
Bumping vault version to 0.9.1 #3832

Merged (2 commits) Dec 21, 2017

Conversation

chrishoffman (Contributor)

No description provided.

@tianon (Member) commented Dec 21, 2017

Diff:
warning: insecure protocol git:// detected: git://github.com/hashicorp/docker-vault
diff --git a/_bashbrew-list b/_bashbrew-list
index abdea49..1e328fc 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -1,2 +1,2 @@
-vault:0.9.0
+vault:0.9.1
 vault:latest
diff --git a/vault_latest/Dockerfile b/vault_latest/Dockerfile
index c0667d5..db83fe5 100644
--- a/vault_latest/Dockerfile
+++ b/vault_latest/Dockerfile
@@ -2,11 +2,7 @@ FROM alpine:3.6
 MAINTAINER Jeff Mitchell <jeff@hashicorp.com> (@jefferai)
 
 # This is the release of Vault to pull in.
-ENV VAULT_VERSION=0.9.0
-
-# This is the release of https://github.com/hashicorp/docker-base to pull in order
-# to provide HashiCorp-built versions of basic utilities like dumb-init and gosu.
-ENV DOCKER_BASE_VERSION=0.0.4
+ENV VAULT_VERSION=0.9.1
 
 # Create a vault user and group first so the IDs get set the same way,
 # even as the rest of this may change over time.
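Review bot: dropping the DOCKER_BASE_VERSION block also drops the only comment that said where dumb-init and gosu come from; with that ENV gone, a one-line comment next to `ENV VAULT_VERSION=0.9.1` noting that dumb-init and su-exec are now Alpine packages would keep the provenance of those helper binaries documented, since the trust model moves from a HashiCorp GPG-signed release to the apk repository signature.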
@@ -14,17 +10,10 @@ RUN addgroup vault && \
     adduser -S -G vault vault
 
 # Set up certificates, our base tools, and Vault.
-RUN apk add --no-cache ca-certificates gnupg openssl libcap && \
+RUN apk add --no-cache ca-certificates gnupg openssl libcap su-exec dumb-init && \
     gpg --keyserver pgp.mit.edu --recv-keys 91A6E7F85D05C65630BEF18951852D87348FFC4C && \
     mkdir -p /tmp/build && \
     cd /tmp/build && \
-    wget https://releases.hashicorp.com/docker-base/${DOCKER_BASE_VERSION}/docker-base_${DOCKER_BASE_VERSION}_linux_amd64.zip && \
-    wget https://releases.hashicorp.com/docker-base/${DOCKER_BASE_VERSION}/docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS && \
-    wget https://releases.hashicorp.com/docker-base/${DOCKER_BASE_VERSION}/docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS.sig && \
-    gpg --batch --verify docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS.sig docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS && \
-    grep ${DOCKER_BASE_VERSION}_linux_amd64.zip docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS | sha256sum -c && \
-    unzip docker-base_${DOCKER_BASE_VERSION}_linux_amd64.zip && \
-    cp bin/gosu bin/dumb-init /bin && \
     wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
     wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS && \
     wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig && \
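Review bot: the new `apk add --no-cache ca-certificates gnupg openssl libcap su-exec dumb-init` line installs su-exec and dumb-init unpinned, whereas the removed docker-base lines pinned 0.0.4 and verified the zip against a GPG-signed SHA256SUMS; apk does verify its signed index, but the helper versions can now change silently between rebuilds, so either pin them (`su-exec=<version>`, accepting that Alpine drops old versions from its repositories) or at least print the installed versions in the build log. Also worth a quick grep that nothing else still references `/bin/gosu` or `/bin/dumb-init` now that `cp bin/gosu bin/dumb-init /bin` is gone.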
diff --git a/vault_latest/docker-entrypoint.sh b/vault_latest/docker-entrypoint.sh
index 244e5e8..71c10ea 100755
--- a/vault_latest/docker-entrypoint.sh
+++ b/vault_latest/docker-entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/dumb-init /bin/sh
+#!/usr/bin/dumb-init /bin/sh
 set -e
 
 # Note above that we run dumb-init as PID 1 in order to reap zombie processes
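Review bot: the shebang change to `#!/usr/bin/dumb-init /bin/sh` is required by the Dockerfile change (the binary is no longer copied into `/bin`), but it hard-codes where the Alpine package installs it; a `test -x /usr/bin/dumb-init` at the end of the RUN step would fail the build early if a future package moves the binary, instead of failing at container start.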
@@ -91,7 +91,9 @@ if [ "$1" = 'vault' ]; then
         fi
     fi
 
-    set -- gosu vault "$@"
+    if [ -z "$DISABLE_SU" ]; then
+      set -- su-exec vault "$@"
+    fi
 fi
 
 exec "$@"
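Review bot: `if [ -z "$DISABLE_SU" ]` means any non-empty value, including `0` or `false`, disables the privilege drop, and the variable is only needed because the script never checks whether it is root: when a user passes `--user` to Docker, `su-exec vault` would be attempted as a non-root user and fail, so they would also have to remember to set DISABLE_SU. Checking `[ "$(id -u)" = '0' ]` and only then prepending `su-exec vault` removes the need for the variable and cannot be switched off by a stray value.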

@tianon (Member) commented Dec 21, 2017

For this new DISABLE_SU environment variable, couldn't folks already get the same behavior by simply doing --entrypoint vault?

@jefferai (Contributor)

Hi @tianon,

The entrypoint we have doesn't just do some su stuff; it also runs under dumb-init for proper process reaping, does some configuration file reading, sets dev mode, and so on. I would assume using --entrypoint would override the entire entrypoint script rather than just the final executable.

@tianon (Member) commented Dec 21, 2017

So the use case for this new environment variable is folks who want to run the whole script and service as root?

@jefferai (Contributor)

It comes from hashicorp/docker-vault#69 -- basically, they wanted to specify the user via Docker rather than have it be set for them in the entrypoint.

@tianon (Member) commented Dec 21, 2017

Ah, we usually handle that automatically instead of forcing the user to supply an extra environment variable, since that situation is trivial to detect (à la `if [ "$(id -u)" = '0' ]; then ...`).

See docker-library/rabbitmq#60, docker-library/cassandra#48, docker-library/mongo#81, redis/docker-library-redis#48, docker-library/mysql#161, MariaDB/mariadb-docker#59, docker-library/percona#21, docker-library/ghost#54, and docker-library/postgres#253 for some explicit implementation examples from other official images.
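The two approaches discussed in this thread side by side, as an added shell example that is not part of docker-vault's entrypoint: each function takes the effective UID as a parameter instead of calling `id -u`, and prints the resulting command line instead of exec'ing it, so the decision can be exercised from an unprivileged shell.

```shell
#!/bin/sh
# Added example, not docker-vault code. Models the privilege-drop decision
# made in the entrypoint's `if [ "$1" = 'vault' ]` branch. The UID is passed
# in (instead of read via `id -u`) and the command is printed (instead of
# exec'd) so both strategies can be compared without root.

# Strategy 1 (first revision of the PR): opt-out via DISABLE_SU.
# $1 = uid (ignored; that is the flaw), $2 = value of DISABLE_SU, rest = command.
plan_env_optout() {
  disable=$2
  shift 2
  if [ "$1" = 'vault' ] && [ -z "$disable" ]; then
    # Any non-empty value disables the switch, so "0" or "false" keep root,
    # and a non-root caller still gets su-exec, which needs root and would fail.
    set -- su-exec vault "$@"
  fi
  printf '%s\n' "$*"
}

# Strategy 2 (merged revision): drop privileges only when actually root.
# $1 = uid, rest = command.
plan_autodetect() {
  uid=$1
  shift
  if [ "$1" = 'vault' ] && [ "$uid" = '0' ]; then
    set -- su-exec vault "$@"
  fi
  printf '%s\n' "$*"
}

# The real entrypoint applies `set --` to "$@" and then `exec "$@"` directly,
# which keeps arguments containing spaces intact; printing here is only for
# comparison.
```

Running as UID 1000, strategy 1 still produces `su-exec vault vault server`, while strategy 2 leaves the command untouched.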

@jefferai (Contributor)

@tianon Sounds good -- I've updated the PR.

@tianon (Member) commented Dec 21, 2017

Diff:
warning: insecure protocol git:// detected: git://github.com/hashicorp/docker-vault
diff --git a/_bashbrew-list b/_bashbrew-list
index abdea49..1e328fc 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -1,2 +1,2 @@
-vault:0.9.0
+vault:0.9.1
 vault:latest
diff --git a/vault_latest/Dockerfile b/vault_latest/Dockerfile
index c0667d5..db83fe5 100644
--- a/vault_latest/Dockerfile
+++ b/vault_latest/Dockerfile
@@ -2,11 +2,7 @@ FROM alpine:3.6
 MAINTAINER Jeff Mitchell <jeff@hashicorp.com> (@jefferai)
 
 # This is the release of Vault to pull in.
-ENV VAULT_VERSION=0.9.0
-
-# This is the release of https://github.com/hashicorp/docker-base to pull in order
-# to provide HashiCorp-built versions of basic utilities like dumb-init and gosu.
-ENV DOCKER_BASE_VERSION=0.0.4
+ENV VAULT_VERSION=0.9.1
 
 # Create a vault user and group first so the IDs get set the same way,
 # even as the rest of this may change over time.
@@ -14,17 +10,10 @@ RUN addgroup vault && \
     adduser -S -G vault vault
 
 # Set up certificates, our base tools, and Vault.
-RUN apk add --no-cache ca-certificates gnupg openssl libcap && \
+RUN apk add --no-cache ca-certificates gnupg openssl libcap su-exec dumb-init && \
     gpg --keyserver pgp.mit.edu --recv-keys 91A6E7F85D05C65630BEF18951852D87348FFC4C && \
     mkdir -p /tmp/build && \
     cd /tmp/build && \
-    wget https://releases.hashicorp.com/docker-base/${DOCKER_BASE_VERSION}/docker-base_${DOCKER_BASE_VERSION}_linux_amd64.zip && \
-    wget https://releases.hashicorp.com/docker-base/${DOCKER_BASE_VERSION}/docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS && \
-    wget https://releases.hashicorp.com/docker-base/${DOCKER_BASE_VERSION}/docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS.sig && \
-    gpg --batch --verify docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS.sig docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS && \
-    grep ${DOCKER_BASE_VERSION}_linux_amd64.zip docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS | sha256sum -c && \
-    unzip docker-base_${DOCKER_BASE_VERSION}_linux_amd64.zip && \
-    cp bin/gosu bin/dumb-init /bin && \
     wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
     wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS && \
     wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig && \
diff --git a/vault_latest/docker-entrypoint.sh b/vault_latest/docker-entrypoint.sh
index 244e5e8..a16d01a 100755
--- a/vault_latest/docker-entrypoint.sh
+++ b/vault_latest/docker-entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/dumb-init /bin/sh
+#!/usr/bin/dumb-init /bin/sh
 set -e
 
 # Note above that we run dumb-init as PID 1 in order to reap zombie processes
@@ -91,7 +91,9 @@ if [ "$1" = 'vault' ]; then
         fi
     fi
 
-    set -- gosu vault "$@"
+    if [ "$(id -u)" = '0' ]; then
+      set -- su-exec vault "$@"
+    fi
 fi
 
 exec "$@"
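Review bot: the `id -u` check addresses the earlier DISABLE_SU concern: privilege drop now happens only when the entrypoint is actually root, so `--user` works without any extra variable and root is never kept by an accidental value. A short comment above the `if`, like the one at the top of the script explaining dumb-init, would record why the `su-exec vault` switch is conditional so it is not simplified back to an unconditional one later.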

@tianon (Member) commented Dec 21, 2017

LGTM

Build test of #3832; fbd421d; amd64 (vault):

$ bashbrew build vault:0.9.1
warning: insecure protocol git:// detected: git://github.com/hashicorp/docker-vault
Building bashbrew/cache:d784e054c57bafb22f50598c0460dd8149acbd098adff49503b92a4b921eb452 (vault:0.9.1)
Tagging vault:0.9.1
Tagging vault:latest

$ test/run.sh vault:0.9.1
testing vault:0.9.1
	'utc' [1/4]...passed
	'cve-2014--shellshock' [2/4]...passed
	'no-hard-coded-passwords' [3/4]...passed
	'override-cmd' [4/4]...passed

@tianon tianon merged commit 2370fab into docker-library:master Dec 21, 2017