Telegraf docker entrypoint script change needed to support deployment from compose script
wz2b opened this issue · 2 comments
Referencing #724 and #543 I was still having problems with a specific line in the entrypoint script
The line currently reads:
extra_groups="$(id -Gn || true)"
This script doesn't honor UID; rather, if the UID is 0 (root) it just executes as the 'telegraf' user. Unfortunately, if you are root, that id will get the groups associated with root, not telegraf. I think it needs to be changed to:
extra_groups="$(id -Gn telegraf || true)"
With this change, I can specify a service in a compose file:
services:
telegraf:
image: mystack/telegraf
container_name: telegraf
volumes:
- type: bind
source: /etc/telegraf
target: /etc/telegraf
read_only: true
- type: bind
source: /var/run/docker.sock
target: /var/run/docker.sock
build:
context: telegraf
I made this change with a custom entrypoint to test it:
FROM docker.io/telegraf
RUN groupadd -r docker -g 122
RUN usermod -aG docker telegraf
COPY custom-entrypoint.sh /custom-entrypoint.sh
RUN chmod +x /custom-entrypoint.sh
ENTRYPOINT ["/custom-entrypoint.sh"]
CMD ["telegraf"]
and that makes it work.
I think there's about a million ways to solve this problem. I think, though, that the structure of the script really intends to just exec if the uid is not 0, and if the uid is 0 it intends to force you to the 'telegraf' user - that's a strategy and it's fine and reasonably secure, but that id -Gn
is going to check the extra groups of user 0, come up with only "root" then promptly remove that group.
If anybody agrees, please respond - I'll happily submit a pull request for this. Or, if you've got another way to pair docker compose + docker build and make this work, that's fine too. Me having to create a custom entrypoint doesn't seem like the right solution unless I'm the only person still having this problem.
Unfortunately, if you are root, that id will get the groups associated with root, not telegraf. I think it needs to be changed to:
hmm doing so would break what was fixed in #724 where the user does the following:
--user root:$(stat -c '%g' /var/run/docker.sock)
Does it? Hmm. Setpriv doesn't just add to the effective groups?
It's weird to me to say --user anybody
and the entrypoint.sh believes you, but if you say --user root
it hijacks the effective user (to make it "telegraf"), but not necessarily the effective group. The thing is, the 'docker' group is usually empty, and 'root' isn't in it, so to fix it they're trying to force the group to match whatever the docker socket's group is.
I think that's the wrong thing to do:
- You should run telegraf with least privilege, and for docker it doesn't need to be root
- You might want to extend this to do other things that require a different group access. The way this guy did it, you can only have one.
I'm thinking the whole thing needs to be reimagined.