4 changes: 2 additions & 2 deletions Containerfile.alpine
Expand Up @@ -35,8 +35,8 @@
# renovate: datasource=rubygems depName=rugged
ARG RUBYGEM_RUGGED=1.9.0

ARG OPENVOX_USER_UID=1001
ARG OPENVOX_USER_GID=1001
ARG OPENVOX_USER_UID=999
ARG OPENVOX_USER_GID=999

# renovate: datasource=custom.voxpupuli-artifacts depName=openvox-server
ARG OPENVOXSERVER_VERSION=8.14.0
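Review bot: the default UID/GID moves from 1001 to 999 without a comment saying why, and 999 is not a free id on every base image: the Alpine branch of openvoxserver/prep_release_container.sh in this same PR has to special-case GID 999 because Alpine already assigns it to the `ping` group. Add a short comment above the two ARGs stating why 999 was chosen and that on Alpine the group will be named `ping` rather than `puppet`, and call the new default out as a migration step, since volumes populated by images built with 1001:1001 keep that ownership and are not affected by a build argument.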
Expand All @@ -50,7 +50,7 @@
org.label-schema.version="$OPENVOXSERVER_VERSION" \
org.label-schema.name="OpenVox Server"

ENV AUTOSIGN=true \
Check warning on line 53 in Containerfile.alpine (GitHub Actions / Scan alpine / amd64 CI container): Sensitive data should not be used in the ARG or ENV commands. SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/ (The same warning is reported by the Scan alpine / arm64, Build alpine / arm64 and Build alpine / amd64 jobs.)
CA_ALLOW_SUBJECT_ALT_NAMES=false \
CA_ENABLED=true \
CA_TTL=157680000 \
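Review bot: the rendered hunk shows only unchanged context lines, so the one-line change inside this ENV block is not visible here; please confirm it does not touch the `INTERMEDIATE_CA_KEY` entry that all four alpine CI jobs flag with SecretsUsedInArgOrEnv. That warning is worth acting on separately: a CA key supplied through ENV ends up in the image configuration and in `docker inspect` output, so reading it from a mounted file or a container secret at start-up is the safer pattern.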
4 changes: 2 additions & 2 deletions Containerfile.ubuntu
Expand Up @@ -44,8 +44,8 @@
# renovate: datasource=rubygems depName=rugged
ARG RUBYGEM_RUGGED=1.9.0

ARG OPENVOX_USER_UID=1001
ARG OPENVOX_USER_GID=1001
ARG OPENVOX_USER_UID=999
ARG OPENVOX_USER_GID=999

# renovate: datasource=custom.voxpupuli-artifacts depName=openvox-server
ARG OPENVOXSERVER_VERSION=8.14.0
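Review bot: same remark as for Containerfile.alpine: the change of the default UID/GID from 1001 to 999 deserves a comment above the ARGs explaining the choice, and a changelog or README note that existing volumes created by images built with 1001:1001 keep that ownership, because the build argument cannot fix data that is already on disk.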
Expand All @@ -59,7 +59,7 @@
org.label-schema.version="$OPENVOXSERVER_VERSION" \
org.label-schema.name="OpenVox Server"

ENV AUTOSIGN=true \
Check warning on line 62 in Containerfile.ubuntu (GitHub Actions / Scan ubuntu / amd64 CI container): Sensitive data should not be used in the ARG or ENV commands. SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "INTERMEDIATE_CA_KEY") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/ (The same warning is reported by the Scan ubuntu / arm64, Build ubuntu / arm64 and Build ubuntu / amd64 jobs.)
CA_ALLOW_SUBJECT_ALT_NAMES=false \
CA_ENABLED=true \
CA_TTL=157680000 \
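Review bot: as in the alpine file, the changed line inside this ENV block is not visible in the rendered hunk, so please confirm the edit is limited to the UID/GID related entry and does not touch `INTERMEDIATE_CA_KEY`, which the four ubuntu CI jobs flag with SecretsUsedInArgOrEnv. Keeping a CA private key out of ENV (mounted file or container secret instead) would clear that warning for both Containerfiles.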
13 changes: 13 additions & 0 deletions README.md
Expand Up @@ -17,6 +17,7 @@
- [Permissions](#permissions)
- [Rootless Podman](#rootless-podman)
- [Docker](#docker)
- [UID/GID](#uidgid)
- [How to deploy OpenVox/Puppet code](#how-to-deploy-openvoxpuppet-code)
- [✅ Preferred way to deploy your code](#-preferred-way-to-deploy-your-code)
- [🔥 Not recommended way, but often used, pattern from the non-container world](#-not-recommended-way-but-often-used-pattern-from-the-non-container-world)
Expand Down Expand Up @@ -207,6 +208,18 @@ Permissions are managed for you, and from there the volume can be migrated using

Docker always runs rootfull, and does not need permissions adjustments.

### UID/GID

The image creates the `puppet` user with UID 999 and a corresponding group with GID 999 by default.
These IDs determine file ownership inside the image and can be changed at build time.

The container is configured with `USER puppet:0`, so the server process uses the `puppet` user's UID and group 0 at runtime.
Directories required by the server are group-owned by group 0 and grant the group the same permissions as the owner.
This also supports platforms such as OpenShift that run containers with an arbitrary UID in group 0.

The build arguments only affect newly built images. They cannot be set as environment variables when starting an existing image.
When changing the default IDs, ensure that bind mounts and existing volumes have compatible ownership and permissions.

## How to deploy OpenVox/Puppet code

### ✅ Preferred way to deploy your code
Expand Down
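Review bot: the new section states that the `puppet` user gets "a corresponding group with GID 999" and that required directories are "group-owned by group 0", but the script hunk in openvoxserver/prep_release_container.sh in this PR names the group `ping` on Alpine when the GID is 999 and chowns those directories to puppet:"${OPENVOX_GROUP}", not to group 0; either the text or the chown targets should be reconciled (or the later group-0 step referenced), and the Alpine naming should be documented here. The sentence "can be changed at build time" should also name the knobs, e.g. `--build-arg OPENVOX_USER_UID=... --build-arg OPENVOX_USER_GID=...`, since the following paragraph relies on readers knowing they are build arguments.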
42 changes: 28 additions & 14 deletions openvoxserver/prep_release_container.sh
@@ -1,8 +1,19 @@
#!/bin/bash

set -e
source /etc/os-release

if command -v apk > /dev/null 2>&1; then
if [ "$ID" = "alpine" ]; then
if [ "$OPENVOX_USER_GID" -eq 999 ]; then
OPENVOX_GROUP=ping
else
OPENVOX_GROUP=puppet
fi
Comment on lines +7 to +11

Member:

This looks very odd, what's that about? On Alpine, if the OPENVOX_USER_GID is 999, the OPENVOX_GROUP should be called ping?

Member:

Oh this is because of #150 (comment). Tricky. I wonder whether the answer is to just have different UID/GID numbers on Ubuntu vs Alpine?

Member Author:

When on Alpine and the desired GID is 999, use the name ping for the group. Because it already exists, it is not required to create it. If not 999, use puppet as the group name and create it.
else
OPENVOX_GROUP=puppet
fi

if [ "$ID" = "alpine" ]; then
apk update
apk add --no-cache \
alpine-sdk \
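Review bot: the `ping` special case at lines +7 to +11 hardcodes the assumption that GID 999 on the Alpine base image belongs to a group named `ping`; if a future base image assigns 999 to something else, the later `adduser -G "${OPENVOX_GROUP}"` would attach the user to whatever GID `ping` then has, silently changing the ownership model. Resolve the name from the id and fall back to puppet only when the GID is free, e.g. `OPENVOX_GROUP=$(awk -F: -v g="$OPENVOX_USER_GID" '$3 == g { print $1 }' /etc/group)` followed by `OPENVOX_GROUP=${OPENVOX_GROUP:-puppet}`, and add a one-line comment so the next reader does not have to ask the question raised in the thread above. `-eq` against an unset OPENVOX_USER_GID also prints an "integer expression expected" error and falls through to the else branch; `: "${OPENVOX_USER_GID:?}"` near the top would fail fast instead.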
Expand All @@ -22,7 +33,7 @@ if command -v apk > /dev/null 2>&1; then
ruby \
ruby-dev \
runuser
elif command -v apt-get > /dev/null 2>&1; then
elif [ "$ID" = "ubuntu" ] || [ "$ID" = "debian" ]; then
apt-get update
apt-get install -y --no-install-recommends \
build-essential \
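Review bot: switching from `command -v apt-get` to an exact match on `$ID` means a Debian derivative that reports a different ID (but still ships apt-get) no longer takes this branch; if there is no terminal `else` that aborts with a clear message, add one, or widen the test with `ID_LIKE` from /etc/os-release, so an unsupported base image fails loudly rather than skipping the package install.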
Expand Down Expand Up @@ -56,7 +67,7 @@ gem install --no-document rugged:${RUBYGEM_RUGGED} -- --with-ssh
gem install --no-document racc:1.8.1
gem install --no-document syslog:0.4.0

if command -v apk > /dev/null 2>&1; then
if [ "$ID" = "alpine" ]; then
apk del --purge alpine-sdk
else
apt-get purge -y build-essential
Expand All @@ -67,26 +78,29 @@ fi

# Create puppet user and group, and set permissions on necessary directories
# Used for rootless execution of the container and to match permissions expected by Puppet Server
if command -v addgroup > /dev/null 2>&1 && command -v apk > /dev/null 2>&1; then
addgroup -g "${OPENVOX_USER_GID}" puppet
adduser -G puppet -u "${OPENVOX_USER_UID}" -h /opt/puppetlabs/server/data/puppetserver -H -D -s /sbin/nologin puppet
if [ "$ID" = "alpine" ]; then
if [ "$OPENVOX_USER_GID" != 999 ]; then
addgroup -g "${OPENVOX_USER_GID}" "${OPENVOX_GROUP}"
fi

adduser -G "${OPENVOX_GROUP}" -u "${OPENVOX_USER_UID}" -h /opt/puppetlabs/server/data/puppetserver -H -D -s /sbin/nologin puppet
else
groupadd --gid "${OPENVOX_USER_GID}" puppet
groupadd --gid "${OPENVOX_USER_GID}" "${OPENVOX_GROUP}"
useradd \
--gid puppet \
--gid "${OPENVOX_USER_GID}" \
--home-dir /opt/puppetlabs/server/data/puppetserver \
--no-create-home \
--shell /usr/sbin/nologin \
--uid "${OPENVOX_USER_UID}" \
puppet
fi

chown -R puppet:puppet /etc/puppetlabs/code
chown -R puppet:puppet /etc/puppetlabs/puppet/ssl
chown -R puppet:puppet /etc/puppetlabs/puppetserver/ca
chown -R puppet:puppet /opt/puppetlabs/server/data/puppetserver
chown -R puppet:puppet /var/log/puppetlabs/puppetserver
chown -R puppet:puppet /var/run/puppetlabs/puppetserver
chown -R puppet:"${OPENVOX_GROUP}" /etc/puppetlabs/code
chown -R puppet:"${OPENVOX_GROUP}" /etc/puppetlabs/puppet/ssl
chown -R puppet:"${OPENVOX_GROUP}" /etc/puppetlabs/puppetserver/ca
chown -R puppet:"${OPENVOX_GROUP}" /opt/puppetlabs/server/data/puppetserver
chown -R puppet:"${OPENVOX_GROUP}" /var/log/puppetlabs/puppetserver
chown -R puppet:"${OPENVOX_GROUP}" /var/run/puppetlabs/puppetserver

chmod 0700 /opt/puppetlabs/server/data/puppetserver/jars
chmod 0700 /opt/puppetlabs/server/data/puppetserver/yaml
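Review bot: in the Debian/Ubuntu branch `groupadd --gid "${OPENVOX_USER_GID}" "${OPENVOX_GROUP}"` aborts the build under `set -e` if the base image already has a group with that GID, which is the same collision the Alpine branch works around for 999; guard it the same way (`getent group "$OPENVOX_USER_GID" > /dev/null || groupadd ...`) and apply the same existence check to the Alpine `addgroup` instead of keying only on the literal 999. The `chown -R puppet:"${OPENVOX_GROUP}"` lines give the directories the puppet (or ping) group, whereas the README added in this PR says they are group-owned by group 0 to support `USER puppet:0` and OpenShift arbitrary-UID runs; if group 0 ownership is applied later in the Containerfile, a comment here saying so would remove the apparent mismatch.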