Better support running the Docker entrypoint code as a non-root user. (#15118)

* Better support running our Docker images without root in the container. Users can override what user ID is used inside of a container when creating the container. We don’t technically properly support this, but we should also ideally not _break_ such usage either as there are legitimate use-cases for it. This moves code that will only work when run as root inside the container inside a conditional in our entrypoint script so that it doesn’t break things otherwise. * Update Docker documentation. * Include all group manipulations in the EUID == 0 case.
2025-04-07 14:55:41 +00:00 · 2024-01-19 07:00:02 -05:00 · 2024-01-19 07:00:02 -05:00 · 12c986d745
commit 12c986d745
parent e5de17af61
2 changed files with 67 additions and 54 deletions
--- a/packaging/docker/README.md
+++ b/packaging/docker/README.md
@ -12,6 +12,16 @@ import TabItem from '@theme/TabItem';

 # Install Netdata with Docker

+## Limitations running the Agent in Docker
+
+We do not officially support running our Docker images with the Docker CLI `--user` option or the Docker Compose
+`user:` parameter. Such usage will usually still work, but some features will not be available when run this
+way. Note that the agent will drop privileges appropriately inside the container during startup, meaning that even
+when run without these options almost nothing in the container will actually run with an effective UID of 0.
+
+Our POWER8+ Docker images do not support our FreeIPMI collector. This is a technical limitation in FreeIPMI itself,
+and unfortunately not something we can realistically work around.
+
 ## Create a new Netdata Agent container

 You can create a new Agent container using either `docker run` or `docker-compose`. After using any method, you can
--- a/packaging/docker/run.sh
+++ b/packaging/docker/run.sh
@ -14,38 +14,6 @@ if [ ! -w / ] && [ "${EUID}" -eq 0 ]; then
  echo >&2 "WARNING: For more information, see https://learn.netdata.cloud/docs/agent/claim#known-issues-on-older-hosts-with-seccomp-enabled"
 fi

-if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
-  [ -n "$DISABLE_TELEMETRY" ] ||
-  [ ! "${DO_NOT_TRACK:-0}" -eq 0 ] ||
-  [ -n "$DO_NOT_TRACK" ]; then
-  touch /etc/netdata/.opt-out-from-anonymous-statistics
-fi
-
-chmod o+rX / 2>/dev/null || echo "Unable to change permissions without errors."
-
-BALENA_PGID=$(stat -c %g /var/run/balena.sock 2>/dev/null || true)
-DOCKER_PGID=$(stat -c %g /var/run/docker.sock 2>/dev/null || true)
-
-re='^[0-9]+$'
-if [[ $BALENA_PGID =~ $re ]]; then
-  echo "Netdata detected balena-engine.sock"
-  DOCKER_HOST='/var/run/balena-engine.sock'
-  PGID="$BALENA_PGID"
-elif [[ $DOCKER_PGID =~ $re ]]; then
-  echo "Netdata detected docker.sock"
-  DOCKER_HOST="/var/run/docker.sock"
-  PGID="$DOCKER_PGID"
-fi
-export PGID
-export DOCKER_HOST
-
-if [ -n "${PGID}" ]; then
-  echo "Creating docker group ${PGID}"
-  addgroup --gid "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
-  echo "Assign netdata user to docker group ${PGID}"
-  usermod --append --groups "docker" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
-fi
-
 # Needed to read Proxmox VMs and (LXC) containers configuration files (name resolution + CPU and memory limits)
 function add_netdata_to_proxmox_conf_files_group() {
  group_guid="$(stat -c %g /host/etc/pve 2>/dev/null || true)"
@ -68,10 +36,65 @@ function add_netdata_to_proxmox_conf_files_group() {
  fi
 }

-if [ -d "/host/etc/pve" ]; then
-  add_netdata_to_proxmox_conf_files_group || true
+if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
+  [ -n "$DISABLE_TELEMETRY" ] ||
+  [ ! "${DO_NOT_TRACK:-0}" -eq 0 ] ||
+  [ -n "$DO_NOT_TRACK" ]; then
+  touch /etc/netdata/.opt-out-from-anonymous-statistics
 fi

+chmod o+rX / 2>/dev/null || echo "Unable to change permissions without errors."
+
+if [ "${EUID}" -eq 0 ]; then
+  if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then
+    echo >&2 "WARNING: Netdata’s Docker images have switched from Alpine to Debian as a base platform. Supplementary package support is now handled through the NETDATA_EXTRA_DEB_PACKAGES variable instead of NETDATA_EXTRA_APK_PACKAGES."
+    echo >&2 "WARNING: The container will still run, but supplementary packages listed in NETDATA_EXTRA_APK_PACKAGES will not be installed."
+    echo >&2 "WARNING: To remove these messages, either undefine NETDATA_EXTRA_APK_PACKAGES, or define it to an empty string."
+  fi
+
+  if [ -n "${NETDATA_EXTRA_DEB_PACKAGES}" ]; then
+    echo "Fetching APT repository metadata."
+    if ! apt-get update; then
+      echo "Failed to fetch APT repository metadata."
+    else
+      echo "Installing supplementary packages."
+      export DEBIAN_FRONTEND="noninteractive"
+      # shellcheck disable=SC2086
+      if ! apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then
+        echo "Failed to install supplementary packages."
+      fi
+    fi
+  fi
+
+  BALENA_PGID=$(stat -c %g /var/run/balena.sock 2>/dev/null || true)
+  DOCKER_PGID=$(stat -c %g /var/run/docker.sock 2>/dev/null || true)
+
+  re='^[0-9]+$'
+  if [[ $BALENA_PGID =~ $re ]]; then
+    echo "Netdata detected balena-engine.sock"
+    DOCKER_HOST='/var/run/balena-engine.sock'
+    PGID="$BALENA_PGID"
+  elif [[ $DOCKER_PGID =~ $re ]]; then
+    echo "Netdata detected docker.sock"
+    DOCKER_HOST="/var/run/docker.sock"
+    PGID="$DOCKER_PGID"
+  fi
+  export PGID
+  export DOCKER_HOST
+
+  if [ -n "${PGID}" ]; then
+    echo "Creating docker group ${PGID}"
+    addgroup --gid "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
+    echo "Assign netdata user to docker group ${PGID}"
+    usermod --append --groups "docker" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
+  fi
+
+  if [ -d "/host/etc/pve" ]; then
+    add_netdata_to_proxmox_conf_files_group || true
+  fi
+else
+  echo >&2 "WARNING: Entrypoint started as non-root user. This is not officially supported and some features may not be available."
+fi

 if mountpoint -q /etc/netdata; then
  echo "Copying stock configuration to /etc/netdata"
@ -97,24 +120,4 @@ if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /v
                             -daemon-not-running
 fi

-if [ -n "${NETDATA_EXTRA_APK_PACKAGES}" ]; then
-  echo >&2 "WARNING: Netdata’s Docker images have switched from Alpine to Debian as a base platform. Supplementary package support is now handled through the NETDATA_EXTRA_DEB_PACKAGES variable instead of NETDATA_EXTRA_APK_PACKAGES."
-  echo >&2 "WARNING: The container will still run, but supplementary packages listed in NETDATA_EXTRA_APK_PACKAGES will not be installed."
-  echo >&2 "WARNING: To remove these messages, either undefine NETDATA_EXTRA_APK_PACKAGES, or define it to an empty string."
-fi
-
-if [ -n "${NETDATA_EXTRA_DEB_PACKAGES}" ]; then
-  echo "Fetching APT repository metadata."
-  if ! apt-get update; then
-    echo "Failed to fetch APT repository metadata."
-  else
-    echo "Installing supplementary packages."
-    export DEBIAN_FRONTEND="noninteractive"
-    # shellcheck disable=SC2086
-    if ! apt-get install -y --no-install-recommends ${NETDATA_EXTRA_DEB_PACKAGES}; then
-      echo "Failed to install supplementary packages."
-    fi
-  fi
-fi
-
 exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_LISTENER_PORT}" "$@"