Try run as non-root

wallarm · Nov 28, 2023 · 7a383d0 · 7a383d0
1 parent 7c0324a
commit 7a383d0
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 14 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -9,10 +9,9 @@ LABEL AIO_VERSION=${AIO_VERSION}
 # core deps
 RUN addgroup -S wallarm && \
     adduser -S -D -G wallarm -h /opt/wallarm wallarm && \
-    adduser -S -D -G www-data -h /var/cache/nginx www-data && \
     apk update && \
     apk upgrade && \
-    apk add bash runuser socat logrotate libgcc gomplate && \
+    apk add bash socat logrotate libgcc gomplate && \
     rm -r /var/cache/apk/*
 
 # install wallarm
@@ -32,10 +31,15 @@ COPY scripts/init /usr/local/bin/
 RUN /bin/bash -c \
     'mkdir -p /etc/nginx/{modules-available,modules-enabled,sites-available,sites-enabled} && \
     ln -sf /etc/nginx/modules-available/mod-http-wallarm.conf /etc/nginx/modules-enabled/ && \
-    rm /etc/nginx/conf.d/default.conf'
+    rm /etc/nginx/conf.d/default.conf && \
+    ln -sf /dev/stdout /var/log/nginx/access.log && \
+    ln -sf /dev/stderr /var/log/nginx/error.log && \
+    touch /etc/environment && \
+    chown -R wallarm:wallarm /run /etc/environment /etc/nginx /var/log/nginx /var/cache/nginx'
 COPY conf/nginx /etc/nginx/
 COPY conf/nginx_templates /opt/wallarm/
 
 EXPOSE 80 443
+USER wallarm
 
 CMD ["/usr/local/bin/init"]
diff --git a/conf/nginx/nginx.conf b/conf/nginx/nginx.conf
@@ -1,4 +1,4 @@
-user  www-data;
+user  wallarm;
 worker_processes  auto;
 pid        /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;

diff --git a/scripts/init b/scripts/init
@@ -51,17 +51,17 @@ register_node() {
     && [ -n "$NODE_SECRET" ] \
     && [ -n "$WALLARM_API_TOKEN" ]
   then
-    runuser -g wallarm -u wallarm -- /opt/wallarm/register-node \
+    /opt/wallarm/register-node \
       $args \
         --uuid "$NODE_UUID"
   else
-    runuser -g wallarm -u wallarm -- /opt/wallarm/register-node \
+    /opt/wallarm/register-node \
       $args
   fi
 }
 
 sync_node() {
-  cmd="runuser -g wallarm -u wallarm -- /opt/wallarm/usr/share/wallarm-common/syncnode -l STDOUT"
+  cmd="/opt/wallarm/usr/share/wallarm-common/syncnode -l STDOUT"
 
   for i in $(seq 1 3); do
     if $cmd; then
@@ -82,11 +82,11 @@ configure_nginx() {
      return 0
   fi
 
-  if [ x"${WALLARM_NGINX_LOG_TO_FILES}" != x"true" ]
-  then
-    ln -sf /dev/stdout /var/log/nginx/access.log
-    ln -sf /dev/stderr /var/log/nginx/error.log
-  fi
+  # if [ x"${WALLARM_NGINX_LOG_TO_FILES}" != x"true" ]
+  # then
+  #   ln -sf /dev/stdout /var/log/nginx/access.log
+  #   ln -sf /dev/stderr /var/log/nginx/error.log
+  # fi
 
   [ -n "$NGINX_BACKEND" ] || return 0
 
@@ -160,8 +160,8 @@ if [ x"$POSTANALYTIC_ONLY" = x"true" ] \
   || [ x"$POSTANALYTIC_ONLY" = x"True" ] \
   || [ x"$POSTANALYTIC_ONLY" = x"yes" ]
 then
-  exec /opt/wallarm/usr/bin/python3.8 /opt/wallarm/usr/bin/supervisord -n -u wallarm -c /opt/wallarm/etc/supervisord.conf
+  exec /opt/wallarm/usr/bin/python3.8 /opt/wallarm/usr/bin/supervisord -n -c /opt/wallarm/etc/supervisord.conf
 else
-  /opt/wallarm/usr/bin/python3.8 /opt/wallarm/usr/bin/supervisord -n -u wallarm -c /opt/wallarm/etc/supervisord.conf &
+  /opt/wallarm/usr/bin/python3.8 /opt/wallarm/usr/bin/supervisord -n -c /opt/wallarm/etc/supervisord.conf &
   exec /usr/sbin/nginx -g "daemon off;"
 fi