diff --git a/openvoxdb/Containerfile b/openvoxdb/Containerfile
index cf89935..9ff0279 100644
--- a/openvoxdb/Containerfile
+++ b/openvoxdb/Containerfile
@@ -87,6 +87,29 @@ COPY Containerfile /
 # up in the worst case. The other timing parameters are set so that it
 # takes at most a minute to realize that PuppetDB has failed.
 # Probe failure during --start-period will not be counted towards the maximum number of retries
+
+# mirror user permissions to group, set group to root, and set gid bit on dirs
+RUN for d in \
+ /etc/puppetlabs \
+ /var/log/puppetlabs \
+ /var/run/puppetlabs \
+ /opt/puppetlabs/ \
+ ; do \
+ mkdir -p "$d"; \
+ chgrp -R 0 "$d"; \
+ chmod -R g=u "$d"; \
+ find "$d" -type d -exec chmod g+s {} +; \
+ done
+
+# the startup script has a check if the current user is puppetdb, this won't work with arbitrary UIDs
+# we can workaround the check by not setting a USER
+RUN sed -i 's/^USER="puppetdb"/USER=""/' /etc/default/puppetdb
+USER puppetdb:0
+
+# the foreground script that starts puppetdb tries to install a restartfile with a certain user.
+# we don't need it in a container and it also is incompatible with arbitrary UIDs
+RUN sed -i 's/^init_restart_file/#init_restart_file/' /opt/puppetlabs/server/apps/puppetdb/cli/apps/foreground
+
 # NOTE: k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
 HEALTHCHECK --start-period=5m --interval=10s --timeout=10s --retries=6 CMD ["/healthcheck.sh"]
diff --git a/openvoxdb/container-entrypoint.d/20-configure-ssl.sh b/openvoxdb/container-entrypoint.d/20-configure-ssl.sh
index ab23468..71afc3c 100755
--- a/openvoxdb/container-entrypoint.d/20-configure-ssl.sh
+++ b/openvoxdb/container-entrypoint.d/20-configure-ssl.sh
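Review bot: Neither `sed -i` in this hunk verifies that its pattern matched, so if a later package build changes the `USER="puppetdb"` line in `/etc/default/puppetdb` or the `init_restart_file` line in the `foreground` script, the image still builds and the user check or restart-file install silently returns; follow each edit with an assertion such as `grep -q '^USER=""$' /etc/default/puppetdb` and `! grep -q '^init_restart_file' /opt/puppetlabs/server/apps/puppetdb/cli/apps/foreground`. Separately, `chmod -R g=u` on `/etc/puppetlabs` gives gid 0 the owner's access to everything already under it at build time, and the three ssl.sh hunks in this commit remove `set_file_perms` (the 700/600 tightening on `${SSLDIR}`) without a replacement, so private keys written by `ssl.sh` at runtime keep whatever mode the process umask yields. The old tightening presumably failed under arbitrary UIDs because chmod requires file ownership, which is not visible here, but a best-effort variant that only strips world access, `find "${SSLDIR}/." -exec chmod o= -- {} + || true`, would keep the keys from being world-readable without depending on a fixed user. A comment in the Containerfile stating that key-file modes are now left to the umask would also help the next maintainer understand why the tightening is gone.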
@@ -10,9 +10,3 @@ if [ "$USE_OPENVOXSERVER" = true ]; then
 # enable SSL in Jetty
 sed -i '/^# ssl-/s/^# //g' /etc/puppetlabs/puppetdb/conf.d/jetty.ini
 fi
-
-if [ -w "$SSLDIR" ] && [ "$(id -un)" = "root" ]; then
- # make sure Java apps running as puppetdb can read these files
- echo "Setting ownership for $SSLDIR to puppetdb:puppetdb"
- chown -R puppetdb:puppetdb ${SSLDIR}
-fi
diff --git a/openvoxdb/ssl.sh b/openvoxdb/ssl.sh
index 05c88a7..b10fddd 100644
--- a/openvoxdb/ssl.sh
+++ b/openvoxdb/ssl.sh
@@ -152,14 +152,6 @@ ca_running() {
 httpsreq_insecure "$(get "${CA}/certificate/ca")" > /dev/null
 }
-set_file_perms() {
- msg "Securing permissions on ${SSLDIR}"
-
- # 700 for directories, 600 for files
- find "${SSLDIR}/." -type d -exec chmod u=rwx,g=,o= -- {} +
- find "${SSLDIR}/." -type f -exec chmod u=rw,g=,o= -- {} +
-}
-
 ### Verify we got a signed certificate
 verify_cert() {
 if [ -f "${CERTFILE}" ] && [ "$(head -1 "${CERTFILE}")" = "${CERTHEADER}" ]; then
@@ -260,7 +252,6 @@ msg "* WAITFORCERT: '${WAITFORCERT}' seconds"
 certnames=$(cd "${PRIVKEYDIR}" && ls -A -m -- *.pem 2> /dev/null)
 if [ -s "${CERTFILE}" ]; then
 msg "Certificates (${certnames}) have already been generated - exiting!"
- set_file_perms
 exit 0
 # warn when rekeying an existing host as it's typically user error
 elif [ -n "${certnames}" ]; then
@@ -373,6 +364,4 @@ if ! cert=$(retry_httpsreq "$CERTREQ" $((WAITFORCERT)) 10); then
 fi
 printf "%s\n" "${cert}" > "${CERTFILE}"
-set_file_perms
-
 verify_cert