From 289f8f310e5cbc8b3aca61f672fb3dfecb8f057f Mon Sep 17 00:00:00 2001
From: Christophe Labouisse
Date: Thu, 26 Mar 2015 22:49:37 +0100
Subject: [PATCH 1/3] Make the privilege drop down optional

As in some situation, it is impossible to execute `chown` on the data directory running elasticsearch as the `elasticsearch` user is not possible. The entry point now supports to run elasticsearch as `root` if the `RUN_AS_ROOT` environment variable is set to a non empty string. Fixes #5
---
 1.3/docker-entrypoint.sh | 2 +-
 1.4/docker-entrypoint.sh | 2 +-
 1.5/docker-entrypoint.sh | 2 +-
 docker-entrypoint.sh | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/1.3/docker-entrypoint.sh b/1.3/docker-entrypoint.sh
index a8fca33..970e847 100755
--- a/1.3/docker-entrypoint.sh
+++ b/1.3/docker-entrypoint.sh
@@ -8,7 +8,7 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # Drop root privileges if we are running elasticsearch
-if [ "$1" = 'elasticsearch' ]; then
+if [ "$1" = 'elasticsearch' -a -z "$RUN_AS_ROOT" ]; then
 # Change the ownership of /usr/share/elasticsearch/data to elasticsearch
 chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data
 exec gosu elasticsearch "$@"
diff --git a/1.4/docker-entrypoint.sh b/1.4/docker-entrypoint.sh
index a8fca33..970e847 100755
--- a/1.4/docker-entrypoint.sh
+++ b/1.4/docker-entrypoint.sh
@@ -8,7 +8,7 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # Drop root privileges if we are running elasticsearch
-if [ "$1" = 'elasticsearch' ]; then
+if [ "$1" = 'elasticsearch' -a -z "$RUN_AS_ROOT" ]; then
 # Change the ownership of /usr/share/elasticsearch/data to elasticsearch
 chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data
 exec gosu elasticsearch "$@"
diff --git a/1.5/docker-entrypoint.sh b/1.5/docker-entrypoint.sh
index a8fca33..970e847 100755
--- a/1.5/docker-entrypoint.sh
+++ b/1.5/docker-entrypoint.sh
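Review bot: The test added in the 1.3/docker-entrypoint.sh hunk keeps Elasticsearch running as root for any non-empty `RUN_AS_ROOT`, so values such as `0` or `false` also switch the privilege drop off, and nothing in the hunk reports that this happened. I would state the semantics above the test, e.g. `# RUN_AS_ROOT: any non-empty value (even "0" or "false") keeps the process running as root`, and print a warning to stderr on that path so the weaker posture shows up in the container logs. The script already depends on bash (`${1:0:1}`), so `if [ "$1" = 'elasticsearch' ] && [ -z "$RUN_AS_ROOT" ]; then` would avoid the obsolescent `-a` operator of `test`. The same line is added in the 1.4, 1.5 and top-level docker-entrypoint.sh hunks, and the `if` block closes outside each hunk.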
@@ -8,7 +8,7 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # Drop root privileges if we are running elasticsearch
-if [ "$1" = 'elasticsearch' ]; then
+if [ "$1" = 'elasticsearch' -a -z "$RUN_AS_ROOT" ]; then
 # Change the ownership of /usr/share/elasticsearch/data to elasticsearch
 chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data
 exec gosu elasticsearch "$@"
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index a8fca33..970e847 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -8,7 +8,7 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # Drop root privileges if we are running elasticsearch
-if [ "$1" = 'elasticsearch' ]; then
+if [ "$1" = 'elasticsearch' -a -z "$RUN_AS_ROOT" ]; then
 # Change the ownership of /usr/share/elasticsearch/data to elasticsearch
 chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data
 exec gosu elasticsearch "$@"
From 04356c816e2c2667b9f08e521a45c4b63c47d51a Mon Sep 17 00:00:00 2001
From: Christophe Labouisse
Date: Thu, 26 Mar 2015 23:50:16 +0100
Subject: [PATCH 2/3] Make entry point more versatile for USER.

The user and group can now be choosen using the `RUN_AS` environment variable. `RUN_AS` should follow the `user[:group]` pattern and both user/group numbers and user/group names are accepted. The `chown`/`gosu` mechanism is skipped when the user is either `0` or `root` or if the command is not `elasticsearch`.
---
 1.3/docker-entrypoint.sh | 11 +++++++----
 1.4/docker-entrypoint.sh | 11 +++++++----
 1.5/docker-entrypoint.sh | 11 +++++++----
 docker-entrypoint.sh | 11 +++++++----
 4 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/1.3/docker-entrypoint.sh b/1.3/docker-entrypoint.sh
index 970e847..a510568 100755
--- a/1.3/docker-entrypoint.sh
+++ b/1.3/docker-entrypoint.sh
@@ -7,11 +7,14 @@ if [ "${1:0:1}" = '-' ]; then
 set -- elasticsearch "$@"
 fi
 
-# Drop root privileges if we are running elasticsearch
-if [ "$1" = 'elasticsearch' -a -z "$RUN_AS_ROOT" ]; then
+RUN_AS=${RUN_AS:-elasticsearch:elasticsearch}
+RUN_AS_USER=${RUN_AS/:*/}
+
+# Drop root privileges if we are running elasticsearch and RUN_AS is not root
+if [ "$1" = 'elasticsearch' -a "$RUN_AS_USER" != '0' -a "$RUN_AS_USER" != 'root' ]; then
 # Change the ownership of /usr/share/elasticsearch/data to elasticsearch
- chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data
- exec gosu elasticsearch "$@"
+ chown -R $RUN_AS /usr/share/elasticsearch/data
+ exec gosu $RUN_AS_USER "$@"
 fi
 
 # As argument is not related to elasticsearch,
diff --git a/1.4/docker-entrypoint.sh b/1.4/docker-entrypoint.sh
index 970e847..a510568 100755
--- a/1.4/docker-entrypoint.sh
+++ b/1.4/docker-entrypoint.sh
@@ -7,11 +7,14 @@ if [ "${1:0:1}" = '-' ]; then
 set -- elasticsearch "$@"
 fi
 
-# Drop root privileges if we are running elasticsearch
-if [ "$1" = 'elasticsearch' -a -z "$RUN_AS_ROOT" ]; then
+RUN_AS=${RUN_AS:-elasticsearch:elasticsearch}
+RUN_AS_USER=${RUN_AS/:*/}
+
+# Drop root privileges if we are running elasticsearch and RUN_AS is not root
+if [ "$1" = 'elasticsearch' -a "$RUN_AS_USER" != '0' -a "$RUN_AS_USER" != 'root' ]; then
 # Change the ownership of /usr/share/elasticsearch/data to elasticsearch
- chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data
- exec gosu elasticsearch "$@"
+ chown -R $RUN_AS /usr/share/elasticsearch/data
+ exec gosu $RUN_AS_USER "$@"
 fi
 
 # As argument is not related to elasticsearch,
diff --git a/1.5/docker-entrypoint.sh b/1.5/docker-entrypoint.sh
index 970e847..a510568 100755
--- a/1.5/docker-entrypoint.sh
+++ b/1.5/docker-entrypoint.sh
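Review bot: `$RUN_AS` and `$RUN_AS_USER` are expanded unquoted on the new `chown -R` and `exec gosu` lines of the 1.3/docker-entrypoint.sh hunk, and both commands run as root with a value taken straight from the environment. A value containing whitespace or glob characters is split into extra arguments, one starting with `-` is read by `chown` as an option, and `RUN_AS=:group` leaves the user part empty so that `gosu` takes the first word of `"$@"` as its user. Quoting both expansions and rejecting anything that is not shaped like `user[:group]` before the recursive chown would close this; the unchanged comment above `chown` also still says ownership goes to `elasticsearch`. The same lines are added in the 1.4, 1.5 and top-level hunks, and the `if` block that opens the hunk header starts outside it.

```shell
RUN_AS=${RUN_AS:-elasticsearch:elasticsearch}
# Accept only user[:group] built from name/number characters;
# refuse option-like, multi-word or glob-bearing values before acting as root.
case "$RUN_AS" in
	-*|:*|*:*:*|*[!A-Za-z0-9_.:-]*)
		echo >&2 "docker-entrypoint: invalid RUN_AS '$RUN_AS' (expected user[:group])"
		exit 1
		;;
esac
# … unchanged: RUN_AS_USER derivation and the elasticsearch / not-root test …
	# Change the ownership of /usr/share/elasticsearch/data to the RUN_AS user[:group]
	chown -R -- "$RUN_AS" /usr/share/elasticsearch/data
	exec gosu "$RUN_AS_USER" "$@"
```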
@@ -7,11 +7,14 @@ if [ "${1:0:1}" = '-' ]; then
 set -- elasticsearch "$@"
 fi
 
-# Drop root privileges if we are running elasticsearch
-if [ "$1" = 'elasticsearch' -a -z "$RUN_AS_ROOT" ]; then
+RUN_AS=${RUN_AS:-elasticsearch:elasticsearch}
+RUN_AS_USER=${RUN_AS/:*/}
+
+# Drop root privileges if we are running elasticsearch and RUN_AS is not root
+if [ "$1" = 'elasticsearch' -a "$RUN_AS_USER" != '0' -a "$RUN_AS_USER" != 'root' ]; then
 # Change the ownership of /usr/share/elasticsearch/data to elasticsearch
- chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data
- exec gosu elasticsearch "$@"
+ chown -R $RUN_AS /usr/share/elasticsearch/data
+ exec gosu $RUN_AS_USER "$@"
 fi
 
 # As argument is not related to elasticsearch,
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 970e847..a510568 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -7,11 +7,14 @@ if [ "${1:0:1}" = '-' ]; then
 set -- elasticsearch "$@"
 fi
 
-# Drop root privileges if we are running elasticsearch
-if [ "$1" = 'elasticsearch' -a -z "$RUN_AS_ROOT" ]; then
+RUN_AS=${RUN_AS:-elasticsearch:elasticsearch}
+RUN_AS_USER=${RUN_AS/:*/}
+
+# Drop root privileges if we are running elasticsearch and RUN_AS is not root
+if [ "$1" = 'elasticsearch' -a "$RUN_AS_USER" != '0' -a "$RUN_AS_USER" != 'root' ]; then
 # Change the ownership of /usr/share/elasticsearch/data to elasticsearch
- chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data
- exec gosu elasticsearch "$@"
+ chown -R $RUN_AS /usr/share/elasticsearch/data
+ exec gosu $RUN_AS_USER "$@"
 fi
 
 # As argument is not related to elasticsearch,
From 1dc18d4e87e7d0ac3cbf8a4689eb736ce6a48425 Mon Sep 17 00:00:00 2001
From: Christophe Labouisse
Date: Thu, 9 Apr 2015 20:20:18 +0200
Subject: [PATCH 3/3] [WIP] use RUN_AS form both chown and gosu

---
 docker-entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index a510568..6d381b9 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -14,7 +14,7 @@ RUN_AS_USER=${RUN_AS/:*/}
 if [ "$1" = 'elasticsearch' -a "$RUN_AS_USER" != '0' -a "$RUN_AS_USER" != 'root' ]; then
 # Change the ownership of /usr/share/elasticsearch/data to elasticsearch
 chown -R $RUN_AS /usr/share/elasticsearch/data
- exec gosu $RUN_AS_USER "$@"
+ exec gosu $RUN_AS "$@"
 fi
 
 # As argument is not related to elasticsearch,
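Review bot: With the group now handed to `gosu`, the guard on the first context line of this hunk still inspects only `$RUN_AS_USER`, so a value such as `elasticsearch:0` passes the not-root test and starts Elasticsearch with the root group. If that is not intended, the group part deserves the same check, or at least a comment such as `# only the user part of RUN_AS is checked for root; the group is passed through as given`. The expansion is also still unquoted; `exec gosu "$RUN_AS" "$@"` would keep it a single argument. Per the diffstat only the top-level docker-entrypoint.sh changes here, so the 1.3, 1.4 and 1.5 copies would keep `gosu $RUN_AS_USER` unless they are updated elsewhere.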