Add support for runtime configuration of UID/GID for Netdata user. (#10683)

* Add support for runtime configuration of UID/GID for Netdata user.

* Consolidate layers in Docker image.

* Re-add proper username selection handling.

* Unconditionally handle the netdata group.

Instead of having it be dependent on the name of the user.

* Docs cleanup

* Only try to change accounts if daabases are writable.

packaging/docker/Dockerfile

@@ -60,24 +60,14 @@ FROM netdata/base:latest as base
 # Configure system
 ARG NETDATA_UID=201
 ARG NETDATA_GID=201
-ENV DOCKER_GRP netdata
-ENV DOCKER_USR netdata
+ARG NETDATA_USER=netdata
+
+ENV NETDATA_UID=$NETDATA_UID
+ENV NETDATA_GID=$NETDATA_GID
+ENV NETDATA_USER=$NETDATA_USER
 # If DO_NOT_TRACK is set, it will disable anonymous stats collection and reporting
 #ENV DO_NOT_TRACK=1
 
-# Copy files over
-RUN mkdir -p /opt/src /var/log/netdata && \
-    # Link log files to stdout
-    ln -sf /dev/stdout /var/log/netdata/access.log && \
-    ln -sf /dev/stdout /var/log/netdata/debug.log && \
-    ln -sf /dev/stderr /var/log/netdata/error.log && \
-    # fping from alpine apk is on a different location. Moving it.
-    ln -snf /usr/sbin/fping /usr/local/bin/fping && \
-    chmod 4755 /usr/local/bin/fping && \
-    # Add netdata user
-    addgroup -g ${NETDATA_GID} -S "${DOCKER_GRP}" && \
-    adduser -S -H -s /usr/sbin/nologin -u ${NETDATA_GID} -h /etc/netdata -G "${DOCKER_GRP}" "${DOCKER_USR}"
-
 # Long-term this should leverage BuildKit’s mount option.
 COPY --from=builder /wheels /wheels
 COPY --from=builder /app /
@@ -89,23 +79,22 @@ RUN chown -R root:root \
         /etc/netdata \
         /usr/share/netdata \
         /usr/libexec/netdata && \
-    chown -R netdata:root \
-        /usr/lib/netdata \
-        /var/cache/netdata \
-        /var/lib/netdata \
-        /var/log/netdata && \
-    chown -R netdata:netdata /var/lib/netdata/cloud.d && \
+    mkdir -p /opt/src /var/log/netdata && \
+    ln -sf /dev/stdout /var/log/netdata/access.log && \
+    ln -sf /dev/stdout /var/log/netdata/debug.log && \
+    ln -sf /dev/stderr /var/log/netdata/error.log && \
     chmod 0700 /var/lib/netdata/cloud.d && \
     chmod 0755 /usr/libexec/netdata/plugins.d/*.plugin && \
     chmod 4755 \
         /usr/libexec/netdata/plugins.d/cgroup-network \
         /usr/libexec/netdata/plugins.d/apps.plugin \
         /usr/libexec/netdata/plugins.d/freeipmi.plugin && \
-    # Group write permissions due to: https://github.com/netdata/netdata/pull/6543
     find /var/lib/netdata /var/cache/netdata -type d -exec chmod 0770 {} \; && \
     find /var/lib/netdata /var/cache/netdata -type f -exec chmod 0660 {} \; && \
     pip --no-cache-dir install /wheels/* && \
-    rm -rf /wheels
+    rm -rf /wheels && \
+    ln -snf /usr/sbin/fping /usr/local/bin/fping && \
+    chmod 4755 /usr/local/bin/fping
 
 ENV NETDATA_LISTENER_PORT 19999
 EXPOSE $NETDATA_LISTENER_PORT

packaging/docker/README.md

@@ -246,6 +246,12 @@ If you don't want to destroy and recreate your container, you can edit the Agent
 above section on [configuring Agent containers](#configure-agent-containers) to find the appropriate method based on
 how you created the container.
 
+### Custom agent UID/GID
+
+By default, Netdata in the container will run with a user ID and group ID of `201`, matching the default IDs used
+on normal installations of Netdata. In the unlikely event that you need to use a different UID or GID for netdata,
+set the `NETDATA_UID` and/or `NETDATA_GID` environment variables for the container to the desired UID/GID.
+
 ### Add or remove other volumes
 
 Some of the volumes are optional depending on how you use Netdata:

packaging/docker/run.sh

@@ -13,7 +13,6 @@ if [ ! "${DO_NOT_TRACK:-0}" -eq 0 ] || [ -n "$DO_NOT_TRACK" ]; then
   touch /etc/netdata/.opt-out-from-anonymous-statistics
 fi
 
-
 BALENA_PGID=$(ls -nd /var/run/balena.sock | awk '{print $4}')
 DOCKER_PGID=$(ls -nd /var/run/docker.sock | awk '{print $4}')
 
@@ -27,14 +26,87 @@ elif [[ $DOCKER_PGID =~ $re ]]; then
   DOCKER_HOST="/var/run/docker.sock"
   PGID=$(ls -nd /var/run/docker.sock | awk '{print $4}')
 fi
+
 export PGID
 export DOCKER_HOST
 
+create_group=
+remove_group=
+create_user=
+remove_user=
+user_in_group=
+
+if [ -n "${DOCKER_USR}" ]; then
+  NETDATA_USER="${DOCKER_USR}"
+fi
+
+if [ -w /etc/passwd ] && [ -w /etc/group ] && [ -w /etc/shadow ] && [ -w /etc/gshadow ] ; then
+  if getent group netdata > /dev/null; then
+  existing_gid="$(getent group netdata | cut -d ':' -f 3)"
+
+  if [ "${existing_gid}" != "${NETDATA_GID}" ]; then
+    echo "Netdata group ID mismatch (expected ${NETDATA_GID} but found ${existing_gid}), the existing group will be replaced."
+    remove_group=1
+    create_group=1
+  fi
+  else
+  echo "Netdata group not found, preparing to create one with GID=${NETDATA_GID}."
+  create_group=1
+  fi
+
+  if [ -n "${remove_group}" ]; then
+  delgroup netdata netdata
+  delgroup netdata || exit 1
+  fi
+
+  if [ -n "${create_group}" ]; then
+  addgroup -g "${NETDATA_GID}" -S netdata || exit 1
+  fi
+
+  if [ "${NETDATA_USER}" = "netdata" ]; then
+    if getent passwd netdata > /dev/null; then
+      existing_user="$(getent passwd netdata)"
+      existing_uid="$(echo "${existing_user}" | cut -d ':' -f 3)"
+      existing_primary_gid="$(echo "${existing_user}" | cut -d ':' -f 4)"
+
+      if [ "${existing_gid}" != "${NETDATA_UID}" ]; then
+        echo "Netdata user ID mismatch (expected ${NETDATA_UID} but found ${existing_uid}), the existing user will be replaced."
+        remove_user=1
+        create_user=1
+      fi
+
+      if [ "${existing_primary_gid}" = "${NETDATA_GID}" ]; then
+        user_in_group=1
+      else
+        echo "Netdata user is not in the correct primary group (expected ${NETDATA_GID} but found ${existing_primary_gid}), the user will be updated."
+      fi
+    else
+      echo "Netdata user not found, preparing to create one with UID=${NETDATA_UID}."
+      create_user=1
+    fi
+
+    if [ -n "${remove_user}" ]; then
+      userdel netdata || exit 1
+    fi
+
+    if [ -n "${create_user}" ]; then
+      adduser -S -H -s /usr/sbin/nologin -u "${NETDATA_UID}" -h /etc/netdata -G netdata netdata
+    elif [ -z "${user_in_group}" ]; then
+      usermod -a -G netdata netdata
+    fi
+  fi
+else
+  echo "Account databases are not writable, assuming you know what you’re doing and continuing."
+fi
+
+chown -R "${NETDATA_USER}:root" /usr/lib/netdata /var/cache/netdata /var/lib/netdata /var/log/netdata
+chown -R "${NETDATA_USER}:netdata" /var/lib/netdata/cloud.d
+
 if [ -n "${PGID}" ]; then
   echo "Creating docker group ${PGID}"
   addgroup -g "${PGID}" "docker" || echo >&2 "Could not add group docker with ID ${PGID}, its already there probably"
   echo "Assign netdata user to docker group ${PGID}"
-  usermod -a -G "${PGID}" "${DOCKER_USR}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
+  usermod -a -G "${PGID}" "${NETDATA_USER}" || echo >&2 "Could not add netdata user to group docker with ID ${PGID}"
 fi
 
 if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /var/lib/netdata/cloud.d/claimed_id ]; then
@@ -45,4 +117,4 @@ if [ -n "${NETDATA_CLAIM_URL}" ] && [ -n "${NETDATA_CLAIM_TOKEN}" ] && [ ! -f /v
                              -daemon-not-running
 fi
 
-exec /usr/sbin/netdata -u "${DOCKER_USR}" -D -s /host -p "${NETDATA_LISTENER_PORT}" -W set web "web files group" root -W set web "web files owner" root "$@"
+exec /usr/sbin/netdata -u "${NETDATA_USER}" -D -s /host -p "${NETDATA_LISTENER_PORT}" -W set web "web files group" root -W set web "web files owner" root "$@"