alpine docker image doesn't run entrypoint as root

Set USER directrive in the Dockerfile to the consul-template user
created to run consul-template.

Made this change as some organizations security policies require it. The
only reason it wasn't done this way before was to run a chown on the
(possibly) bind mounted directories and this is a bad practice anyways
(who knows who the user matches on the external system).

Only change the alpine image this way as the other 2 (scratch and light)
purposely do as little as possible so they don't even create the user.

Fixes #1321

CHANGELOG.md

@@ -1,3 +1,10 @@
+## v0.24.0 (Dec NN, 2019)
+
+BREAKING CHANGES:
+
+* Alpine Docker image no longer runs as root and so doesn't change ownership of the /consul-template/data and /consul-template/config directories to the consul-template user.
+
+
 ## v0.23.0 (Nov 13, 2019)
 
 IMPROVEMENTS:

docker/alpine/Dockerfile

@@ -46,7 +46,7 @@ RUN apk add --no-cache ca-certificates curl gnupg libcap openssl && \
     gpg --batch --verify docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS.sig docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS && \
     grep ${DOCKER_BASE_VERSION}_linux_amd64.zip docker-base_${DOCKER_BASE_VERSION}_SHA256SUMS | sha256sum -c && \
     unzip docker-base_${DOCKER_BASE_VERSION}_linux_amd64.zip && \
-    cp bin/gosu bin/dumb-init /bin && \
+    cp bin/dumb-init /bin && \
     cd /tmp && \
     rm -rf /tmp/build && \
     apk del gnupg openssl && \
@@ -55,8 +55,8 @@ RUN apk add --no-cache ca-certificates curl gnupg libcap openssl && \
 # Install consul-template
 COPY --from=builder "/consul-template" "/bin/consul-template"
 
-# The agent will be started with /consul-template/config as the configuration directory
-# so you can add additional config files in that location.
+# The agent will be started with /consul-template/config as the configuration
+# directory so you can add additional config files in that location.
 RUN mkdir -p /consul-template/data && \
     mkdir -p /consul-template/config && \
     chown -R consul-template:consul-template /consul-template
@@ -70,6 +70,7 @@ VOLUME /consul-template/data
 COPY "docker/alpine/docker-entrypoint.sh" "/bin/docker-entrypoint.sh"
 RUN chmod +x "/bin/docker-entrypoint.sh"
 ENTRYPOINT ["/bin/docker-entrypoint.sh"]
+USER consul-template:consul-template
 
 # Run consul-template by default
 CMD ["/bin/consul-template"]

docker/alpine/docker-entrypoint.sh

@@ -6,37 +6,21 @@ set -e
 # wouldn't do either of these functions so we'd leak zombies as well as do
 # unclean termination of all our sub-processes.
 
-# CONSUL_DATA_DIR is exposed as a volume for possible persistent storage.
 # CT_CONFIG_DIR isn't exposed as a volume but you can compose additional config
 # files in there if you use this image as a base, or use CT_LOCAL_CONFIG below.
-CT_DATA_DIR=/consul-template/config
 CT_CONFIG_DIR=/consul-template/config
 
-# If the user is trying to run consul-template directly with some arguments, then
-# pass them to consul-template.
-if [ "${1:0:1}" = '-' ]; then
-  set -- /bin/consul-template "$@"
-fi
+# If the user is trying to run consul-template directly with some arguments,
+# then pass them to consul-template.
+# On alpine /bin/sh is busybox which supports the bashism below.
+if [ "${1:0:1}" = '-' ]; then set -- /bin/consul-template "$@" fi
 
-# If we are running Consul, make sure it executes as the proper user.
+# Set the configuration directory
 if [ "$1" = '/bin/consul-template' ]; then
-  # If the data or config dirs are bind mounted then chown them.
-  # Note: This checks for root ownership as that's the most common case.
-  if [ "$(stat -c %u /consul-template/data)" != "$(id -u consul-template)" ]; then
-    chown consul-template:consul-template /consul-template/data
-  fi
-  if [ "$(stat -c %u /consul-template/config)" != "$(id -u consul-template)" ]; then
-    chown consul-template:consul-template /consul-template/config
-  fi
-
-  # Set the configuration directory
   shift
   set -- /bin/consul-template \
     -config="$CT_CONFIG_DIR" \
     "$@"
-
-  # Run under the right user
-  set -- gosu consul-template "$@"
 fi
 
 exec "$@"