Merge pull request #87 from Landoop/run-under-any-user

andmarios · web-flow · commit 49b52b7894a4 · 2018-10-22T23:39:31.000+03:00
Run under any user
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -9,21 +9,25 @@ RUN apk add --no-cache ca-certificates wget \
 # Add and Setup Caddy webserver
 RUN wget "https://github.com/mholt/caddy/releases/download/v0.10.11/caddy_v0.10.11_linux_amd64.tar.gz" -O /caddy.tgz \
     && mkdir caddy \
-    && tar xzf caddy.tgz -C /caddy \
+    && tar xzf caddy.tgz -C /caddy --no-same-owner \
     && rm -f /caddy.tgz
 
 # Add and Setup Kafka Connect UI
 ARG KAFKA_CONNECT_UI_VERSION="0.9.6"
 ARG KAFKA_CONNECT_UI_URL="https://github.com/Landoop/kafka-connect-ui/releases/download/v.${KAFKA_CONNECT_UI_VERSION}/kafka-connect-ui-${KAFKA_CONNECT_UI_VERSION}.tar.gz"
 RUN wget "$KAFKA_CONNECT_UI_URL" -O /kafka-connect-ui.tar.gz \
     && mkdir /kafka-connect-ui \
-    && tar xzf /kafka-connect-ui.tar.gz -C /kafka-connect-ui \
-    && rm -f /kafka-connect-ui.tar.gz
+    && tar xzf /kafka-connect-ui.tar.gz -C /kafka-connect-ui --no-same-owner \
+    && rm -f /kafka-connect-ui.tar.gz \
+    && rm -f /kafka-connect-ui/env.js \
+    && ln -s /tmp/env.js /kafka-connect-ui/env.js
 
 # Add configuration and runtime files
 ADD Caddyfile /caddy/Caddyfile.template
 ADD run.sh /
 RUN chmod +x /run.sh
 
 EXPOSE 8000
+
+# USER nobody:nogroup
 ENTRYPOINT ["/run.sh"]
diff --git a/docker/run.sh b/docker/run.sh
@@ -20,7 +20,7 @@ PORT="${PORT:-8000}"
     CONNECT_URL="${CONNECT_URL:-http://localhost:8083}"
 
     cat /caddy/Caddyfile.template |
-        sed -e "s/8000/$PORT/" > /caddy/Caddyfile
+        sed -e "s/8000/$PORT/" > /tmp/Caddyfile
 
     if echo "$PROXY" | egrep -sq "true|TRUE|y|Y|yes|YES|1"; then
         echo "Enabling proxy. You can disable this via PROXY=false."
@@ -38,7 +38,7 @@ PORT="${PORT:-8000}"
         let "NUM_CLUSTER+=1"
         if [[ "$NUM_CLUSTER" == 1 ]]; then
             OPEN_CURL="{"
-            cat <<EOF >/kafka-connect-ui/env.js
+            cat <<EOF >/tmp/env.js
 var clusters = [
 EOF
         fi
@@ -55,43 +55,49 @@ EOF
             CLUSTER_SANITIZED_NAME="${CLUSTER_NAME//[^a-zA-Z0-9_.-]/}"
         fi
         if echo $PROXY | egrep -sq "true|TRUE|y|Y|yes|YES|1"; then
-            cat <<EOF >>/caddy/Caddyfile
+            cat <<EOF >>/tmp/Caddyfile
 proxy /api/$CLUSTER_SANITIZED_NAME $CLUSTER_URL {
     without /api/$CLUSTER_SANITIZED_NAME
     $INSECURE_PROXY
 }
 EOF
-            cat <<EOF >>/kafka-connect-ui/env.js
+            cat <<EOF >>/tmp/env.js
    $OPEN_CURL
      NAME: "$CLUSTER_NAME",
      KAFKA_CONNECT: "/api/$CLUSTER_SANITIZED_NAME"
    }
 EOF
         else
-            cat <<EOF >>/kafka-connect-ui/env.js
+            cat <<EOF >>/tmp/env.js
    $OPEN_CURL
      NAME: "$CLUSTER_NAME",
      KAFKA_CONNECT: "$CLUSTER_URL"
    }
 EOF
         fi
     done
-    echo "]" >> /kafka-connect-ui/env.js
+    echo "]" >> /tmp/env.js
 
     if [[ -n "${CADDY_OPTIONS}" ]]; then
         echo "Applying custom options to Caddyfile"
-        cat <<EOF >>/caddy/Caddyfile
+        cat <<EOF >>/tmp/Caddyfile
 $CADDY_OPTIONS
 EOF
     fi
 
 
     # Here we emulate the output by Caddy. Why? Because we can't
     # redirect caddy to stderr as the logging would also get redirected.
-    echo
-    echo "Activating privacy features... done."
-    echo "http://0.0.0.0:$PORT"
+    cat <<EOF
+Note: if you use a PORT lower than 1024, please note that kafka-connect-ui can
+now run under any user. In the future a non-root user may become the default.
+In this case you will have to explicitly allow binding to such ports, either by
+setting the root user or something like '--sysctl net.ipv4.ip_unprivileged_port_start=0'.
+
+Activating privacy features... done.
+http://0.0.0.0:$PORT
+EOF
 } 1>&2
 
 
-exec /caddy/caddy -conf /caddy/Caddyfile -quiet
+exec /caddy/caddy -conf /tmp/Caddyfile -quiet
