Don't run sidecar app as root user, fixes #291

bitpoke · May 6, 2019 · 98fa100 · 98fa100
1 parent 227495b
commit 98fa100
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 3 deletions.
diff --git a/Dockerfile.sidecar b/Dockerfile.sidecar
@@ -32,6 +32,10 @@ RUN wget -nv https://github.com/ncw/rclone/releases/download/v1.46/rclone-v1.46-
 # Copy the mysql-operator-sidecar into it's own image
 FROM debian:stretch-slim as sidecar
 
+RUN groupadd -g 999 mysql
+RUN useradd -u 999 -r -g 999 -s /sbin/nologin \
+    -c "Default Application User" mysql
+
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
         apt-transport-https ca-certificates wget \
@@ -50,6 +54,8 @@ RUN apt-get update \
     && wget https://github.com/maxbube/mydumper/archive/v0.9.5.tar.gz -O /usr/share/src/mydumper-v0.9.5.tar.gz
 
 
+USER mysql
+
 COPY ./hack/docker/sidecar-entrypoint.sh /usr/local/bin/sidecar-entrypoint.sh
 COPY --from=builder /go/src/github.com/presslabs/mysql-operator/mysql-operator-sidecar /usr/local/bin/mysql-operator-sidecar
 COPY --from=rclone /usr/local/bin/rclone /usr/local/bin/rclone

diff --git a/hack/development/Dockerfile.sidecar b/hack/development/Dockerfile.sidecar
@@ -1,6 +1,11 @@
 # Copy the mysql-operator-sidecar into it's own image
+# NOTE: this image is for development only
 FROM debian:stretch-slim as sidecar
 
+RUN groupadd -g 999 mysql
+RUN useradd -u 999 -r -g 999 -s /sbin/nologin \
+    -c "Default Application User" mysql
+
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
         apt-transport-https ca-certificates wget \
@@ -23,6 +28,8 @@ RUN apt-get update \
     && rm -rf rclone-*-linux-amd64 rclone-current-linux-amd64.zip \
     && chmod 755 /usr/local/bin/rclone
 
+USER mysql
+
 # set expiration time for dev images
 # https://support.coreos.com/hc/en-us/articles/115001384693-Tag-Expiration
 LABEL quay.expires-after=2d

diff --git a/hack/docker/sidecar-entrypoint.sh b/hack/docker/sidecar-entrypoint.sh
@@ -2,7 +2,7 @@
 set -e
 
 echo "Create rclone.conf file."
-cat <<EOF > /etc/rclone.conf
+cat <<EOF > /tmp/rclone.conf
 [s3]
 type = s3
 env_auth = false

diff --git a/pkg/controller/mysqlcluster/internal/syncer/statefullset.go b/pkg/controller/mysqlcluster/internal/syncer/statefullset.go
@@ -126,7 +126,8 @@ func (s *sfsSyncer) ensurePodSpec() core.PodSpec {
 		ImagePullSecrets: s.cluster.Spec.PodSpec.ImagePullSecrets,
 		SecurityContext: &core.PodSecurityContext{
 			// mount volumes with mysql gid
-			FSGroup: &fsGroup,
+			FSGroup:   &fsGroup,
+			RunAsUser: &fsGroup,
 		},
 	}
 }

diff --git a/pkg/sidecar/server.go b/pkg/sidecar/server.go
@@ -91,7 +91,8 @@ func (s *server) backupHandler(w http.ResponseWriter, r *http.Request) {
 	xtrabackup := exec.Command("xtrabackup", "--backup", "--slave-info", "--stream=xbstream",
 		fmt.Sprintf("--tables-exclude=%s.%s", toolsDbName, toolsInitTableName),
 		"--host=127.0.0.1", fmt.Sprintf("--user=%s", s.cfg.ReplicationUser),
-		fmt.Sprintf("--password=%s", s.cfg.ReplicationPassword))
+		fmt.Sprintf("--password=%s", s.cfg.ReplicationPassword),
+		"--target-dir=/tmp/xtrabackup_backupfiles/")
 
 	xtrabackup.Stderr = os.Stderr