN set -ex && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
-USER telegraf
-
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]