Fix sudo usage for linux in kubehound.sh and makefile (#120)

* Fix sudo usage for linux in kubehound.sh * Check for docker availability in the makefile
DataDog · Sep 27, 2023 · 7ff2aa7 · 7ff2aa7
1 parent 77ac3c0
commit 7ff2aa7
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 36 deletions.
diff --git a/Makefile b/Makefile
@@ -7,7 +7,7 @@ DOCKER_COMPOSE_PROFILE := --profile infra
 DEV_ENV_FILE_PATH := test/setup/.config
 DEFAULT_KUBEHOUND_ENV := dev
 SYSTEM_TEST_CMD := system-test system-test-clean
-
+DOCKER_CMD := docker
 # get the latest commit hash in the short form
 COMMIT := $(shell git rev-parse --short HEAD)
 DATE := $(shell git log -1 --format=%cd --date=format:"%Y%m%d")
@@ -50,30 +50,39 @@ else
 	DOCKER_COMPOSE_FILE_PATH += -f deployments/kubehound/docker-compose.testing.yaml
 endif
 
-UNAME_S := $(shell uname -s)
-ifndef DOCKER_CMD
-	ifeq ($(UNAME_S),Linux)
-# https://docs.github.com/en/actions/learn-github-actions/variables
-		ifneq (${CI},true)
-			DOCKER_CMD := sudo docker
-		else
-			DOCKER_CMD := docker
-		endif
-	else
-		DOCKER_CMD := docker
-	endif
+# This block should handle the difference docker edge case (not installed, not allowed to run as the user...)
+# check if we can run the docker command from the current user
+# if not we try again with sudo, and if that also fail we assume the docker setup is broken and cannot work
+# so we abort
+docker-check:
+# exit early without error if custom docker cmd is provided
+ifeq ("docker", ${DOCKER_CMD})
+	@echo "Using provided docker cmd: ${DOCKER_CMD}"
 	DOCKER_CMD := ${DOCKER_CMD}
+else
+# exit early if docker is not found. No point in continuing
+ifeq (, $(shell command -v docker))
+    $(error "Docker not found")
+endif
+
+ifneq (, $(findstring Server Version,$(shell docker info)))
+    DOCKER_CMD := docker
+else ifneq (, $(findstring Server Version,$(shell sudo docker info)))
+    DOCKER_CMD := sudo docker
+else
+    $(error "We don't have the permission to run docker. Are you root or in the docker group?")
+endif
 endif
 
 RACE_FLAG_SYSTEM_TEST := "-race"
 ifeq (${CI},true)
 	RACE_FLAG_SYSTEM_TEST := ""
 endif
 
-DOCKER_HOSTNAME := $(shell hostname)
-ifneq (${CI},true)
-	DOCKER_CMD := DOCKER_HOSTNAME=$(DOCKER_HOSTNAME) $(DOCKER_CMD)
-endif
+# DOCKER_HOSTNAME := $(shell hostname)
+# ifneq (${CI},true)
+# 	DOCKER_CMD := DOCKER_HOSTNAME=$(DOCKER_HOSTNAME) $(DOCKER_CMD)
+# endif
 
 all: build
 
@@ -89,11 +98,11 @@ build: ## Build the application
 kubehound: | backend-up build ## Prepare kubehound (deploy backend, build go binary)
 
 .PHONY: backend-down
-backend-down: ## Tear down the kubehound stack
+backend-down: | docker-check ## Tear down the kubehound stack
 	$(DOCKER_CMD) compose $(DOCKER_COMPOSE_FILE_PATH) $(DOCKER_COMPOSE_PROFILE) rm -fvs 
 
 .PHONY: backend-up
-backend-up: ## Spawn the kubehound stack
+backend-up: | docker-check ## Spawn the kubehound stack
 	$(DOCKER_CMD) compose $(DOCKER_COMPOSE_FILE_PATH) $(DOCKER_COMPOSE_PROFILE) up --force-recreate --build -d 
 
 .PHONY: backend-reset

diff --git a/scripts/kubehound.sh b/scripts/kubehound.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-
 #
 # Lightweight wrapper script to run KubeHound from a release archive
 #
@@ -16,22 +15,34 @@ fi
 
 # Set the environment variables for the compose
 DOCKER_COMPOSE_PROFILE="--profile infra"
-export DOCKER_HOSTNAME=$(hostname)
+DOCKER_HOSTNAME=$(hostname)
+export DOCKER_HOSTNAME
 
-# Resolve the correct docker command for this environment (Linux requires sudo)
-UNAME_S=$(uname -s)
-if [ -z "${DOCKER_CMD}" ]; then
-    if [ "${UNAME_S}" == "Linux" ]; then
-        if [ -z "${CI}" ]; then
-            DOCKER_CMD="sudo docker"
-        else
-            DOCKER_CMD="docker"
-        fi
-    else
-        DOCKER_CMD="docker"
+# Make sure we have docker installed and we can access it (group / sudo permission)
+# This function is only called when docker is required
+check_docker() {
+    if [ -n "${DOCKER_CMD}" ]; then
+        return
     fi
-    DOCKER_CMD="${DOCKER_CMD}"
-fi
+
+    if ! [ -x "$(command -v docker)" ]; then
+    # docker isn't available at all, there's no point in continuing
+        echo "Docker isn't available. You should install it."
+        exit 1
+    fi
+
+    DOCKER_CMD="docker"
+    if ! $DOCKER_CMD info > /dev/null 2>&1; then
+        echo "Docker isn't accessible with the current user. Retrying with sudo."
+        # We need to pass the env vars (DOCKER_HOSTNAME and DD_API_KEY) to sudo
+        DOCKER_CMD="sudo DOCKER_HOSTNAME=${DOCKER_HOSTNAME} DD_API_KEY=${DD_API_KEY} docker"
+    fi
+
+    if ! $DOCKER_CMD info > /dev/null 2>&1; then
+        echo "We don't have the permission to run docker. Are you root or in the docker group?"
+        exit 1
+    fi
+}
 
 # Run the kubehound binary
 run() {
@@ -40,25 +51,29 @@ run() {
 
 # Shut down the kubehound backend
 backend_down() {
+    check_docker
     ${DOCKER_CMD} compose ${DOCKER_COMPOSE_FILE_PATH} ${DOCKER_COMPOSE_PROFILE} rm -fvs
 }
 
 # Bring up the kubehound backend
 backend_up() {
+    check_docker
     ${DOCKER_CMD} compose ${DOCKER_COMPOSE_FILE_PATH} ${DOCKER_COMPOSE_PROFILE} up --force-recreate --build -d
 }
 
 # Reset the kubehound backend
 backend_reset() {
+    check_docker
     ${DOCKER_CMD} compose ${DOCKER_COMPOSE_FILE_PATH} ${DOCKER_COMPOSE_PROFILE} rm -fvs
     ${DOCKER_CMD} compose ${DOCKER_COMPOSE_FILE_PATH} ${DOCKER_COMPOSE_PROFILE} up --force-recreate --build -d
 }
 
 # Reset the kubehound backend (WIPING ALL DATA)
 backend_reset_hard() {
+    check_docker
     backend_down
-    ${DOCKER_CMD} volume rm kubehound-${KUBEHOUND_ENV}_mongodb_data
-    ${DOCKER_CMD} volume rm kubehound-${KUBEHOUND_ENV}_kubegraph_data
+    ${DOCKER_CMD} volume rm "kubehound-${KUBEHOUND_ENV}_mongodb_data"
+    ${DOCKER_CMD} volume rm "kubehound-${KUBEHOUND_ENV}_kubegraph_data"
     backend_up
 }