Create group icingaweb2 and users for daemon services
Opened this issue · 1 comment
The Docker image should add the same group as the Install from Source documentation does:
https://icinga.com/docs/icinga-web-2/latest/doc/02-Installation/07-From-Source/#preparing-icinga-web-2-setup
Also, it would be useful to create the users for daemons like director, vspheredb and x509.
This would make the image more easily extensible for the daemon services.
At the moment, I do something like this:
```yaml
services:
  icingaweb2:
    build:
      context: .
      target: icingaweb2
  director-daemon:
    build:
      context: .
      target: director-daemon
  vspheredb-daemon:
    build:
      context: .
      target: vspheredb-daemon
  x509-daemon:
    build:
      context: .
      target: x509-daemon
```
with the Dockerfile:
```dockerfile
# Icinga Web 2
# ICINGAWEB2_VERSION must be passed in with --build-arg (or compose build args);
# a FROM line cannot use an ARG that has not been declared before it.
ARG ICINGAWEB2_VERSION
FROM icinga/icingaweb2:${ICINGAWEB2_VERSION} as icingaweb2
# the 'downloader' stage and the ca-certificates image are not shown in this excerpt
COPY --from=downloader /grafana /usr/share/icingaweb2/modules/grafana
COPY --from=ca-certificates:latest /usr/local/share/ca-certificates/*.crt /usr/local/share/ca-certificates/
USER root
RUN set -eux; \
    update-ca-certificates;
USER www-data

# Icinga Web 2 Director daemon
FROM icingaweb2 as director-daemon
USER root
# system user without login shell; home/state dir owned by that user, group-readable for www-data
RUN set -eux; \
    useradd -r -g www-data -d /var/lib/icingadirector -s /bin/false icingadirector; \
    install -d -o icingadirector -g www-data -m 0750 /var/lib/icingadirector;
ENTRYPOINT []
USER icingadirector
CMD ["/usr/bin/php","/usr/local/bin/icingacli","director","daemon","run"]

# Icinga Web 2 vSphere DB daemon
FROM icingaweb2 as vspheredb-daemon
USER root
RUN set -eux; \
    useradd -r -g www-data -d /var/lib/icingavspheredb -s /bin/false icingavspheredb; \
    install -d -o icingavspheredb -g www-data -m 0750 /var/lib/icingavspheredb; \
    install -d -o icingavspheredb -g www-data -m 755 /run/icinga-vspheredb;
ENTRYPOINT []
USER icingavspheredb
CMD ["/usr/bin/php","/usr/local/bin/icingacli","vspheredb","daemon","run"]

# Icinga Web 2 x509 daemon (no dedicated user; runs as the image's www-data)
FROM icingaweb2 as x509-daemon
ENTRYPOINT []
CMD ["/usr/bin/php","/usr/local/bin/icingacli","x509","jobs","run"]
```
If the users, group, home folders and run folders already existed, it would be enough to override the user, entrypoint and command in the docker-compose.yml, and it would not require a Dockerfile and a build step.
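As an added illustration of what that compose-only setup would look like (this is not from the issue author or from the Icinga project), here is a docker-compose.yml that relies purely on overrides. It assumes a hypothetical image in which the users `icingadirector` and `icingavspheredb`, the group `icingaweb2` and the directories `/var/lib/icingadirector`, `/var/lib/icingavspheredb` and `/run/icinga-vspheredb` already exist with the ownership shown in the Dockerfile above; the current `icinga/icingaweb2` image does not provide them, and the shared Icinga Web 2 configuration mount is left out.

```yaml
# Added example, not part of the original issue or the Icinga project.
# ASSUMPTION: the image already ships the users, group and state directories
# requested in this issue; the published icinga/icingaweb2 image does not.
services:
  icingaweb2:
    image: icinga/icingaweb2:${ICINGAWEB2_VERSION}
    # keeps the image's default user (www-data) and web entrypoint

  director-daemon:
    image: icinga/icingaweb2:${ICINGAWEB2_VERSION}
    # 'user' by name only works if the account exists in the image's
    # /etc/passwd; otherwise the container fails to start with
    # "unable to find user icingadirector". A numeric "uid:gid" would start
    # without the passwd entry, but then the state directory must already be
    # owned by that uid, which is exactly why the image should create it.
    user: icingadirector
    entrypoint: []          # drop the image's web-server entrypoint
    command: ["/usr/bin/php", "/usr/local/bin/icingacli", "director", "daemon", "run"]
    volumes:
      # a named volume copies the image directory's content and ownership on
      # first use, so the 0750 icingadirector:www-data permissions survive;
      # a bind mount would instead expose the host's ownership
      - director-state:/var/lib/icingadirector

  vspheredb-daemon:
    image: icinga/icingaweb2:${ICINGAWEB2_VERSION}
    user: icingavspheredb
    entrypoint: []
    command: ["/usr/bin/php", "/usr/local/bin/icingacli", "vspheredb", "daemon", "run"]
    volumes:
      - vspheredb-state:/var/lib/icingavspheredb
    # /run/icinga-vspheredb holds the daemon socket; tmpfs keeps it off disk
    # and is created with the mode given here, so the daemon can write to it
    tmpfs:
      - /run/icinga-vspheredb:mode=0755,uid=${VSPHEREDB_UID},gid=${WWW_DATA_GID}

  x509-daemon:
    image: icinga/icingaweb2:${ICINGAWEB2_VERSION}
    # no dedicated account in the issue's Dockerfile either; stays www-data
    entrypoint: []
    command: ["/usr/bin/php", "/usr/local/bin/icingacli", "x509", "jobs", "run"]

volumes:
  director-state:
  vspheredb-state:
```

The tmpfs `uid`/`gid` options take numbers, not names, so `VSPHEREDB_UID` and `WWW_DATA_GID` are placeholders for the ids the image assigns (assumption: they are stable across image rebuilds, which is another reason to create the accounts in the image rather than at container start). Everything else is resolved by name inside the container, which is what makes the build step unnecessary.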
Distinct users are only required for isolation, but you already run separate containers, which do that, so why the additional users? A daemon doesn't care which unprivileged user it was started as, so why not just use the existing user (www-data)?