Create group icingaweb2 and users for daemon services #82

Open
t3easy opened this issue Apr 14, 2022 · 1 comment
t3easy commented Apr 14, 2022

The Docker image should add the same group as the Install from Source documentation.
https://icinga.com/docs/icinga-web-2/latest/doc/02-Installation/07-From-Source/#preparing-icinga-web-2-setup

It would also be useful to create the users for the daemons like director, vspheredb, x509.
This would make the image easier to extend for the daemon services.

At the moment, I do something like

```yaml
services:
  icingaweb2:
    build:
      target: icingaweb2
  director-daemon:
    build:
      target: director-daemon
  vspheredb-daemon:
    build:
      target: vspheredb-daemon
  x509-daemon:
    build:
      target: x509-daemon
```

with the Dockerfile:

```dockerfile
# Icinga Web 2
FROM icinga/icingaweb2:${ICINGAWEB2_VERSION} as icingaweb2

COPY --from=downloader /grafana /usr/share/icingaweb2/modules/grafana
COPY --from=ca-certificates:latest /usr/local/share/ca-certificates/*.crt /usr/local/share/ca-certificates/
USER root
RUN set -eux; \
        update-ca-certificates;
USER www-data

# Icinga Web 2 Director daemon
FROM icingaweb2 as director-daemon
USER root
RUN set -eux; \
        useradd -r -g www-data -d /var/lib/icingadirector -s /bin/false icingadirector; \
        install -d -o icingadirector -g www-data -m 0750 /var/lib/icingadirector;
ENTRYPOINT []
USER icingadirector
CMD ["/usr/bin/php","/usr/local/bin/icingacli","director","daemon","run"]

# Icinga Web 2 vSphere DB daemon
FROM icingaweb2 as vspheredb-daemon
USER root
RUN set -eux; \
        useradd -r -g www-data -d /var/lib/icingavspheredb -s /bin/false icingavspheredb; \
        install -d -o icingavspheredb -g www-data -m 0750 /var/lib/icingavspheredb;\
        install -d -o icingavspheredb -g www-data -m 755 /run/icinga-vspheredb;
ENTRYPOINT []
USER icingavspheredb
CMD ["/usr/bin/php","/usr/local/bin/icingacli","vspheredb","daemon","run"]

# Icinga Web 2 x509 daemon
FROM icingaweb2 as x509-daemon
ENTRYPOINT []
CMD ["/usr/bin/php","/usr/local/bin/icingacli","x509","jobs","run"]
```

If the users, group, home folders and run folders already existed, it would be enough to override the user, entrypoint and command in the docker-compose.yml, and a Dockerfile and a build step would not be required.

Al2Klimov (Member) commented

Distinct users are only required for isolation, but you already run separate containers which do that, so why the additional users? A daemon doesn't care which unprivileged user it was started as, so why not just use the existing user (www-data)?
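The setup discussed in this thread, as an added example that is not part of either comment or of the project's own files: a docker-compose.yml that runs the three daemons from the stock image as the existing www-data user, with no Dockerfile or build step. The `x-daemon` anchor, the capability and privilege settings, the unpinned image reference and the UID/GID 33 for www-data (the Debian convention) are assumptions.

```yaml
# Added example. Commands are the ones from the Dockerfile above; everything
# marked "assumption" is not taken from the issue.
x-daemon: &daemon
  image: icinga/icingaweb2        # assumption: pin the same tag as the web service
  user: www-data                  # existing unprivileged user in the image
  entrypoint: []                  # skip the image entrypoint, as ENTRYPOINT [] did
  cap_drop:                       # assumption: the daemons need no capabilities
    - ALL
  security_opt:
    - no-new-privileges:true      # assumption: block setuid privilege gain
  restart: unless-stopped

services:
  director-daemon:
    <<: *daemon
    command: ["/usr/bin/php", "/usr/local/bin/icingacli", "director", "daemon", "run"]

  vspheredb-daemon:
    <<: *daemon
    command: ["/usr/bin/php", "/usr/local/bin/icingacli", "vspheredb", "daemon", "run"]
    tmpfs:
      # Replaces the "install -d ... /run/icinga-vspheredb" build step.
      # assumption: www-data is UID/GID 33 in the image.
      - /run/icinga-vspheredb:uid=33,gid=33,mode=0755

  x509-daemon:
    <<: *daemon
    command: ["/usr/bin/php", "/usr/local/bin/icingacli", "x509", "jobs", "run"]
```

Each daemon also needs the same Icinga Web 2 configuration mounted as the web container; the mount paths are not given in this thread, so they are left out here.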
