From 83520188be87cbee6edb3ac995c647cf99acdf51 Mon Sep 17 00:00:00 2001
From: Josh Powers
Date: Wed, 13 Oct 2021 14:38:09 -0600
Subject: [PATCH 1/2] fix: telegraf do not run as root This runs Telegraf as a non-root user. For the Debian based Dockerfiles, the deb package will create a telegraf user and group for usage. All that is needed is to say run as the telegraf user. For Alpine based images, a telegraf user and group needs to be created and then run as that telegraf user. Fixes: #412
---
 telegraf/1.18/Dockerfile | 2 ++
 telegraf/1.18/alpine/Dockerfile | 4 ++++
 telegraf/1.19/Dockerfile | 2 ++
 telegraf/1.19/alpine/Dockerfile | 4 ++++
 telegraf/1.20/Dockerfile | 2 ++
 telegraf/1.20/alpine/Dockerfile | 4 ++++
 6 files changed, 18 insertions(+)
diff --git a/telegraf/1.18/Dockerfile b/telegraf/1.18/Dockerfile
index 7c616850d..efdf89cb8 100644
--- a/telegraf/1.18/Dockerfile
+++ b/telegraf/1.18/Dockerfile
@@ -30,6 +30,8 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
+USER telegraf
+
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]
diff --git a/telegraf/1.18/alpine/Dockerfile b/telegraf/1.18/alpine/Dockerfile
index 5e9aaa2ea..34647643c 100644
--- a/telegraf/1.18/alpine/Dockerfile
+++ b/telegraf/1.18/alpine/Dockerfile
@@ -29,6 +29,10 @@ RUN set -ex && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
+RUN addgroup -S telegraf
+RUN adduser -S telegraf -G telegraf
+USER telegraf
+
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]
diff --git a/telegraf/1.19/Dockerfile b/telegraf/1.19/Dockerfile
index 13dfb7a7a..20188085b 100644
--- a/telegraf/1.19/Dockerfile
+++ b/telegraf/1.19/Dockerfile
@@ -30,6 +30,8 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
+USER telegraf
+
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]
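Review bot: In telegraf/1.18/Dockerfile, `USER telegraf` also governs `ENTRYPOINT`, so entrypoint.sh and every plugin now start unprivileged, and nothing in the file tells operators that. entrypoint.sh is outside this hunk, so any step in it that assumed root should be re-checked; inputs that need extra access (reading the Docker socket, for example) will presumably have to be granted it at run time with `--user` or `--group-add`. I would add a comment above the directive, e.g. `# Runs as the telegraf account created by the .deb package; grant extra access with --user/--group-add rather than rebuilding as root`. The same applies to the 1.19 and 1.20 Debian hunks.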
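Review bot: In telegraf/1.18/alpine/Dockerfile, `adduser -S telegraf -G telegraf` leaves the UID and GID to BusyBox, so the numeric IDs are not fixed and need not match the ones the .deb package assigns in the Debian images. A name-only `USER telegraf` also cannot be verified by Kubernetes `runAsNonRoot`, which requires a numeric user. Pinning the IDs, e.g. `addgroup -S -g <gid> telegraf`, `adduser -S -u <uid> -G telegraf telegraf` and `USER <uid>:<gid>` (placeholders for values the maintainers choose), keeps volume ownership predictable. The 1.19 and 1.20 alpine hunks have the same lines, and [PATCH 2/2] moves them without pinning.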
diff --git a/telegraf/1.19/alpine/Dockerfile b/telegraf/1.19/alpine/Dockerfile
index 7075f95ef..2fd19bcaa 100644
--- a/telegraf/1.19/alpine/Dockerfile
+++ b/telegraf/1.19/alpine/Dockerfile
@@ -29,6 +29,10 @@ RUN set -ex && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
+RUN addgroup -S telegraf
+RUN adduser -S telegraf -G telegraf
+USER telegraf
+
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]
diff --git a/telegraf/1.20/Dockerfile b/telegraf/1.20/Dockerfile
index d71500fb9..63c2abe25 100644
--- a/telegraf/1.20/Dockerfile
+++ b/telegraf/1.20/Dockerfile
@@ -30,6 +30,8 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
+USER telegraf
+
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]
diff --git a/telegraf/1.20/alpine/Dockerfile b/telegraf/1.20/alpine/Dockerfile
index e8e89f60c..26523c5ee 100644
--- a/telegraf/1.20/alpine/Dockerfile
+++ b/telegraf/1.20/alpine/Dockerfile
@@ -29,6 +29,10 @@ RUN set -ex && \
 
 EXPOSE 8125/udp 8092/udp 8094
 
+RUN addgroup -S telegraf
+RUN adduser -S telegraf -G telegraf
+USER telegraf
+
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["telegraf"]
From 314576c693263502c1b5a717e9844266731921b1 Mon Sep 17 00:00:00 2001
From: Josh Powers
Date: Mon, 18 Oct 2021 12:38:10 -0600
Subject: [PATCH 2/2] telegraf: update alpine dockerfiles * consolidates the addgroup & adduser commands * sets the owner & group of the /etc/telegraf directory to the new telegraf user & group
---
 telegraf/1.18/alpine/Dockerfile | 7 ++++---
 telegraf/1.19/alpine/Dockerfile | 7 ++++---
 telegraf/1.20/alpine/Dockerfile | 7 ++++---
 3 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/telegraf/1.18/alpine/Dockerfile b/telegraf/1.18/alpine/Dockerfile
index 34647643c..7ff2d9598 100644
--- a/telegraf/1.18/alpine/Dockerfile
+++ b/telegraf/1.18/alpine/Dockerfile
@@ -25,12 +25,13 @@ RUN set -ex && \
 cp -a /usr/src/telegraf*/usr/bin/telegraf /usr/bin/ && \
 gpgconf --kill all && \
 rm -rf *.tar.gz* /usr/src /root/.gnupg && \
- apk del .build-deps
+ apk del .build-deps && \
+ addgroup -S telegraf && \
+ adduser -S telegraf -G telegraf && \
+ chown -R telegraf:telegraf /etc/telegraf
 
 EXPOSE 8125/udp 8092/udp 8094
 
-RUN addgroup -S telegraf
-RUN adduser -S telegraf -G telegraf
 USER telegraf
 
 COPY entrypoint.sh /entrypoint.sh
diff --git a/telegraf/1.19/alpine/Dockerfile b/telegraf/1.19/alpine/Dockerfile
index 2fd19bcaa..9a0b38593 100644
--- a/telegraf/1.19/alpine/Dockerfile
+++ b/telegraf/1.19/alpine/Dockerfile
@@ -25,12 +25,13 @@ RUN set -ex && \
 cp -a /usr/src/telegraf*/usr/bin/telegraf /usr/bin/ && \
 gpgconf --kill all && \
 rm -rf *.tar.gz* /usr/src /root/.gnupg && \
- apk del .build-deps
+ apk del .build-deps && \
+ addgroup -S telegraf && \
+ adduser -S telegraf -G telegraf && \
+ chown -R telegraf:telegraf /etc/telegraf
 
 EXPOSE 8125/udp 8092/udp 8094
 
-RUN addgroup -S telegraf
-RUN adduser -S telegraf -G telegraf
 USER telegraf
 
 COPY entrypoint.sh /entrypoint.sh
diff --git a/telegraf/1.20/alpine/Dockerfile b/telegraf/1.20/alpine/Dockerfile
index 26523c5ee..095c4368f 100644
--- a/telegraf/1.20/alpine/Dockerfile
+++ b/telegraf/1.20/alpine/Dockerfile
@@ -25,12 +25,13 @@ RUN set -ex && \
 cp -a /usr/src/telegraf*/usr/bin/telegraf /usr/bin/ && \
 gpgconf --kill all && \
 rm -rf *.tar.gz* /usr/src /root/.gnupg && \
- apk del .build-deps
+ apk del .build-deps && \
+ addgroup -S telegraf && \
+ adduser -S telegraf -G telegraf && \
+ chown -R telegraf:telegraf /etc/telegraf
 
 EXPOSE 8125/udp 8092/udp 8094
 
-RUN addgroup -S telegraf
-RUN adduser -S telegraf -G telegraf
 USER telegraf
 
 COPY entrypoint.sh /entrypoint.sh
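Review bot: In telegraf/1.18/alpine/Dockerfile, `chown -R telegraf:telegraf /etc/telegraf` hands the configuration directory to the same account the daemon runs as, so a compromised Telegraf process could rewrite its own configuration. The service should only need to read that directory; keeping it root-owned and granting group read, e.g. `chgrp -R telegraf /etc/telegraf && chmod -R g+rX /etc/telegraf`, is the tighter choice. The RUN instruction starts above the hunk, so how /etc/telegraf is created and with which mode is not visible here. The 1.19 and 1.20 alpine hunks carry the same line.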