feat: run Chronograf as non-root (#731)

powersj · web-flow · commit f677a3a86af4 · 2024-04-17T08:26:51.000-06:00
diff --git a/chronograf/1.10/alpine/Dockerfile b/chronograf/1.10/alpine/Dockerfile
@@ -1,7 +1,7 @@
 FROM alpine:3.18
 
 RUN echo 'hosts: files dns' >> /etc/nsswitch.conf
-RUN apk add --no-cache ca-certificates && \
+RUN apk add --no-cache ca-certificates su-exec && \
     update-ca-certificates
 
 ENV CHRONOGRAF_VERSION 1.10.3
@@ -25,7 +25,11 @@ RUN set -ex && \
     cp -a /usr/src/chronograf-*/* /usr/bin/ && \
     gpgconf --kill all && \
     rm -rf *.tar.gz* /usr/src /root/.gnupg && \
-    apk del .build-deps
+    apk del .build-deps && \
+    addgroup -S chronograf && \
+    adduser -S chronograf -G chronograf && \
+    mkdir -m 0750 -p /var/lib/chronograf && \
+    chown chronograf:chronograf /var/lib/chronograf
 
 COPY LICENSE /usr/share/chronograf/LICENSE
 COPY agpl-3.0.md /usr/share/chronograf/agpl-3.0.md
diff --git a/chronograf/1.10/alpine/entrypoint.sh b/chronograf/1.10/alpine/entrypoint.sh
@@ -9,4 +9,8 @@ if [ "$1" = 'chronograf' ]; then
   export BOLT_PATH=${BOLT_PATH:-/var/lib/chronograf/chronograf-v1.db}
 fi
 
-exec "$@"
+if [ "$(id -u)" -ne 0 ] || [ "${CHRONOGRAF_AS_ROOT}" = "true" ]; then
+    exec "$@"
+else
+    exec su-exec chronograf "$@"
+fi
diff --git a/chronograf/1.10/entrypoint.sh b/chronograf/1.10/entrypoint.sh
@@ -9,4 +9,8 @@ if [ "$1" = 'chronograf' ]; then
   export BOLT_PATH=${BOLT_PATH:-/var/lib/chronograf/chronograf-v1.db}
 fi
 
-exec "$@"
+if [ "$(id -u)" -ne 0 ] || [ "${CHRONOGRAF_AS_ROOT}" = "true" ]; then
+    exec "$@"
+else
+    exec setpriv --reuid chronograf --regid chronograf --init-groups "$@"
+fi
