Allow Dockerfile-workers to run as non-root.

Without root, supervisord cannot assume other users, so remove any changing of users.
matrix-org · Nov 25, 2021 · 67e20f2 · 67e20f2
1 parent 05d4115
commit 67e20f2
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/docker/Dockerfile-workers b/docker/Dockerfile-workers
@@ -11,6 +11,12 @@ RUN rm /etc/nginx/sites-enabled/default
 # Copy Synapse worker, nginx and supervisord configuration template files
 COPY ./docker/conf-workers/* /conf/
 
+# Set permissions for GID=0 to be able to interact with configuration files and data
+# Allows container to be deployed in OpenShift without UID 0
+# https://docs.openshift.com/container-platform/4.7/openshift_images/create-images.html#images-create-guide-openshift_create-images
+RUN chgrp -R 0 /etc/nginx /etc/redis /etc/supervisor /var/log /run /var/lib/redis /var/lib/nginx && \
+    chmod -R g+rw /etc/nginx /etc/redis /etc/supervisor /var/log /run /var/lib/redis /var/lib/nginx
+
 # Expose nginx listener port
 EXPOSE 8080/tcp
 

diff --git a/docker/conf-workers/supervisord.conf.j2 b/docker/conf-workers/supervisord.conf.j2
@@ -3,7 +3,6 @@
 # that have been selected.
 [supervisord]
 nodaemon=true
-user=root
 
 [program:nginx]
 command=/usr/sbin/nginx -g "daemon off;"
@@ -12,7 +11,6 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-username=www-data
 autorestart=true
 
 [program:redis]
@@ -22,7 +20,6 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-username=redis
 autorestart=true
 
 [program:synapse_main]
@@ -38,4 +35,4 @@ autorestart=unexpected
 exitcodes=0
 
 # Additional process blocks
-{{ worker_config }}
+{{ worker_config }}