Merge pull request #815 from influxdata/telegraf

chore: Replace su-exec with setpriv for Telegraf alpine

Author: jdstrand

telegraf/1.35/alpine/Dockerfile

@@ -1,7 +1,7 @@
-FROM alpine:3.20
+FROM alpine:3.22
 
 RUN echo 'hosts: files dns' >> /etc/nsswitch.conf
-RUN apk add --no-cache iputils ca-certificates net-snmp-tools procps lm_sensors tzdata su-exec libcap && \
+RUN apk add --no-cache iputils ca-certificates net-snmp-tools procps lm_sensors tzdata setpriv libcap && \
     update-ca-certificates
 
 ENV TELEGRAF_VERSION 1.35.1

telegraf/1.35/alpine/entrypoint.sh

@@ -11,5 +11,19 @@ else
     # Allow telegraf to send ICMP packets and bind to privliged ports
     setcap cap_net_raw,cap_net_bind_service+ep /usr/bin/telegraf || echo "Failed to set additional capabilities on /usr/bin/telegraf"
 
-    exec su-exec telegraf "$@"
+    # ensure HOME is set to the telegraf user's home dir
+    export HOME=$(getent passwd telegraf | cut -d : -f 6)
+
+    # honor groups supplied via 'docker run --group-add ...' but drop 'root'
+    # (also removes 'telegraf' since we unconditionally add it and don't want it listed twice)
+    # see https://github.com/influxdata/influxdata-docker/issues/724
+    groups="telegraf"
+    extra_groups="$(id -Gn || true)"
+    for group in $extra_groups; do
+        case "$group" in
+            root | telegraf) ;;
+            *) groups="$groups,$group" ;;
+        esac
+    done
+    exec setpriv --reuid telegraf --regid telegraf --groups "$groups" "$@"
 fi