From 30d5580cd7c2ef640ef8da800da83e25d8588e93 Mon Sep 17 00:00:00 2001
From: Razvan Dobre
Date: Tue, 25 Jun 2024 20:30:28 +0300
Subject: [PATCH] Make envoy user part of the tty group instead of chown stderr/stdout (#34830)

Signed-off-by: Razvan Dobre
---
 ci/Dockerfile-envoy | 3 ++-
 ci/docker-entrypoint.sh | 2 --
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/ci/Dockerfile-envoy b/ci/Dockerfile-envoy
index befae3be0755..9c6256f70ffc 100644
--- a/ci/Dockerfile-envoy
+++ b/ci/Dockerfile-envoy
@@ -17,8 +17,9 @@ FROM ${BUILD_OS}:${BUILD_TAG} AS envoy-base
 ENV DEBIAN_FRONTEND=noninteractive
 EXPOSE 10000
 CMD ["envoy", "-c", "/etc/envoy/envoy.yaml"]
+# Ensure the envoy user is able to write to container logs owned by root:tty
 RUN mkdir -p /etc/envoy \
- && adduser --group --system envoy
+ && useradd --system --no-create-home -d /nonexistent --groups tty --shell /usr/sbin/nologin envoy
 ENTRYPOINT ["/docker-entrypoint.sh"]
 # NB: Adding this here means that following steps, for example updating the system packages, are run
 # when the version file changes. This should mean that a release version will always update.
diff --git a/ci/docker-entrypoint.sh b/ci/docker-entrypoint.sh
index 6337b4621cb3..5e06490588a8 100755
--- a/ci/docker-entrypoint.sh
+++ b/ci/docker-entrypoint.sh
@@ -24,8 +24,6 @@ if [ "$ENVOY_UID" != "0" ] && [ "$USERID" = 0 ]; then
 if [ -n "$ENVOY_GID" ]; then
 groupmod -g "$ENVOY_GID" envoy
 fi
- # Ensure the envoy user is able to write to container logs
- chown envoy:envoy /dev/stdout /dev/stderr
 exec su-exec envoy "${@}"
 else
 exec "${@}"
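Review bot: The `--groups tty` on the new `useradd` line only helps when stdout/stderr are a pseudo-terminal owned by `root:tty`. Without a TTY they are usually pipes, and since this patch also removes the `chown` from `ci/docker-entrypoint.sh`, the `envoy` user may get a permission error on configs that open `/dev/stdout` or `/dev/stderr` by path, so both the `-t` and non-`-t` cases are worth testing. Membership in `tty` is also broader than the old targeted chown, since it presumably gives the unprivileged process group-write on every `tty`-group terminal in the container; the comment could say so, e.g. `# NB: tty membership applies to any root:tty pty in the container, not only envoy's own stdout/stderr`. Separately, the entrypoint still runs `groupmod -g "$ENVOY_GID" envoy`, which needs an `envoy` group: `adduser --group` created it explicitly, while `useradd` relies on the base image's login.defs default, so adding `--user-group` would make that explicit. The `envoy-base` stage starts and continues outside this hunk.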