Skip to content

Update docker image to run as non-root #2265

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zalegrala merged 11 commits into from
Apr 4, 2024
Merged

Update docker image to run as non-root #2265

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
bd40ef9
Update Tempo image to run as non-root
zalegrala Mar 27, 2023
ade6deb
Change ownership of /var/tempo
zalegrala Mar 27, 2023
fb32d0e
Breadcrumbs for ingester filesystem permissions
zalegrala Mar 27, 2023
074fab1
Create the directory we attempt to chown
zalegrala Mar 28, 2023
b1b6ee6
Include initcontainer and adjust statefulset security for new UID
zalegrala Mar 15, 2024
16c0d16
Compile jsonnet
zalegrala Mar 15, 2024
ce904c9
Drop securityContext since the chown handles the permissions
zalegrala Mar 15, 2024
d102622
Adjust test path for ownership
zalegrala Mar 19, 2024
eefae10
Update changelog to note breaking change
zalegrala Apr 2, 2024
036803f
Drop extra object and include additional hardcode
zalegrala Apr 3, 2024
a16e52d
Improve language for CHANGELOG
zalegrala Apr 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,11 @@
* [ENHANCEMENT] Add querier metrics for requests executed [#3524](https://github.com/grafana/tempo/pull/3524) (@electron0zero)
* [FEATURE] Added gRPC streaming endpoints for all tag queries. [#3460](https://github.com/grafana/tempo/pull/3460) (@joe-elliott)
* [CHANGE] Align metrics query time ranges to the step parameter [#3490](https://github.com/grafana/tempo/pull/3490) (@mdisibio)
* [CHANGE] Change the UID and GID of the `tempo` user to avoid root [#2265](https://github.com/grafana/tempo/pull/2265) (@zalegrala)
Comment thread
zalegrala marked this conversation as resolved.
**BREAKING CHANGE** Ownership of /var/tempo is changing. Specifically the
ingester and metrics-generator statefulsets may need to be `chown`'d in order
to come up properly. A jsonnet example of an init container is included with
the PR.
* [ENHANCEMENT] Add string interning to TraceQL queries [#3411](https://github.com/grafana/tempo/pull/3411) (@mapno)
* [ENHANCEMENT] Add new (unsafe) query hints for metrics queries [#3396](https://github.com/grafana/tempo/pull/3396) (@mdisibio)
* [ENHANCEMENT] Add nestedSetLeft/Right/Parent instrinsics to TraceQL. [#3497](https://github.com/grafana/tempo/pull/3497) (@joe-elliott)
Expand Down
9 changes: 9 additions & 0 deletions cmd/tempo/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,13 @@ FROM alpine:3.19 as certs
RUN apk --update add ca-certificates
ARG TARGETARCH
COPY bin/linux/tempo-${TARGETARCH} /tempo

RUN addgroup -g 10001 -S tempo && \
adduser -u 10001 -S tempo -G tempo

RUN mkdir -p /var/tempo && \
chown -R tempo:tempo /var/tempo

USER 10001:10001

ENTRYPOINT ["/tempo"]
2 changes: 1 addition & 1 deletion integration/e2e/config-all-in-one-local.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,4 +56,4 @@ overrides:
client:
backend: local
local:
path: /var/tempo_overrides
path: /var/tempo/overrides
2 changes: 1 addition & 1 deletion integration/e2e/config-multi-tenant-local.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,4 +69,4 @@ overrides:
client:
backend: local
local:
path: /var/tempo_overrides
path: /var/tempo/overrides
35 changes: 35 additions & 0 deletions operations/jsonnet/microservices/common.libsonnet
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,27 @@
{

local k = import 'k.libsonnet',
local kausal = import 'ksonnet-util/kausal.libsonnet',

local container = k.core.v1.container,
local volumeMount = k.core.v1.volumeMount,
local statefulset = k.apps.v1.statefulSet,

tempo_chown_container(data_volume, uid)::
Comment thread
zalegrala marked this conversation as resolved.
Outdated
container.new('chown-' + data_volume, $._images.tempo) +
container.withCommand('chown') +
container.withArgs([
'-R',
uid,
Comment thread
zalegrala marked this conversation as resolved.
Outdated
'/var/tempo',
]) +
container.withVolumeMounts([
volumeMount.new(data_volume, '/var/tempo'),
]) +
container.securityContext.withRunAsUser(0) +
container.securityContext.withRunAsGroup(0) +
{},

util+:: {
local k = import 'ksonnet-util/kausal.libsonnet',
local container = k.core.v1.container,
Expand Down Expand Up @@ -62,5 +85,17 @@
},
},
},

withInitChown():: {
tempo_metrics_generator_statefulset+:
statefulset.spec.template.spec.withInitContainers([
self.tempo_metrics_generator_chown_container,
]),

tempo_ingester_statefulset+:
statefulset.spec.template.spec.withInitContainers([
self.tempo_ingester_chown_container,
]),
},
},
}
2 changes: 2 additions & 0 deletions operations/jsonnet/microservices/generator.libsonnet
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@
+ pvc.mixin.metadata.withLabels({ app: target_name })
+ pvc.mixin.metadata.withNamespace($._config.namespace),

tempo_metrics_generator_chown_container:: $.tempo_chown_container(tempo_data_volume, '10001'),

tempo_metrics_generator_container::
container.new(target_name, $._images.tempo) +
container.withPorts($.tempo_metrics_generator_ports) +
Expand Down
6 changes: 5 additions & 1 deletion operations/jsonnet/microservices/ingester.libsonnet
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,9 @@
+ pvc.mixin.metadata.withLabels({ app: target_name })
+ pvc.mixin.metadata.withNamespace($._config.namespace),


tempo_ingester_chown_container:: $.tempo_chown_container(tempo_data_volume, '10001'),

tempo_ingester_container::
container.new(target_name, $._images.tempo) +
container.withPorts($.tempo_ingester_ports) +
Expand Down Expand Up @@ -67,7 +70,8 @@
statefulset.mixin.spec.withPodManagementPolicy('Parallel') +
statefulset.mixin.spec.template.spec.withTerminationGracePeriodSeconds(1200) +
$.util.podPriority('high') +
(if with_anti_affinity then $.util.antiAffinity else {}),
(if with_anti_affinity then $.util.antiAffinity else {})
,

tempo_ingester_statefulset: $.newIngesterStatefulSet(target_name, self.tempo_ingester_container) + statefulset.mixin.spec.withReplicas($._config.ingester.replicas),

Expand Down