Switched processes to non-root user.

adivinho · Sep 9, 2016 · 5fc27c4 · 5fc27c4
1 parent 34845ea
commit 5fc27c4
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -18,14 +18,16 @@ RUN apt-get -y update && apt-get install -y \
 	python \
 	python-requests \
 	supervisor && \
-	rm -f /etc/cron.daily/apt
+	rm -f /etc/cron.daily/apt && \
+	useradd -s /bin/false pmm
 
 # ########## #
 # Prometheus #
 # ########## #
 
 RUN curl -s -LO https://github.com/prometheus/prometheus/releases/download/v1.0.2/prometheus-1.0.2.linux-amd64.tar.gz && \
-	mkdir prometheus && \
+	mkdir -p prometheus/data && \
+	chown -R pmm:pmm /opt/prometheus/data && \
 	tar xfz prometheus-1.0.2.linux-amd64.tar.gz --strip-components=1 -C prometheus
 COPY prometheus.yml /opt/prometheus/
 
@@ -49,15 +51,19 @@ RUN /opt/grafana-postinstall.sh
 
 RUN curl -s -LO https://releases.hashicorp.com/consul/0.6.4/consul_0.6.4_linux_amd64.zip && \
 	unzip consul_0.6.4_linux_amd64.zip && \
-	mkdir -p /opt/consul-data
+	mkdir -p /opt/consul-data && \
+	chown -R pmm:pmm /opt/consul-data
 
 # ##### #
 # Nginx #
 # ##### #
 
 COPY nginx.conf /etc/nginx
 COPY nginx-ssl.conf /etc/nginx
-RUN touch /etc/nginx/.htpasswd
+RUN touch /etc/nginx/.htpasswd && \
+	touch /run/nginx.pid && \
+	chown -R www-data:www-data /var/lib/nginx /run/nginx.pid && \
+	setcap cap_net_bind_service=+ep /usr/sbin/nginx
 
 # ########################### #
 # Supervisor and landing page # 

diff --git a/nginx.conf b/nginx.conf
@@ -1,4 +1,3 @@
-user www-data;
 worker_processes 4;
 pid /run/nginx.pid;
 daemon off;

diff --git a/supervisord.conf b/supervisord.conf
@@ -20,27 +20,31 @@ password = dummy
 
 [program:mysql]
 priority = 1
+user = mysql
 command = /usr/bin/mysqld_safe
 stdout_logfile = /var/log/mysqld.log
 stderr_logfile = /var/log/mysqld.log
 autorestart = true
 
 [program:consul]
 priority = 2
+user = pmm
 command = /opt/consul agent -server -data-dir="/opt/consul-data" -bootstrap -client="0.0.0.0" -advertise="127.0.0.1" -ui
 stdout_logfile = /var/log/consul.log
 stderr_logfile = /var/log/consul.log
 autorestart = true
 
 [program:grafana]
 priority = 3
+user = grafana
 command = /usr/sbin/grafana-server --homepath=/usr/share/grafana --config=/etc/grafana/grafana.ini cfg:default.paths.data=/var/lib/grafana cfg:default.paths.logs=/var/log/grafana cfg:default.server.root_url="%%(protocol)s://%%(domain)s:%%(http_port)s/graph"
 stdout_logfile = /var/log/grafana.log
 stderr_logfile = /var/log/grafana.log
 autorestart = true
 
 [program:qan-api]
 priority = 4
+user = pmm
 environment = BG=no,BASE_PATH=/qan-api
 command = /usr/local/percona/qan-api/start
 stdout_logfile = /var/log/qan-api.log
@@ -49,6 +53,7 @@ autorestart = true
 
 [program:nginx]
 priority = 5 
+user = www-data
 command = nginx
 stdout_logfile = /var/log/nginx.log
 stderr_logfile = /var/log/nginx.log
@@ -63,6 +68,7 @@ autorestart = true
 
 [program:prometheus]
 priority = 7
+user = pmm
 # Sleep to wait for consul to start up.
 command = bash -c "sleep 5 && /opt/prometheus/prometheus -config.file=/opt/prometheus/prometheus.yml -storage.local.path=/opt/prometheus/data -web.listen-address=:9090 -storage.local.retention=${METRICS_RETENTION:-720h} -storage.local.memory-chunks=${METRICS_MEMORY:-262144} -web.console.libraries=/opt/prometheus/console_libraries -web.console.templates=/opt/prometheus/consoles -web.external-url=http://localhost:9090/prometheus/"
 stdout_logfile = /var/log/prometheus.log