Icinga/docker-icingaweb2

Create group icingaweb2 and users for daemon services

Opened this issue · 1 comment

The Docker image should add the same group as the Install from Source documentation does.
https://icinga.com/docs/icinga-web-2/latest/doc/02-Installation/07-From-Source/#preparing-icinga-web-2-setup

Also, it would be useful to create the users for the daemons such as director, vspheredb and x509.
This would make the image more easily extensible for the daemon services.

At the moment, I do something like

```yaml
services:
  icingaweb2:
    build:
      target: icingaweb2
  director-daemon:
    build:
      target: director-daemon
  vspheredb-daemon:
    build:
      target: vspheredb-daemon
  x509-daemon:
    build:
      target: x509-daemon
```

with the Dockerfile:

```dockerfile
# Icinga Web 2
FROM icinga/icingaweb2:${ICINGAWEB2_VERSION} as icingaweb2

COPY --from=downloader /grafana /usr/share/icingaweb2/modules/grafana
COPY --from=ca-certificates:latest /usr/local/share/ca-certificates/*.crt /usr/local/share/ca-certificates/
USER root
RUN set -eux; \
        update-ca-certificates;
USER www-data

# Icinga Web 2 Director daemon
FROM icingaweb2 as director-daemon
USER root
RUN set -eux; \
        useradd -r -g www-data -d /var/lib/icingadirector -s /bin/false icingadirector; \
        install -d -o icingadirector -g www-data -m 0750 /var/lib/icingadirector;
ENTRYPOINT []
USER icingadirector
CMD ["/usr/bin/php","/usr/local/bin/icingacli","director","daemon","run"]

# Icinga Web 2 vSphere DB daemon
FROM icingaweb2 as vspheredb-daemon
USER root
RUN set -eux; \
        useradd -r -g www-data -d /var/lib/icingavspheredb -s /bin/false icingavspheredb; \
        install -d -o icingavspheredb -g www-data -m 0750 /var/lib/icingavspheredb; \
        install -d -o icingavspheredb -g www-data -m 755 /run/icinga-vspheredb;
ENTRYPOINT []
USER icingavspheredb
CMD ["/usr/bin/php","/usr/local/bin/icingacli","vspheredb","daemon","run"]

# Icinga Web 2 x509 daemon
FROM icingaweb2 as x509-daemon
ENTRYPOINT []
CMD ["/usr/bin/php","/usr/local/bin/icingacli","x509","jobs","run"]
```

If the users, group, home folders and run folders already existed, it would be enough to override the user, entrypoint and command in the docker-compose.yml, and no Dockerfile or build step would be required.
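As an added example (not code from the docker-icingaweb2 project or from the issue author), here is what a single image stage that pre-creates the `icingaweb2` group and one unprivileged user per daemon could look like, so that a compose file only needs `user:`, `entrypoint:` and `command:` overrides and no build step. The `ICINGAWEB2_VERSION` build arg, the user name `icingax509`, the uniform `/run/<user>` directories and the use of `icingaweb2` as the daemons' primary group are assumptions of this example, not taken from the issue.

```dockerfile
# Added example; not part of the docker-icingaweb2 project.
# Assumed: ICINGAWEB2_VERSION is passed as a build arg; the user name
# icingax509 and the /run/<user> layout are this example's choices.
ARG ICINGAWEB2_VERSION=latest
FROM icinga/icingaweb2:${ICINGAWEB2_VERSION}

USER root
RUN set -eux; \
    # Shared group: the web process (www-data) and every daemon are members,
    # so module state written with mode 0750 stays readable to all of them
    # without being world-readable.
    getent group icingaweb2 >/dev/null || groupadd -r icingaweb2; \
    usermod -a -G icingaweb2 www-data; \
    # One system user per daemon: no login shell, private home, own run dir.
    # The loop is idempotent so the layer can be rebuilt on top of an image
    # that already carries some of these accounts.
    for u in icingadirector icingavspheredb icingax509; do \
        getent passwd "$u" >/dev/null || \
            useradd -r -g icingaweb2 -d "/var/lib/$u" -s /bin/false "$u"; \
        install -d -o "$u" -g icingaweb2 -m 0750 "/var/lib/$u"; \
        install -d -o "$u" -g icingaweb2 -m 0755 "/run/$u"; \
    done

# The default process stays the web server as www-data; each daemon
# container selects its own user at run time instead of in a separate stage.
USER www-data
```

With such an image, a daemon service in docker-compose.yml is just the stock image plus `user: icingadirector`, `entrypoint: []` and `command: ["/usr/bin/php", "/usr/local/bin/icingacli", "director", "daemon", "run"]`, which is the setup the previous paragraph describes. Note that `/run` is often mounted as tmpfs at container start, so a daemon that needs its run directory at runtime should either create it itself or get it via a `tmpfs:` entry with the matching uid/gid in the compose service.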

Distinct users are only required for isolation, but you already run separate containers which do that, so why the additional users? A daemon doesn't care which unprivileged user it was started as, so why not just use the existing user (www-data)?