Copy SSL certificate files when run as root (while they're most likely to be readable by our user) #285

Merged 1 commit on Oct 26, 2018

@tianon (Member) commented Oct 25, 2018

Closes #283

This adjusts our step-down-from-root code to also copy any relevant SSL certificate files and chown/chmod them appropriately so that our new user can read them (since the ones provided by the container user likely are difficult to provide with appropriate permissions for the rabbitmq user).

[ -n "$val" ] || continue
case "$conf" in
*_ssl_*file | ssl_*file )
if [ -f "$val" ]; then
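
Review bot: the `*_ssl_*file | ssl_*file )` pattern also matches private-key settings such as `ssl_keyfile`, not only certificates, so whatever copy follows `if [ -f "$val" ]; then` should create the file readable by its owner only from the start (for example under a restrictive umask) rather than tightening the mode after the copy. In the lines shown, a value that is set but does not name a regular file skips the branch silently; a warning on that path would surface a mistyped certificate path before TLS setup fails.
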
@yosifkit (Member), Oct 25, 2018

Would it make sense to only move it if the rabbitmq user does not have access?

Member

i.e., it could already be owned by user 999 or be accessible by a group that we are in (--group-add) or even world readable. 😲 As far as I can tell from the documentation, it shouldn't care how it can read it as long as it can (and access the directory): "have the appropriate permissions".

  1. https://www.rabbitmq.com/ssl.html#enabling-tls-paths
  2. https://www.rabbitmq.com/troubleshooting-ssl.html#verify-file-permissions

Member Author

Really good point -- we should verify access and throw a warning too.

Member Author

Updated!
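
The check discussed in this review thread (copy a certificate file only when the target user cannot already read it), written as an added example that is not the code merged in this PR. The function names, the uid/gid arguments and the `use`/`copy`/`missing` labels are assumptions for illustration; it assumes GNU `stat` and looks only at owner, group and mode bits.

```shell
#!/bin/sh
# Added example, not the image's entrypoint code.
# Assumes GNU stat; ignores ACLs and the search (x) bit on parent directories.

# can_read FILE UID [GID...]
# Returns 0 if the mode bits grant read access, 1 if they do not, 2 if FILE is
# not a regular file. Exactly one class applies: owner, else group, else other.
can_read() {
	cr_file=$1 cr_uid=$2
	shift 2
	[ -f "$cr_file" ] || return 2
	[ "$cr_uid" != 0 ] || return 0          # root bypasses mode bits
	cr_owner=$(stat -L -c '%u' "$cr_file")
	cr_group=$(stat -L -c '%g' "$cr_file")
	cr_mode=$(stat -L -c '%a' "$cr_file")   # octal digits, e.g. 640
	if [ "$cr_uid" = "$cr_owner" ]; then
		cr_bits=$(( (cr_mode / 100) % 10 ))
	else
		cr_bits=$(( cr_mode % 10 ))         # "other" unless a group matches
		for cr_g in "$@"; do
			if [ "$cr_g" = "$cr_group" ]; then
				cr_bits=$(( (cr_mode / 10) % 10 ))
				break
			fi
		done
	fi
	[ $(( cr_bits & 4 )) -ne 0 ]
}

# cert_action FILE UID [GID...]
# Prints what a step-down-from-root script would do with a configured path.
cert_action() {
	ca_rc=0
	can_read "$@" || ca_rc=$?
	case $ca_rc in
		0) echo use ;;      # already readable: leave the file where it is
		1) echo copy ;;     # not readable: copy, chown/chmod, and warn
		*) echo missing ;;  # set but not a regular file: warn
	esac
}

# Constructed sample: a key file readable only by its owner, checked for a
# hypothetical service account with uid 999 and gid 999.
demo_file=$(mktemp)
chmod 600 "$demo_file"
echo "uid 999 -> $(cert_action "$demo_file" 999 999)"
rm -f "$demo_file"
```

Pass every supplementary gid of the target user (including any given with `--group-add`) after the uid, since group membership alone can make the copy unnecessary.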

@yosifkit merged commit 5223e50 into docker-library:master Oct 26, 2018
@yosifkit deleted the copy-ssl branch October 26, 2018 20:17
tianon added a commit to infosiftr/stackbrew that referenced this pull request Oct 26, 2018
- `gcc`: 6.5.0
- `mariadb`: 5.5.62
- `openjdk`: debian `8u181-b13-2~deb9u1`
- `rabbitmq`: copy SSL certificates with a warning if necessary (docker-library/rabbitmq#285)
- `ruby`: bundler 1.17.1
autophagy pushed a commit to crate/official-images that referenced this pull request Dec 12, 2018
- `gcc`: 6.5.0
- `mariadb`: 5.5.62
- `openjdk`: debian `8u181-b13-2~deb9u1`
- `rabbitmq`: copy SSL certificates with a warning if necessary (docker-library/rabbitmq#285)
- `ruby`: bundler 1.17.1