From 72e41c03f55ae4ca4e5a70fff592d32d48b73fee Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 13 May 2021 20:11:49 +0200
Subject: [PATCH] lifecycle: run worker as root and drop perms later to fix docker permission issues
Signed-off-by: Jens Langhammer
---
 Dockerfile | 10 +---------
 docker-compose.yml | 5 +++++
 lifecycle/bootstrap.sh | 23 +++++++++++++++++++----
 3 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 883f1920a..6e4bb223a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -48,7 +48,7 @@ ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 RUN apt-get update && \
- apt-get install -y --no-install-recommends curl ca-certificates gnupg git && \
+ apt-get install -y --no-install-recommends curl ca-certificates gnupg git runit && \
 curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
 echo "deb http://apt.postgresql.org/pub/repos/apt buster-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
 apt-get update && \
@@ -58,14 +58,7 @@ RUN apt-get update && \
 apt-get autoremove --purge -y && \
 apt-get clean && \
 rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
- # This is quite hacky, but docker has no guaranteed Group ID
- # we could instead check for the GID of the socket and add the user dynamically,
- # but then we have to drop permmissions later
- groupadd -g 998 docker_998 && \
- groupadd -g 999 docker_999 && \
 adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
- usermod -a -G docker_998 authentik && \
- usermod -a -G docker_999 authentik && \
 mkdir /backups && \
 chown authentik:authentik /backups
@@ -77,7 +70,6 @@ COPY ./lifecycle/ /lifecycle
 COPY --from=builder /work/authentik /authentik-proxy
 USER authentik
-STOPSIGNAL SIGINT
 ENV TMPDIR /dev/shm/
 ENV PYTHONUBUFFERED 1
 ENTRYPOINT [ "/lifecycle/bootstrap.sh" ]
diff --git a/docker-compose.yml b/docker-compose.yml
index 722377f38..bd27285c2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
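Review bot: Removing `STOPSIGNAL SIGINT` in the third hunk means `docker stop` now delivers the default SIGTERM to the entrypoint, and since `ENTRYPOINT [ "/lifecycle/bootstrap.sh" ]` runs celery as a child of bash rather than replacing the shell (the bootstrap.sh hunk starts it via `chpst` without `exec`), it is not obvious from this file that either signal reaches the worker before the stop timeout kills it. Worth confirming with a timed `docker stop` that celery still shuts down warm; if it does not, prefixing the worker command in bootstrap.sh with `exec` would let the signal land on celery directly. Now that the fixed docker GIDs removed in the second hunk are gone, a short comment on the `USER authentik` line such as `# the worker is expected to be started as root (see docker-compose.yml) and drops to this user itself` would tell the next reader why the image user alone cannot reach the docker socket.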
@@ -64,8 +64,13 @@ services:
 AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
 AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
 # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
+ # This is optional, and can be removed. If you remove this, the following will happen
+ # - The permissions for the /backups and /media folders aren't fixed, so make sure they are 1000:1000
+ # - The docker socket can't be accessed anymore
+ user: root
 volumes:
 - ./backups:/backups
+ - ./media:/media
 - /var/run/docker.sock:/var/run/docker.sock
 - ./custom-templates:/templates
 - geoip:/geoip
diff --git a/lifecycle/bootstrap.sh b/lifecycle/bootstrap.sh
index 98256e1d5..fa0fe2be5 100755
--- a/lifecycle/bootstrap.sh
+++ b/lifecycle/bootstrap.sh
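Review bot: The added `user: root` together with the existing `/var/run/docker.sock` mount gives this container host-root-equivalent access at startup, and the privilege drop depends entirely on the entrypoint calling `check_if_root` and `chpst`; the new comment says what breaks without the line but not this trade-off. I'd extend it with `# NOTE: with docker.sock mounted, starting as root is host-root-equivalent until the entrypoint drops to the authentik user` so operators keeping or removing the line know what they are choosing. The hunk header only shows `services:`, so which service this block belongs to is not visible here; presumably it is the worker, which in the bootstrap.sh hunk is the only branch that drops privileges, and applying the same `user: root` to a service whose branch never does so would leave that service running as root.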
@@ -1,14 +1,29 @@
 #!/bin/bash -e
 python -m lifecycle.wait_for_db
 printf '{"event": "Bootstrap completed", "level": "info", "logger": "bootstrap", "command": "%s"}\n' "$@" > /dev/stderr
+
+function check_if_root {
+ if [[ $EUID -ne 0 ]]; then
+ printf '{"event": "Not running as root, disabling permission fixes", "level": "info", "logger": "bootstrap", "command": "%s"}\n' "$@" > /dev/stderr
+ return
+ fi
+ SOCKET="/var/run/docker.sock"
+ if [[ -e "$SOCKET" ]]; then
+ # Get group ID of the docker socket, so we can create a matching group and
+ # add ourselves to it
+ DOCKER_GID=$(stat -c '%g' $SOCKET)
+ usermod -a -G $DOCKER_GID authentik
+ fi
+ # Fix permissions of backups and media
+ chown -R authentik:authentik /media /backups
+}
+
 if [[ "$1" == "server" ]]; then
 python -m lifecycle.migrate
 /authentik-proxy
 elif [[ "$1" == "worker" ]]; then
- celery -A authentik.root.celery worker --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events
-elif [[ "$1" == "migrate" ]]; then
- printf "DEPERECATED: database migrations are now executed automatically on startup."
- python -m lifecycle.migrate
+ check_if_root
+ chpst -u authentik env HOME=/authentik celery -A authentik.root.celery worker --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events
 elif [[ "$1" == "backup" ]]; then
 python -m manage dbbackup --clean
 elif [[ "$1" == "restore" ]]; then
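Review bot: The comment above `DOCKER_GID=$(stat -c '%g' $SOCKET)` says a matching group is created, but nothing creates it; as far as I know `usermod -G` only accepts groups that already exist (a numeric value is looked up like a name), so when the socket's GID belongs to no group inside the image the call fails and, because of `#!/bin/bash -e`, the worker exits before celery starts. I'd write those lines as `DOCKER_GID=$(stat -c '%g' "$SOCKET")`, `getent group "$DOCKER_GID" >/dev/null || groupadd -g "$DOCKER_GID" docker`, `usermod -a -G "$DOCKER_GID" authentik`, which also quotes the expansions. `check_if_root` is called with no arguments, so the `"$@"` in its printf refers to the function's own empty parameters and the logged `command` is always empty; pass `"$@"` at the call site or drop the `%s`. Under the same `-e`, `chown -R authentik:authentik /media /backups` aborts the worker when `/media` does not exist — the Dockerfile hunks shown here only create `/backups` — so unless the image creates it elsewhere, create it or guard the path. Since that `chown -R` runs as root on host bind mounts, a comment stating that it rewrites ownership on the host directories would be worthwhile.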