From 591efd5a653b3257aa8926de4e4ae65e0365cfee Mon Sep 17 00:00:00 2001
From: rjshrjndrn
Date: Wed, 20 Jul 2022 17:18:04 +0000
Subject: [PATCH] chore(docker): Run non root users for containers
Signed-off-by: rjshrjndrn
---
api/Dockerfile | 3 +++
api/Dockerfile.alerts | 2 ++
api/Dockerfile.bundle | 2 ++
backend/Dockerfile | 2 ++
ee/api/Dockerfile | 3 +++
ee/api/Dockerfile.alerts | 3 +++
ee/api/Dockerfile.crons | 3 +++
ee/utilities/Dockerfile | 2 ++
frontend/Dockerfile | 8 ++++++++
peers/Dockerfile | 2 ++
scripts/helmcharts/init.sh | 8 ++++++--
scripts/helmcharts/openreplay/charts/sink/values.yaml | 6 +++++-
scripts/helmcharts/openreplay/charts/storage/values.yaml | 6 +++++-
utilities/Dockerfile | 2 ++
14 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/api/Dockerfile b/api/Dockerfile
index b92e909e4..0d949e25e 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -22,5 +22,8 @@ WORKDIR /work
COPY . .
RUN mv env.default .env && mv /work_tmp/node_modules sourcemap-reader/.
+RUN adduser -u 1001 openreplay -D
+USER 1001
+
ENTRYPOINT ["/sbin/tini", "--"]
CMD ./entrypoint.sh
diff --git a/api/Dockerfile.alerts b/api/Dockerfile.alerts
index 5830966b3..c4614b3c1 100644
--- a/api/Dockerfile.alerts
+++ b/api/Dockerfile.alerts
@@ -16,5 +16,7 @@ WORKDIR /work
COPY . .
RUN mv env.default .env && mv app_alerts.py app.py && mv entrypoint_alerts.sh entrypoint.sh
+RUN adduser -u 1001 openreplay -D
+USER 1001
ENTRYPOINT ["/sbin/tini", "--"]
CMD ./entrypoint.sh
diff --git a/api/Dockerfile.bundle b/api/Dockerfile.bundle
index 2f58635f2..b047f6d6c 100644
--- a/api/Dockerfile.bundle
+++ b/api/Dockerfile.bundle
@@ -23,5 +23,7 @@ ARG envarg
ENV ENTERPRISE_BUILD ${envarg}
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
RUN chmod +x /tini
+RUN adduser -u 1001 openreplay -D
+USER 1001
ENTRYPOINT ["/tini", "--"]
CMD ./entrypoint.sh
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 132fef1b0..648d82bea 100644
--- a/backend/Dockerfile
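Review bot: `RUN adduser -u 1001 openreplay -D` pins the UID but leaves the GID to whatever the BusyBox-style adduser allocates, and `USER 1001` names only a user, so the group the process runs as is not guaranteed to be 1001 even though the sink and storage charts in this same patch set `runAsGroup: 1001` and `fsGroup: 1001`. Creating the group explicitly keeps image and chart in agreement: `RUN addgroup -g 1001 openreplay && adduser -u 1001 -G openreplay -D openreplay` followed by `USER 1001:1001`. The same two added lines appear in api/Dockerfile.alerts, api/Dockerfile.bundle, backend/Dockerfile, ee/api/Dockerfile, ee/api/Dockerfile.alerts, ee/api/Dockerfile.crons, ee/utilities/Dockerfile, peers/Dockerfile and utilities/Dockerfile and need the same treatment. Note also that `COPY . .` and the `mv` into `/work` ran as root, so the tree stays root-owned after `USER 1001`; that is the right default for a read-only app directory, but if `./entrypoint.sh` (not visible here) writes into `/work` it will now fail and a targeted `COPY --chown=1001:1001` of just that path would be needed.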
+++ b/backend/Dockerfile
@@ -69,4 +69,6 @@ RUN if [ "$SERVICE_NAME" = "http" ]; then \
COPY --from=build /root/service /root/service
+RUN adduser -u 1001 openreplay -D
+USER 1001
ENTRYPOINT /root/service
diff --git a/ee/api/Dockerfile b/ee/api/Dockerfile
index 1c5be7f36..2500d2bfb 100644
--- a/ee/api/Dockerfile
+++ b/ee/api/Dockerfile
@@ -20,5 +20,8 @@ WORKDIR /work
COPY . .
RUN mv env.default .env && mv /work_tmp/node_modules sourcemap-reader/.
+RUN adduser -u 1001 openreplay -D
+USER 1001
+
ENTRYPOINT ["/sbin/tini", "--"]
CMD ./entrypoint.sh
diff --git a/ee/api/Dockerfile.alerts b/ee/api/Dockerfile.alerts
index a3bee2a28..785b0a5f9 100644
--- a/ee/api/Dockerfile.alerts
+++ b/ee/api/Dockerfile.alerts
@@ -16,5 +16,8 @@ WORKDIR /work
COPY . .
RUN mv env.default .env && mv app_alerts.py app.py && mv entrypoint_alerts.sh entrypoint.sh
+RUN adduser -u 1001 openreplay -D
+USER 1001
+
ENTRYPOINT ["/sbin/tini", "--"]
CMD ./entrypoint.sh
diff --git a/ee/api/Dockerfile.crons b/ee/api/Dockerfile.crons
index e29b4440f..0647c6fc6 100644
--- a/ee/api/Dockerfile.crons
+++ b/ee/api/Dockerfile.crons
@@ -18,5 +18,8 @@ WORKDIR /work
COPY . .
RUN mv env.default .env && mv entrypoint_crons.sh entrypoint.sh
+RUN adduser -u 1001 openreplay -D
+USER 1001
+
ENTRYPOINT ["/sbin/tini", "--"]
CMD ./entrypoint.sh
diff --git a/ee/utilities/Dockerfile b/ee/utilities/Dockerfile
index 3c9d2f600..f01c7d71c 100644
--- a/ee/utilities/Dockerfile
+++ b/ee/utilities/Dockerfile
@@ -12,5 +12,7 @@ COPY package.json .
COPY package-lock.json .
RUN npm install
COPY . .
+RUN adduser -u 1001 openreplay -D
+USER 1001
ENTRYPOINT ["/sbin/tini", "--"]
CMD npm start
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index b87d5c172..2ab0312ab 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
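Review bot: The binary is still installed at `/root/service` and started with `ENTRYPOINT /root/service` after `USER 1001`; if the runtime stage's `/root` is mode 0700, as it is on Alpine and Debian bases, a UID-1001 process cannot traverse it and the container will fail at start with a permission error, so this is worth a quick `docker run` against the built image before merging. Placing the artifact outside the root home avoids the problem: `COPY --from=build /root/service /usr/local/bin/service` with `ENTRYPOINT ["/usr/local/bin/service"]`. That rewrite also moves the entrypoint from shell form to exec form, so the service becomes PID 1 and receives SIGTERM from `docker stop` or the kubelet directly.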
@@ -17,3 +17,11 @@ LABEL maintainer=Rajesh
RUN apk upgrade busybox --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main
COPY --from=builder /work/public /var/www/openreplay
COPY nginx.conf /etc/nginx/conf.d/default.conf
+
+RUN chown -R nginx:nginx /var/cache/nginx && \
+ chown -R nginx:nginx /var/log/nginx && \
+ chown -R nginx:nginx /etc/nginx/conf.d && \
+ touch /var/run/nginx.pid && \
+ chown -R nginx:nginx /var/run/nginx.pid
+
+USER nginx
diff --git a/peers/Dockerfile b/peers/Dockerfile
index 98475f750..b05fdee3a 100644
--- a/peers/Dockerfile
+++ b/peers/Dockerfile
@@ -10,5 +10,7 @@ COPY package.json .
COPY package-lock.json .
RUN npm install
COPY . .
+RUN adduser -u 1001 openreplay -D
+USER 1001
ENTRYPOINT ["/sbin/tini", "--"]
CMD npm start
diff --git a/scripts/helmcharts/init.sh b/scripts/helmcharts/init.sh
index 078a60583..5fe454f90 100644
--- a/scripts/helmcharts/init.sh
+++ b/scripts/helmcharts/init.sh
@@ -107,8 +107,12 @@ sed_i_wrapper -i "s/secretKey: \"changeMeMinioPassword\"/secretKey: \"$(randomPa
sed_i_wrapper -i "s/jwt_secret: \"SetARandomStringHere\"/jwt_secret: \"$(randomPass)\"/g" vars.yaml
sed_i_wrapper -i "s/domainName: \"\"/domainName: \"${DOMAIN_NAME}\"/g" vars.yaml
+info "Setting proper permission for shared folder"
+sudo mkdir -p /openreplay/storage/nfs
+sudo chown -R 1001:1001 /openreplay/storage/nfs
+
## Installing OpenReplay
-info "Installing databases"
+info "installing databases"
helm upgrade --install databases ./databases -n db --create-namespace --wait -f ./vars.yaml --atomic
-info "Installing application"
+info "installing application"
helm upgrade --install openreplay ./openreplay -n app --create-namespace --wait -f ./vars.yaml --atomic
diff --git a/scripts/helmcharts/openreplay/charts/sink/values.yaml b/scripts/helmcharts/openreplay/charts/sink/values.yaml
index 11df1d4e7..a37ecfa41 100644
--- a/scripts/helmcharts/openreplay/charts/sink/values.yaml
+++ b/scripts/helmcharts/openreplay/charts/sink/values.yaml
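Review bot: `USER nginx` drops privileges for the master process, but nothing in this hunk changes the listen port, so if the copied `nginx.conf` (not visible here) still binds 80, nginx will fail at startup without CAP_NET_BIND_SERVICE; moving the `listen` directive to 8080 or another port above 1024 and updating the container port in the chart is the usual fix. A named `USER` also cannot be checked by Kubernetes `runAsNonRoot: true`, so prefer the numeric UID the base image assigns to nginx (`USER 101` in the official nginx images, verify against this base). The `chown` of `/etc/nginx/conf.d` hands the serving user write access to its own configuration; unless an entrypoint rewrites the config at runtime, leaving that directory root-owned keeps it read-only to nginx, and `chown -R` on the single file `/var/run/nginx.pid` can simply be `chown nginx:nginx`.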
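Review bot: `sudo chown -R 1001:1001 /openreplay/storage/nfs` hard-codes the same UID that the Dockerfiles' `adduser -u 1001` and the charts' `runAsUser`/`fsGroup` use, with nothing in the script tying the three together; a variable near the top of init.sh, `OPENREPLAY_UID=1001`, used here and documented with a comment such as `# must match the uid created in the service Dockerfiles and runAsUser in the sub-charts`, makes the coupling visible to whoever changes one of them. `chown -R` also rewrites ownership of everything already under that path on a re-run of the installer, which looks intended but deserves a mention in the `info` message. The case change from `Installing` to `installing` in the two `info` lines is unrelated to the commit's purpose and alters operator-visible output, so I would leave those lines as they were.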
@@ -25,7 +25,11 @@ serviceAccount:
podAnnotations: {}
-podSecurityContext: {}
+podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ fsGroupChangePolicy: "OnRootMismatch"
# fsGroup: 2000
securityContext: {}
diff --git a/scripts/helmcharts/openreplay/charts/storage/values.yaml b/scripts/helmcharts/openreplay/charts/storage/values.yaml
index 5adbf189f..b73c2cf1e 100644
--- a/scripts/helmcharts/openreplay/charts/storage/values.yaml
+++ b/scripts/helmcharts/openreplay/charts/storage/values.yaml
@@ -25,7 +25,11 @@ serviceAccount:
podAnnotations: {}
-podSecurityContext: {}
+podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ fsGroupChangePolicy: "OnRootMismatch"
# fsGroup: 2000
securityContext: {}
diff --git a/utilities/Dockerfile b/utilities/Dockerfile
index cb9d081f1..cbf217339 100644
--- a/utilities/Dockerfile
+++ b/utilities/Dockerfile
@@ -12,5 +12,7 @@ COPY package.json .
COPY package-lock.json .
RUN npm install
COPY . .
+RUN adduser -u 1001 openreplay -D
+USER 1001
ENTRYPOINT ["/sbin/tini", "--"]
CMD npm start
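Review bot: The new `podSecurityContext` sets `runAsUser`, `runAsGroup` and `fsGroup` to 1001 but leaves `runAsNonRoot` unset and the container-level `securityContext: {}` empty, so nothing makes the kubelet refuse an image that starts as root (for instance if the Dockerfile `USER` line is dropped later) and the container keeps the default capability set. Add `runAsNonRoot: true` to `podSecurityContext`, and on `securityContext` set `allowPrivilegeEscalation: false` plus `capabilities: { drop: [ALL] }`, after confirming the sink binary needs no capability. The storage chart's values.yaml in this same patch carries the identical block and needs the same additions. `fsGroupChangePolicy: "OnRootMismatch"` is, as far as I recall, beta from Kubernetes 1.20 and GA from 1.23, so the chart should state that minimum version if it does not already.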