Group ownership in Docker image prevents running on OpenShift #307

Closed
agc93 opened this issue Sep 13, 2017 · 6 comments
agc93 commented Sep 13, 2017

Request Type

Bug / Feature Request
sort of both, realistically

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Docker (Debian 8.6) |
| OS version (client) | Fedora 26 |
| TheHive version / git hash | |
| Package Type | Docker |

Problem Description

In the Dockerfile generated during the build, the permissions on /opt/thehive are specifically set to the daemon user on line 8:

RUN ["chown", "-R", "daemon:daemon", "."]

Currently, this prevents running this image on OpenShift since it uses randomised high UIDs to run the container.

This could be fixed by changing the directory to use the root (or 0) group, retaining the daemon user's ownership. That is:

RUN ["chown", "-R", "daemon:root", "."]

From what I can tell, this would not break any existing use cases but would allow it to run on OpenShift platforms unmodified.

Let me know if this change would be acceptable and I can open a PR.

Steps to Reproduce

  1. Run certbdf/thehive image in OpenShift
  2. Wait for pod to crash (and go into backoff)
  3. Check logs to see permission denied errors

To test resolution:

  1. Create new Dockerfile as follows:

         FROM certbdf/thehive:latest
         USER root
         RUN chgrp -R 0 /opt
         USER daemon

  2. Build image, push to registry, run in new project
  3. Pod should now start and TheHive can be accessed from OpenShift service

Possible Solutions

Change ownership on /opt/thehive directory to daemon:root

Complementary information

The same problem/change applies to Cortex as well, but I want to make sure this change would be accepted before I open an issue/PR there as well.
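
An added check, not part of the original issue or TheHive's build: the shell function below audits a directory tree for the condition described above, paths whose group is not the one an arbitrary-UID container process runs with (GID 0 on OpenShift). Going beyond the issue, it also flags paths where the group has fewer permission bits than the owner, on the assumption that the process needs the same access as `daemon`. The function name and output format are hypothetical, and `stat -c` (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example; audit_gid_access is a hypothetical helper name.
# Usage: audit_gid_access DIR [GID]
# Lists paths under DIR that a process with an arbitrary UID and group GID
# (default 0, the group OpenShift assigns) cannot use the way the owner can.
# Returns 0 when nothing is flagged, 1 otherwise.
# Assumes `stat -c`; paths containing newlines are not handled.
audit_gid_access() {
    dir=$1
    want_gid=${2:-0}
    # Symlinks are skipped: their own mode and group do not control access.
    report=$(find "$dir" ! -type l -exec stat -c '%g %a %n' {} + |
        while read -r gid mode path; do
            perms=$((0$mode))                  # %a is octal, e.g. 755
            user_bits=$(( (perms >> 6) & 7 ))
            group_bits=$(( (perms >> 3) & 7 ))
            if [ "$gid" -ne "$want_gid" ]; then
                printf 'wrong-group gid=%s mode=%s %s\n' "$gid" "$mode" "$path"
            elif [ $(( user_bits & ~group_bits & 7 )) -ne 0 ]; then
                printf 'group-lacks-owner-bits mode=%s %s\n' "$mode" "$path"
            fi
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Run inside the image, `audit_gid_access /opt/thehive` prints nothing once every path has group 0 and group bits that cover the owner bits.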

@To-om To-om self-assigned this Sep 15, 2017
@To-om To-om added this to the 2.13.0 milestone Sep 15, 2017
To-om commented Sep 15, 2017

I've fixed file ownership but it seems that ElasticSearch image has the same problem. So it fails on OpenShift.

Please tell us if you successfully run TheHive on OpenShift (with ElasticSearch).

agc93 commented Sep 15, 2017

Thanks for the quick fix @To-om !

I had it working yesterday using a custom image (just using your image with the required chown/chmod commands RUN'd in to it), but now that I've switched back to your image, I'm getting errors between TheHive and Elasticsearch:

ElasticSearch cluster is unreachable
java.lang.IllegalStateException: Received message from unsupported version: [5.0.0] minimal compatible version is: [2.0.0]

Has something else changed at the same time?

To-om commented Sep 15, 2017

The latest version of the docker image uses TheHive 2.13 which needs ElasticSearch 5.x.

You can try the docker image certbdf/thehive:2.12.1-2

agc93 commented Sep 15, 2017

Awesome, thanks! Will the docker/thehive/docker-compose.yml file be updated for 2.13 when it's released? I'm not too familiar with Elastic so couldn't get the elasticsearch:5 image running properly..

To-om commented Sep 15, 2017

I forgot to update this file, I'll do it.
The updated docker-compose.yml is in TheHive docker guide

To-om commented Sep 15, 2017

docker-compose file has been tested and updated.
