
Commit 48be16b

committed
Issue #5 make elastisearch run as a normal user.
- Add a docker-entrypoint.sh script that drops root privileges when starting elasticsearch. The script uses `gosu` to drop privileges.
- Add `ENTRYPOINT`, while keeping `CMD` for clarity.
- Fix the `update.sh` script to work with the new elastic.co site.

Most of this update is shamelessly borrowed from the PostgreSQL official image.
1 parent 68d7d54 commit 48be16b

7 files changed

+119
-4
lines changed

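--- a/1.3/Dockerfile
+++ b/1.3/Dockerfile
@@ -1,5 +1,13 @@
 FROM java:7-jre
 
+# grab gosu for easy step-down from root
+RUN gpg --keyserver pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
+RUN curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture)" \
+&& curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture).asc" \
+&& gpg --verify /usr/local/bin/gosu.asc \
+&& rm /usr/local/bin/gosu.asc \
+&& chmod +x /usr/local/bin/gosu
+
 RUN apt-key adv --keyserver pool.sks-keyservers.net --recv-keys 46095ACC8548582C1A2699A9D27D666CD88E42B4
 
 ENV ELASTICSEARCH_VERSION 1.3.9
@@ -15,7 +23,10 @@ COPY config /usr/share/elasticsearch/config
 
 VOLUME /usr/share/elasticsearch/data
 
+COPY docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
 EXPOSE 9200 9300
 
 CMD ["elasticsearch"]
-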
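Review bot: The `gpg --verify /usr/local/bin/gosu.asc` step in the added gosu `RUN` names only the signature and leaves gpg to infer the signed file from the `.asc` name; naming both makes it explicit which file was checked: `&& gpg --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \`. The key fetch is a separate `RUN` layer and the imported key stays in root's keyring in the image; fetching it inside the same `RUN` under a temporary `GNUPGHOME` that is removed afterwards would avoid that. Adding `-f` to both `curl` calls would make an HTTP error fail the step directly instead of relying on the signature check to catch a saved error page. The same lines appear in 1.4/Dockerfile and Dockerfile.template.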

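--- a/1.3/docker-entrypoint.sh
+++ b/1.3/docker-entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+# Add elasticsearch as command if needed
+if [ "${1:0:1}" = '-' ]; then
+set -- elasticsearch "$@"
+fi
+
+# Drop root privileges if we are running elasticsearch
+if [ "$1" = 'elasticsearch' ]; then
+# Change the ownership of /usr/share/elasticsearch/data to elasticsearch
+chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data
+exec gosu elasticsearch "$@"
+fi
+
+# As argument is not related to elasticsearch,
+# then assume that user wants to run his own process,
+# for example a `bash` shell to explore this image
+exec "$@"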
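Review bot: The privilege-drop branch (`if [ "$1" = 'elasticsearch' ]; then`) assumes the container starts as root; when it is started with `--user`, the `chown -R` fails and `set -e` aborts before elasticsearch runs. Gating on the effective uid keeps both modes working: `if [ "$1" = 'elasticsearch' ] && [ "$(id -u)" = '0' ]; then`, with the non-root case falling through to the final `exec "$@"`. The recursive `chown` also runs on every start, which may be slow on a large data volume. The comment above the final `exec "$@"` could add that any other command keeps the uid the container started with (root by default). The same script is added as 1.4/docker-entrypoint.sh and docker-entrypoint.sh.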

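--- a/1.4/Dockerfile
+++ b/1.4/Dockerfile
@@ -1,5 +1,13 @@
 FROM java:7-jre
 
+# grab gosu for easy step-down from root
+RUN gpg --keyserver pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
+RUN curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture)" \
+&& curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture).asc" \
+&& gpg --verify /usr/local/bin/gosu.asc \
+&& rm /usr/local/bin/gosu.asc \
+&& chmod +x /usr/local/bin/gosu
+
 RUN apt-key adv --keyserver pool.sks-keyservers.net --recv-keys 46095ACC8548582C1A2699A9D27D666CD88E42B4
 
 ENV ELASTICSEARCH_VERSION 1.4.4
@@ -15,7 +23,10 @@ COPY config /usr/share/elasticsearch/config
 
 VOLUME /usr/share/elasticsearch/data
 
+COPY docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
 EXPOSE 9200 9300
 
 CMD ["elasticsearch"]
-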

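--- a/1.4/docker-entrypoint.sh
+++ b/1.4/docker-entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+# Add elasticsearch as command if needed
+if [ "${1:0:1}" = '-' ]; then
+set -- elasticsearch "$@"
+fi
+
+# Drop root privileges if we are running elasticsearch
+if [ "$1" = 'elasticsearch' ]; then
+# Change the ownership of /usr/share/elasticsearch/data to elasticsearch
+chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data
+exec gosu elasticsearch "$@"
+fi
+
+# As argument is not related to elasticsearch,
+# then assume that user wants to run his own process,
+# for example a `bash` shell to explore this image
+exec "$@"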

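--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -0,0 +1,32 @@
+FROM java:7-jre
+
+# grab gosu for easy step-down from root
+RUN gpg --keyserver pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
+RUN curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture)" \
+&& curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture).asc" \
+&& gpg --verify /usr/local/bin/gosu.asc \
+&& rm /usr/local/bin/gosu.asc \
+&& chmod +x /usr/local/bin/gosu
+
+RUN apt-key adv --keyserver pool.sks-keyservers.net --recv-keys 46095ACC8548582C1A2699A9D27D666CD88E42B4
+
+ENV ELASTICSEARCH_VERSION %%VERSION%%
+
+RUN echo "deb http://packages.elasticsearch.org/elasticsearch/${ELASTICSEARCH_VERSION%.*}/debian stable main" > /etc/apt/sources.list.d/elasticsearch.list
+
+RUN apt-get update \
+&& apt-get install elasticsearch=$ELASTICSEARCH_VERSION \
+&& rm -rf /var/lib/apt/lists/*
+
+ENV PATH /usr/share/elasticsearch/bin:$PATH
+COPY config /usr/share/elasticsearch/config
+
+VOLUME /usr/share/elasticsearch/data
+
+COPY docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+EXPOSE 9200 9300
+
+CMD ["elasticsearch"]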
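Review bot: `apt-get install elasticsearch=$ELASTICSEARCH_VERSION` runs without `-y`, so the build would abort if the package ever needs a confirmation, for example when it pulls in a new dependency; `&& apt-get install -y --no-install-recommends elasticsearch=$ELASTICSEARCH_VERSION \` is non-interactive and keeps recommended packages out of the image. The sources line uses `http://`, so package integrity rests on the apt key imported just above; a short comment saying so would help the next reader. Since update.sh on this page now generates the versioned Dockerfiles from this template, a header comment stating that edits belong here rather than in `1.3/` or `1.4/` would also be worth adding.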

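--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+# Add elasticsearch as command if needed
+if [ "${1:0:1}" = '-' ]; then
+set -- elasticsearch "$@"
+fi
+
+# Drop root privileges if we are running elasticsearch
+if [ "$1" = 'elasticsearch' ]; then
+# Change the ownership of /usr/share/elasticsearch/data to elasticsearch
+chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data
+exec gosu elasticsearch "$@"
+fi
+
+# As argument is not related to elasticsearch,
+# then assume that user wants to run his own process,
+# for example a `bash` shell to explore this image
+exec "$@"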

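--- a/update.sh
+++ b/update.sh
@@ -5,9 +5,10 @@ cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"
 
 versions=( */ )
 versions=( "${versions[@]%/}" )
-downloadable=$(curl -sSL 'http://www.elasticsearch.org/downloads' | sed -rn 's!.*?http://www.elasticsearch.org/downloads/[0-9]+-[0-9]+-[0-9]+/">Download v ([0-9]+\.[0-9]+\.[0-9]+)<.*!\1!gp')
+downloadable=$(curl -sSL 'https://www.elastic.co/downloads/past-releases' | sed -rn 's!.*?/downloads/past-releases/[0-9]+-[0-9]+-[0-9]+">Elasticsearch ([0-9]+\.[0-9]+\.[0-9]+)<.*!\1!gp')
 
 for version in "${versions[@]}"; do
 recent=$(echo "$downloadable" | grep -m 1 "$version")
-sed -ri -e 's/^(ENV ELASTICSEARCH_VERSION) .*/\1 '"$recent"'/' "$version/Dockerfile"
+sed 's/%%VERSION%%/'"$recent"'/' <Dockerfile.template >"$version/Dockerfile"
+cp -p docker-entrypoint.sh $version
 done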
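Review bot: The new `sed ... >"$version/Dockerfile"` line truncates the target before anything is known about `$recent`, so if the scrape of the past-releases page matches nothing the Dockerfile may be rewritten with an empty `ELASTICSEARCH_VERSION`. A guard before it, `[ -n "$recent" ] || { echo >&2 "no release found for $version"; continue; }`, would leave the existing file alone. `$version` is unquoted in the added `cp`; `cp -p docker-entrypoint.sh "$version/"` is safer. The script starts above the hunk, so whether `set -e` already stops it on a failed `grep` is not visible here.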
