From 176bbd852dd14e4f36205ebd553edfdf0af6598e Mon Sep 17 00:00:00 2001
From: Thode Jocelyn
Date: Thu, 8 Nov 2018 09:38:51 +0100
Subject: [PATCH] Allow arbitrary user to run atlantis

---
 docker-base/Dockerfile | 19 +++++++++++++------
 docker-entrypoint.sh | 21 ++++++++++++++++++---
 helm/atlantis/templates/statefulset.yaml | 3 +--
 3 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/docker-base/Dockerfile b/docker-base/Dockerfile
index 81bb0ab3e3..658c2ee0f4 100644
--- a/docker-base/Dockerfile
+++ b/docker-base/Dockerfile
@@ -4,13 +4,20 @@ FROM alpine:3.8
 
 LABEL authors="Anubhav Mishra, Luke Kysow"
 
-# create atlantis user
+# We use gosu to step down from root and run as the atlantis user so we need
+# to create that user and group.
+# We add the atlantis user to the root group and make its home directory
+# owned by root so that OpenShift users can use /home/atlantis as their
+# data dir because OpenShift runs containers as a random uid that's part of
+# the root group.
 RUN addgroup atlantis && \
- adduser -S -G atlantis atlantis
+ adduser -S -G atlantis atlantis && \
+ adduser atlantis root && \
+ chown atlantis:root /home/atlantis/ && \
+ chmod g=u /home/atlantis/ && \
+ chmod g=u /etc/passwd
 
-ENV ATLANTIS_HOME_DIR=/home/atlantis
-
-# install atlantis dependencies
+# Install dumb-init and gosu.
 ENV DUMB_INIT_VERSION=1.2.0
 ENV GOSU_VERSION=1.10
 RUN apk add --no-cache ca-certificates gnupg curl git unzip bash openssh libcap openssl && \
@@ -35,6 +42,6 @@ RUN apk add --no-cache ca-certificates gnupg curl git unzip bash openssh libcap
 apk del gnupg openssl && \
 rm -rf /root/.gnupg && rm -rf /var/cache/apk/*
 
-# set up nsswitch.conf for Go's "netgo" implementation
+# Set up nsswitch.conf for Go's "netgo" implementation
 # - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
 RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index b4c1ae9197..de9ffb346a 100755
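Review bot: `chmod g=u /etc/passwd` at the end of the `RUN addgroup` chain makes /etc/passwd writable by gid 0, and because the same chain runs `adduser atlantis root`, the unprivileged atlantis user that gosu steps down to on plain Docker/Kubernetes can now rewrite account entries (including adding a uid-0 login) for the life of the container. The write access is only needed by the OpenShift random-uid path, where the entrypoint appends its own passwd line; on the root-then-gosu path nothing needs it, so the weakening is paid by every deployment. It is hard to scope at build time, but it should at least be stated next to the command, e.g. `# NOTE: g=u on /etc/passwd lets any gid-0 process (incl. the atlantis user) edit accounts;` / `# tolerable only while the image ships no setuid su/sudo -- keep it that way.`, where the second half is an assumption about the final image's contents that needs confirming. The hunk also drops `ENV ATLANTIS_HOME_DIR`; whether anything downstream still reads it is not visible here.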
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -9,15 +9,30 @@ if [ "${1:0:1}" = '-' ]; then
 set -- atlantis "$@"
 fi
 
-# Look for atlantis subcommands.
+# If the user is running an atlantis subcommand (ex. server) then we want to prepend
+# atlantis as the first arg to exec. To detect if they're running a subcommand
+# we take the potential subcommand and run it through atlantis help {subcommand}.
+# If the output contains "atlantis subcommand" then we know it's a subcommand
+# since the help output contains that string. For anything else (ex. sh)
+# it won't contain that string.
+# NOTE: We use grep instead of the exit code since help always returns 0.
 if atlantis --help "$1" 2>&1 | grep -q "atlantis $1"; then
 # We can't use the return code to check for the existence of a subcommand, so
 # we have to use grep to look for a pattern in the help output.
 set -- atlantis "$@"
 fi
 
-# If we are running atlantis, make sure it executes as the proper user.
-if [ "$1" = 'atlantis' ]; then
+# If the current uid running does not have a user create one in /etc/passwd
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:/home/atlantis:/sbin/nologin" >> /etc/passwd
+ fi
+fi
+
+# If we're running as root and we're trying to execute atlantis then we use
+# gosu to step down from root and run as the atlantis user.
+# In OpenShift, containers are run as a random users so we don't need to use gosu.
+if [[ $(id -u) == 0 ]] && [[ "$1" = 'atlantis' ]]; then
 # If requested, set the capability to bind to privileged ports before
 # we drop to the non-root user. Note that this doesn't work with all
 # storage drivers (it won't work with AUFS).
diff --git a/helm/atlantis/templates/statefulset.yaml b/helm/atlantis/templates/statefulset.yaml
index 797f4c26f9..2dc5d454e1 100644
--- a/helm/atlantis/templates/statefulset.yaml
+++ b/helm/atlantis/templates/statefulset.yaml
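Review bot: `USER_NAME` is interpolated unvalidated, twice, into the `echo ... >> /etc/passwd` line, so a value containing `:` or a newline shifts the fields or injects additional passwd entries into a file the Dockerfile change has just made group-writable. Reject anything outside the usual username alphabet before the append: `case "${USER_NAME:-default}" in *[!A-Za-z0-9_.-]*) echo "invalid USER_NAME" >&2; exit 1;; esac`. The gid field is hard-coded to `0`, which is only right when the runtime happens to place the random uid in the root group as OpenShift does; `$(id -g)` would record the real primary group. When `/etc/passwd` is not writable the block silently does nothing, and tools the image installs that look up the current user (git, ssh) may then fail later with a less obvious error, so a one-line warning to stderr in an `else` branch is worth adding. The `if [[ $(id -u) == 0 ]] ...` block at the end of the hunk continues outside it.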
@@ -19,8 +19,7 @@ spec:
 app: {{ template "atlantis.name" . }}
 release: {{ .Release.Name }}
 spec:
- securityContext:
- fsGroup: 1000
+ securityContext: {}
 volumes:
 {{- range $name, $_ := .Values.serviceAccountSecrets }}
 - name: {{ $name }}-volume
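Review bot: Replacing `fsGroup: 1000` with an empty `securityContext` removes the only thing that made a mounted data volume writable by the non-root user on non-OpenShift clusters: there the container still starts as root and the entrypoint gosu's down to the atlantis user, and a persistent volume mounted over its data dir (the volume mounts are outside this hunk) is no longer chgrp'd to gid 1000 with group write, so writes can fail with EACCES. The `adduser atlantis root` added in the Dockerfile does not compensate, because a root:root 0755 mount grants the root group no write bit. Keep the default and let OpenShift users override it instead of deleting it: `securityContext:` / `{{- toYaml .Values.securityContext | nindent N }}` (N matching the surrounding indent) in the template, with `securityContext: {fsGroup: 1000}` as the default in values.yaml, noting that `.Values.securityContext` is not shown to exist anywhere in this diff and must be added alongside. That the atlantis account's gid is 1000 is presumed from `addgroup atlantis` in the Dockerfile and should be confirmed against the built image.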