fix(telegraf): Ensure groups passed to container are applied (#729)

Author: powersj

telegraf/1.27/entrypoint.sh

@@ -11,6 +11,20 @@ else
     # Allow telegraf to send ICMP packets and bind to privliged ports
     setcap cap_net_raw,cap_net_bind_service+ep /usr/bin/telegraf || echo "Failed to set additional capabilities on /usr/bin/telegraf"
 
+    # ensure HOME is set to the telegraf user's home dir
     export HOME=$(getent passwd telegraf | cut -d : -f 6)
-    exec setpriv --reuid telegraf --regid telegraf --groups telegraf "$@"
+
+    # honor groups supplied via 'docker run --group-add ...' but drop 'root' (the sed
+    # removes 'telegraf' since we unconditionally add it and don't want it listed twice)
+    groups="telegraf"
+    extra_groups="$(id -Gn | sed \
+    -e 's/ /,/g' \
+    -e 's/,\(root\|telegraf\),/,/g' \
+    -e 's/^\(root\|telegraf\),//g'  \
+    -e 's/,\(root\|telegraf\)$//g' \
+    -e 's/^\(root\|telegraf\)$//g')"
+    if [ -n "$extra_groups" ]; then
+        groups="$groups,$extra_groups"
+    fi
+    exec setpriv --reuid telegraf --regid telegraf --groups "$groups" "$@"
 fi

telegraf/1.28/entrypoint.sh

@@ -11,6 +11,20 @@ else
     # Allow telegraf to send ICMP packets and bind to privliged ports
     setcap cap_net_raw,cap_net_bind_service+ep /usr/bin/telegraf || echo "Failed to set additional capabilities on /usr/bin/telegraf"
 
+    # ensure HOME is set to the telegraf user's home dir
     export HOME=$(getent passwd telegraf | cut -d : -f 6)
-    exec setpriv --reuid telegraf --regid telegraf --groups telegraf "$@"
+
+    # honor groups supplied via 'docker run --group-add ...' but drop 'root' (the sed
+    # removes 'telegraf' since we unconditionally add it and don't want it listed twice)
+    groups="telegraf"
+    extra_groups="$(id -Gn | sed \
+    -e 's/ /,/g' \
+    -e 's/,\(root\|telegraf\),/,/g' \
+    -e 's/^\(root\|telegraf\),//g'  \
+    -e 's/,\(root\|telegraf\)$//g' \
+    -e 's/^\(root\|telegraf\)$//g')"
+    if [ -n "$extra_groups" ]; then
+        groups="$groups,$extra_groups"
+    fi
+    exec setpriv --reuid telegraf --regid telegraf --groups "$groups" "$@"
 fi

telegraf/1.29/entrypoint.sh

@@ -11,6 +11,20 @@ else
     # Allow telegraf to send ICMP packets and bind to privliged ports
     setcap cap_net_raw,cap_net_bind_service+ep /usr/bin/telegraf || echo "Failed to set additional capabilities on /usr/bin/telegraf"
 
+    # ensure HOME is set to the telegraf user's home dir
     export HOME=$(getent passwd telegraf | cut -d : -f 6)
-    exec setpriv --reuid telegraf --regid telegraf --groups telegraf "$@"
+
+    # honor groups supplied via 'docker run --group-add ...' but drop 'root' (the sed
+    # removes 'telegraf' since we unconditionally add it and don't want it listed twice)
+    groups="telegraf"
+    extra_groups="$(id -Gn | sed \
+    -e 's/ /,/g' \
+    -e 's/,\(root\|telegraf\),/,/g' \
+    -e 's/^\(root\|telegraf\),//g'  \
+    -e 's/,\(root\|telegraf\)$//g' \
+    -e 's/^\(root\|telegraf\)$//g')"
+    if [ -n "$extra_groups" ]; then
+        groups="$groups,$extra_groups"
+    fi
+    exec setpriv --reuid telegraf --regid telegraf --groups "$groups" "$@"
 fi