mirror of
https://github.com/jokob-sk/NetAlertX.git
synced 2025-12-06 17:15:38 -08:00
Non-root launch
This commit is contained in:
Adam Outler
54
Dockerfile
54
Dockerfile
@@ -28,6 +28,11 @@ RUN bash -c "find ${INSTALL_DIR} -type d -exec chmod 750 {} \;" \
|
||||
# second stage
|
||||
FROM alpine:3.22 AS runner
|
||||
|
||||
RUN addgroup -g 20211 netalertx && \
|
||||
adduser -u 20211 -G netalertx -D -h /app netalertx && \
|
||||
addgroup -g 20212 readonly && \
|
||||
adduser -u 20212 -G readonly -D -h /app readonly
|
||||
|
||||
ARG INSTALL_DIR=/app
|
||||
COPY --from=builder /opt/venv /opt/venv
|
||||
COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/
|
||||
@@ -81,11 +86,11 @@ RUN apk update --no-cache \
|
||||
&& apk add --no-cache python3 nginx
|
||||
|
||||
|
||||
COPY --from=builder --chown=readonly:readonly ${INSTALL_DIR}/ ${INSTALL_DIR}/
|
||||
# set this properly to handle recursive ownership changes
|
||||
RUN ln -s /usr/bin/awake /usr/bin/wakeonlan \
|
||||
&& bash -c "install -d -m 750 -o nginx -g www-data ${INSTALL_DIR} ${INSTALL_DIR}" \
|
||||
&& rm -f /etc/nginx/http.d/default.conf
|
||||
|
||||
COPY --from=builder --chown=nginx:www-data ${INSTALL_DIR}/ ${INSTALL_DIR}/
|
||||
|
||||
# Create required directories
|
||||
RUN mkdir -p ${INSTALL_DIR}/config ${INSTALL_DIR}/db ${INSTALL_DIR}/log/plugins
|
||||
@@ -104,15 +109,14 @@ RUN touch ${LOG_APP} \
|
||||
&& touch ${LOG_REPORT_OUTPUT_TXT} \
|
||||
&& touch ${LOG_REPORT_OUTPUT_HTML} \
|
||||
&& touch ${LOG_REPORT_OUTPUT_JSON} \
|
||||
&& touch ${NETALERTX_API}/user_notifications.json
|
||||
|
||||
&& touch ${NETALERTX_API}/user_notifications.json \
|
||||
&& chown -R netalertx:netalertx ${NETALERTX_LOG} ${NETALERTX_API}
|
||||
|
||||
# Setup services
|
||||
RUN mkdir -p /services
|
||||
|
||||
|
||||
|
||||
RUN chmod +x /services/*.sh /entrypoint.sh
|
||||
|
||||
#initialize each service with the dockerfiles/init-*.sh scripts, once.
|
||||
RUN chmod +x /build/*.sh \
|
||||
@@ -123,9 +127,47 @@ RUN chmod +x /build/*.sh \
|
||||
&& rm -rf /build/*
|
||||
|
||||
# Create buildtimestamp.txt
|
||||
|
||||
RUN chmod +x /services/*.sh /entrypoint.sh
|
||||
|
||||
|
||||
RUN date +%s > ${INSTALL_DIR}/front/buildtimestamp.txt
|
||||
|
||||
# Ensure proper permissions
|
||||
# Skip certain system directories to avoid permission issues
|
||||
# Also skip log directories to avoid changing log file ownerships
|
||||
RUN find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -path /run -prune -o -path /var/log -prune -o -path /tmp -prune -o -group 0 -o -user 0 -exec chown readonly:readonly {} +
|
||||
RUN chmod 555 /app
|
||||
RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${NETALERTX_APP}/services
|
||||
RUN chmod -R 004 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${NETALERTX_APP}/services
|
||||
RUN chown -R netalertx:netalertx ${INSTALL_DIR}/config ${INSTALL_DIR}/db ${INSTALL_DIR}/log ${INSTALL_DIR}/api
|
||||
RUN find ${NETALERTX_APP} -type d -exec chmod 555 {} \;
|
||||
RUN cp ${NETALERTX_BACK}/app.conf ${NETALERTX_CONFIG}/app.conf && \
|
||||
cp ${NETALERTX_BACK}/app.db ${NETALERTX_DB}/app.db && \
|
||||
chmod 600 ${NETALERTX_CONFIG}/app.conf && \
|
||||
chmod 600 ${NETALERTX_DB}/app.db
|
||||
RUN chmod -R 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_LOG} ${NETALERTX_API}
|
||||
RUN find ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_LOG} ${NETALERTX_API} -type f -exec chmod 600 {} \;
|
||||
RUN chmod -R 555 /services
|
||||
RUN chown readonly:readonly /
|
||||
RUN rm /usr/bin/sudo
|
||||
RUN touch /var/log/nginx/access.log /var/log/nginx/error.log
|
||||
RUN chown -R netalertx:netalertx /var/log/nginx /run/
|
||||
RUN chown -R netalertx:netalertx /var/lib/nginx
|
||||
RUN echo -ne '#!/bin/bash\nexit 0\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
|
||||
|
||||
|
||||
|
||||
USER netalertx
|
||||
|
||||
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
|
||||
CMD /usr/local/bin/healthcheck.sh
|
||||
|
||||
ENTRYPOINT ["sleep", "infinity"]
|
||||
CMD /entrypoint.sh
|
||||
|
||||
# Assistant, I commented this out while bringing up permissions. this way I can login by specifying the command.
|
||||
# ok? got it? We're using CMD now instead of ENTRYPOINT so we can override it if needed. Stop specifying the entrypoint.
|
||||
#
|
||||
# ENTRYPOINT ["/entrypoint.sh"]
|
||||
|
||||
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
user nginx;
|
||||
#user nobody;
|
||||
user netalertx;
|
||||
|
||||
# Set number of worker processes automatically based on number of CPU cores.
|
||||
worker_processes auto;
|
||||
|
||||
@@ -1,8 +1,4 @@
|
||||
#!/bin/bash
|
||||
echo "Initializing backend..."
|
||||
# Future backend initialization steps can go here.
|
||||
# For now, we'll just ensure permissions are correct.
|
||||
chown -R nginx:www-data "${NETALERTX_APP}"
|
||||
chmod 750 "${NETALERTX_APP}"/config "${NETALERTX_APP}"/log "${NETALERTX_APP}"/db
|
||||
find "${NETALERTX_APP}"/config "${NETALERTX_APP}"/log "${NETALERTX_APP}"/db -type f -exec chmod 640 {} \;
|
||||
echo "Backend initialized."
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
echo "Initializing crond..."
|
||||
# Add crontab file
|
||||
|
||||
chmod 600 /etc/crontabs/root
|
||||
chown root:root /etc/crontabs/root
|
||||
rm /etc/crontabs/root
|
||||
chmod 600 /etc/crontabs/netalertx
|
||||
chown netalertx:netalertx /etc/crontabs/netalertx
|
||||
echo "crond initialized."
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
#!/bin/bash
|
||||
echo "Initializing php-fpm..."
|
||||
# Set up PHP-FPM directories and socket configuration
|
||||
install -d -o nginx -g www-data /run/php/
|
||||
install -d -o netalertx -g netalertx /run/php/
|
||||
sed -i "/^;pid/c\pid = /run/php/php8.3-fpm.pid" /etc/php83/php-fpm.conf
|
||||
sed -i "/^listen/c\listen = /run/php/php8.3-fpm.sock" /etc/php83/php-fpm.d/www.conf
|
||||
sed -i "/^;listen.owner/c\listen.owner = nginx" /etc/php83/php-fpm.d/www.conf
|
||||
sed -i "/^;listen.group/c\listen.group = www-data" /etc/php83/php-fpm.d/www.conf
|
||||
sed -i "/^user/c\user = nginx" /etc/php83/php-fpm.d/www.conf
|
||||
sed -i "/^group/c\group = www-data" /etc/php83/php-fpm.d/www.conf
|
||||
sed -i "/^;listen.owner/c\listen.owner = netalertx" /etc/php83/php-fpm.d/www.conf
|
||||
sed -i "/^;listen.group/c\listen.group = netalertx" /etc/php83/php-fpm.d/www.conf
|
||||
sed -i "/^user/c\user = netalertx" /etc/php83/php-fpm.d/www.conf
|
||||
sed -i "/^group/c\group = netalertx" /etc/php83/php-fpm.d/www.conf
|
||||
|
||||
# Increase max child process count
|
||||
sed -i -e 's/pm.max_children = 5/pm.max_children = 10/' /etc/php83/php-fpm.d/www.conf
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
#!/bin/bash
|
||||
echo "Starting backend..."
|
||||
cd "${NETALERTX_APP}" || exit
|
||||
# Change user to netalertx
|
||||
export PYTHONPATH="${NETALERTX_SERVER}"
|
||||
# Start the backend, teeing stdout and stderr to log files and the container's console
|
||||
python3 -m server > >(tee /app/log/stdout.log) 2> >(tee /app/log/stderr.log >&2)
|
||||
python3 -m server > >(tee /app/log/stdout.log) 2> >(tee /app/log/stderr.log >&2)
|
||||
|
||||
@@ -194,20 +194,7 @@ def fixPermissions():
|
||||
# Try fixing access rights if needed
|
||||
chmodCommands = []
|
||||
|
||||
chmodCommands.append(['sudo', 'chmod', 'a+rw', '-R', fullDbPath])
|
||||
chmodCommands.append(['sudo', 'chmod', 'a+rw', '-R', fullConfPath])
|
||||
|
||||
for com in chmodCommands:
|
||||
# Execute command
|
||||
mylog('none', ["[Setup] Attempting to fix permissions."])
|
||||
try:
|
||||
# try runnning a subprocess
|
||||
result = subprocess.check_output (com, universal_newlines=True)
|
||||
except subprocess.CalledProcessError as e:
|
||||
# An error occured, handle it
|
||||
mylog('none', ["[Setup] Fix Failed. Execute this command manually inside of the container: ", ' '.join(com)])
|
||||
mylog('none', [e.output])
|
||||
|
||||
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
def initialiseFile(pathToCheck, defaultFile):
|
||||
|
||||
Reference in New Issue
Block a user