From 9c21f92afbcadc2112a1aa4ad019b9cdfb6fa9e0 Mon Sep 17 00:00:00 2001 From: Gary Pennington Date: Thu, 4 Apr 2024 08:41:52 +0100 Subject: [PATCH] Make router user the owner of the docker image's /dist/data directory (#4898) Since we made our images more secure, we run our router process as user 'router'. If we are running under 'heaptrack', e.g.: in a debug image, then we cannot write to /dist/data because it is owned by 'root'. This changes the ownership of /dist/data from 'root' to 'router' to allow writes to succeed. --- .changesets/fix_garypen_revive_docker_heaptrack.md | 7 +++++++ dockerfiles/Dockerfile.router | 3 ++- dockerfiles/diy/dockerfiles/Dockerfile.repo | 3 ++- 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 .changesets/fix_garypen_revive_docker_heaptrack.md diff --git a/.changesets/fix_garypen_revive_docker_heaptrack.md b/.changesets/fix_garypen_revive_docker_heaptrack.md new file mode 100644 index 0000000000..53e897278a --- /dev/null +++ b/.changesets/fix_garypen_revive_docker_heaptrack.md @@ -0,0 +1,7 @@ +### Make 'router' user the owner of the docker image's /dist/data directory ([PR #4898](https://github.com/apollographql/router/pull/4898)) + +Since we made our images more secure, we run our router process as user 'router'. If we are running under 'heaptrack', e.g.: in a debug image, then we cannot write to /dist/data because it is owned by 'root'. + +This changes the ownership of /dist/data from 'root' to 'router' to allow writes to succeed. + +By [@garypen](https://github.com/garypen) in https://github.com/apollographql/router/pull/4898 \ No newline at end of file diff --git a/dockerfiles/Dockerfile.router b/dockerfiles/Dockerfile.router index 44aa2ce850..d18c20ebe3 100644 --- a/dockerfiles/Dockerfile.router +++ b/dockerfiles/Dockerfile.router 
@@ -39,7 +39,8 @@ RUN \ RUN \ if [ "${DEBUG_IMAGE}" = "true" ]; then \ apt-get install -y heaptrack && \ - mkdir data; \ + mkdir data && \ + chown router data; \ fi # Clean up apt lists diff --git a/dockerfiles/diy/dockerfiles/Dockerfile.repo b/dockerfiles/diy/dockerfiles/Dockerfile.repo index aba5d26567..210d165e07 100644 --- a/dockerfiles/diy/dockerfiles/Dockerfile.repo +++ b/dockerfiles/diy/dockerfiles/Dockerfile.repo @@ -58,7 +58,8 @@ RUN \ heaptrack-gui \ x11-apps \ iputils-ping && \ - mkdir data; \ + mkdir data && \ + chown router data; \ fi # Clean up apt lists
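Review bot: in the new .changesets/fix_garypen_revive_docker_heaptrack.md, the heading and body describe the ownership change as applying to "the docker image's /dist/data directory" in general, but in dockerfiles/Dockerfile.router the `mkdir data` and `chown router data` lines sit inside the `if [ "${DEBUG_IMAGE}" = "true" ]` branch, so only debug images get the directory at all. State in the heading or first paragraph that this affects debug images only, so readers of the changelog do not assume the production image gained a writable directory. The file also ends without a trailing newline (`\ No newline at end of file`); add one.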
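Review bot: in the DEBUG_IMAGE branch of dockerfiles/Dockerfile.router, `chown router data` can only succeed if the `router` user already exists when this RUN step executes, and the relative path resolves to /dist/data only if the working directory at this point is /dist; neither is visible in the hunk. Confirm that the user is created before this step, and consider spelling the path out as `/dist/data` in both the mkdir and the chown so the step does not depend on an earlier WORKDIR. Note also that the chown sets the owner only and leaves the group unchanged; if a matching group is expected to own the directory, use the `owner:group` form.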
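Review bot: in dockerfiles/diy/dockerfiles/Dockerfile.repo, `mkdir data` still creates the directory with the default mode, so after `chown router data` it is writable by `router` but typically remains readable and searchable by every other user in the container. The directory exists to hold heaptrack output, which records the process's allocation call stacks; if that should stay private to the router user, set the mode explicitly, for example `mkdir -m 0700 data && \`. The same two lines are now duplicated here and in dockerfiles/Dockerfile.router, so any such change needs to be made in both files to keep them from drifting.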