Allow running as arbitrary UID for unprivileged Container Environments (OpenShift)

[rezemble]

Per default, this image cannot run with arbitrary UIDs, since permissions to /etc/icingadb are granted only to the user and not the group (see OpenShift Container Platform-specific guidelines - containers run with an arbitrary UID and GID=0)

This can be mitigated by chowning /etc/icingadb to root and granting group the same permissions as user.

for example by modifying

COPY --from=base --chown=icingadb:icingadb /empty /etc/icingadb

to instead read:

COPY --from=base --chown=icingadb:root /empty /etc/icingadb
RUN --mount=from=busybox:uclibc,dst=/usr ["/usr/bin/chmod", "-R", "g=u", "/etc/icingadb"]

(See this gist regarding busybox mount in scratch)

[oxzi]

Thanks for creating this issue and please excuse the delay. In the meantime, the Dockerfile was moved to the Icinga DB repository (this one) named Containerfile. With the last release 1.3.0, Icinga DB can be completely configured with environment variables and the YAML configuration is no longer required for container uses. Thus, your COPY instruction does no longer exist.

However, there is still a USER instruction to run the process as an icingadb user. Does this still conflict for you? I skimmed the linked OpenShift docs, but I am not quire certain.