Merge 006b203 into 2a67218

amidaware · Jan 17, 2022 · 7651933 · 7651933
2 parents 2a67218 + 006b203
commit 7651933
Show file tree

Hide file tree

Showing 11 changed files with 77 additions and 34 deletions.
diff --git a/docker/containers/tactical-frontend/dockerfile b/docker/containers/tactical-frontend/dockerfile
@@ -15,16 +15,26 @@ RUN echo "DOCKER_BUILD=1" > .env
 RUN sed -i '/<\/head>/i <script src="\/env-config.js"><\/script>' src/index.template.html
 RUN npm run build
 
-FROM nginx:stable-alpine
+FROM nginxinc/nginx-unprivileged:stable-alpine
 
 ENV PUBLIC_DIR /usr/share/nginx/html
 
+USER root
+
+RUN deluser --remove-home nginx \
+  && addgroup -S nginx -g 1000 \
+  && adduser -S -G nginx -u 1000 nginx
+
 RUN apk add --no-cache bash
+
 SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
 
 COPY --from=builder /home/node/app/dist/ ${PUBLIC_DIR}
+RUN chown -R nginx:nginx /etc/nginx && chown -R nginx:nginx ${PUBLIC_DIR}
 
 COPY docker/containers/tactical-frontend/entrypoint.sh /docker-entrypoint.d/
 RUN chmod +x /docker-entrypoint.d/entrypoint.sh
 
-EXPOSE 80
+USER nginx
+
+EXPOSE 8080
diff --git a/docker/containers/tactical-frontend/entrypoint.sh b/docker/containers/tactical-frontend/entrypoint.sh
@@ -12,7 +12,7 @@ echo "window._env_ = {PROD_URL: \"https://${API_HOST}\"}" >> ${PUBLIC_DIR}/env-c
 
 nginx_config="$(cat << EOF
 server {
-  listen 80;
+  listen 8080;
   charset utf-8;
 
   location / {
@@ -21,9 +21,6 @@ server {
     add_header Cache-Control "no-store, no-cache, must-revalidate";
     add_header Pragma "no-cache";
   }
-
-  error_log /var/log/nginx/app-error.log;
-  access_log /var/log/nginx/app-access.log;
 }
 EOF
 )"

diff --git a/docker/containers/tactical-meshcentral/dockerfile b/docker/containers/tactical-meshcentral/dockerfile
@@ -13,9 +13,13 @@ COPY api/tacticalrmm/tacticalrmm/settings.py /tmp/settings.py
 RUN grep -o 'MESH_VER.*' /tmp/settings.py | cut -d'"' -f 2 > /tmp/MESH_VER && \
     npm install meshcentral@$(cat /tmp/MESH_VER)
 
+RUN chown -R node:node /home/node
+
 COPY docker/containers/tactical-meshcentral/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
-EXPOSE 80 443
+EXPOSE 8080 4443
+
+USER node
 
 ENTRYPOINT [ "/entrypoint.sh" ] 
diff --git a/docker/containers/tactical-meshcentral/entrypoint.sh b/docker/containers/tactical-meshcentral/entrypoint.sh
@@ -18,9 +18,6 @@ set -e
 : "${SMTP_PASS:=mesh-smtp-pass}"
 : "${SMTP_TLS:=false}"
 
-mkdir -p /home/node/app/meshcentral-data
-mkdir -p ${TACTICAL_DIR}/tmp
-
 if [ ! -f "/home/node/app/meshcentral-data/config.json" ] || [[ "${MESH_PERSISTENT_CONFIG}" -eq 0 ]]; then
 
 encoded_uri=$(node -p "encodeURI('mongodb://${MONGODB_USER}:${MONGODB_PASSWORD}@${MONGODB_HOST}:${MONGODB_PORT}')")
@@ -31,10 +28,10 @@ mesh_config="$(cat << EOF
     "mongodb": "${encoded_uri}",
     "Cert": "${MESH_HOST}",
     "TLSOffload": "${NGINX_HOST_IP}",
-    "RedirPort": 80,
+    "RedirPort": 8080,
     "WANonly": true,
     "Minify": 1,
-    "Port": 443,
+    "Port": 4443,
     "AllowLoginToken": true,
     "AllowFraming": true,
     "_AgentPing": 60,
@@ -57,7 +54,7 @@ mesh_config="$(cat << EOF
       "NewAccounts": false,
       "mstsc": true,
       "GeoLocation": true,
-      "CertUrl": "https://${NGINX_HOST_IP}:443",
+      "CertUrl": "https://${NGINX_HOST_IP}:4443",
       "agentConfig": [ "webSocketMaskOverride=${WS_MASK_OVERRIDE}" ]
     }
   },
@@ -91,7 +88,7 @@ if [ ! -f "${TACTICAL_DIR}/tmp/mesh_token" ]; then
 fi
 
 # wait for nginx container
-until (echo > /dev/tcp/"${NGINX_HOST_IP}"/443) &> /dev/null; do
+until (echo > /dev/tcp/"${NGINX_HOST_IP}"/4443) &> /dev/null; do
   echo "waiting for nginx to start..."
   sleep 5
 done

diff --git a/docker/containers/tactical-nats/dockerfile b/docker/containers/tactical-nats/dockerfile
@@ -10,9 +10,20 @@ SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
 COPY natsapi/bin/nats-api /usr/local/bin/
 RUN chmod +x /usr/local/bin/nats-api
 
+RUN touch /usr/local/bin/config_watcher.sh
+RUN chown 1000:1000 /usr/local/bin/config_watcher.sh
+
+
+RUN mkdir -p /var/log/supervisor
+RUN mkdir -p /etc/supervisor/conf.d
+RUN touch /etc/supervisor/conf.d/supervisor.conf
+RUN chown 1000:1000 /etc/supervisor/conf.d/supervisor.conf
+
 COPY docker/containers/tactical-nats/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 
 ENTRYPOINT [ "/entrypoint.sh" ]
 
+USER 1000
+
 EXPOSE 4222
diff --git a/docker/containers/tactical-nats/entrypoint.sh b/docker/containers/tactical-nats/entrypoint.sh
@@ -40,12 +40,11 @@ EOF
 echo "${config_watcher}" > /usr/local/bin/config_watcher.sh
 chmod +x /usr/local/bin/config_watcher.sh
 
-mkdir -p /var/log/supervisor
-mkdir -p /etc/supervisor/conf.d
-
 supervisor_config="$(cat << EOF
 [supervisord]
 nodaemon=true
+logfile=/tmp/supervisord.log
+pidfile=/tmp/supervisord.pid
 [include]
 files = /etc/supervisor/conf.d/*.conf
 

diff --git a/docker/containers/tactical-nginx/dockerfile b/docker/containers/tactical-nginx/dockerfile
@@ -1,12 +1,22 @@
-FROM nginx:stable-alpine
+FROM nginxinc/nginx-unprivileged:stable-alpine
 
 ENV TACTICAL_DIR /opt/tactical
 
+USER root
+
+RUN deluser --remove-home nginx \
+  && addgroup -S nginx -g 1000 \
+  && adduser -S -G nginx -u 1000 nginx
+
 RUN apk add --no-cache openssl bash
 
+RUN chown -R nginx:nginx /etc/nginx
+
 SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
 
 COPY docker/containers/tactical-nginx/entrypoint.sh /docker-entrypoint.d/
 RUN chmod +x /docker-entrypoint.d/entrypoint.sh
 
-EXPOSE 443 80
+USER nginx
+
+EXPOSE 4443 8080
diff --git a/docker/containers/tactical-nginx/entrypoint.sh b/docker/containers/tactical-nginx/entrypoint.sh
@@ -3,8 +3,8 @@
 set -e
 
 : "${WORKER_CONNECTIONS:=2048}"
-: "${APP_PORT:=80}"
-: "${API_PORT:=80}"
+: "${APP_PORT:=8080}"
+: "${API_PORT:=8080}"
 : "${NGINX_RESOLVER:=127.0.0.11}"
 : "${BACKEND_SERVICE:=tactical-backend}"
 : "${FRONTEND_SERVICE:=tactical-frontend}"
@@ -15,8 +15,6 @@ set -e
 : "${CERT_PRIV_PATH:=${TACTICAL_DIR}/certs/privkey.pem}"
 : "${CERT_PUB_PATH:=${TACTICAL_DIR}/certs/fullchain.pem}"
 
-mkdir -p "${TACTICAL_DIR}/certs"
-
 # remove default config
 rm -f /etc/nginx/conf.d/default.conf
 
@@ -101,15 +99,15 @@ server  {
 
     client_max_body_size 300M;
 
-    listen 443 ssl;
+    listen 4443 ssl;
     ssl_certificate ${CERT_PUB_PATH};
     ssl_certificate_key ${CERT_PRIV_PATH};
     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
     
 }
 
 server {
-    listen 80;
+    listen 8080;
     server_name ${API_HOST};
     return 301 https://\$server_name\$request_uri;
 }
@@ -138,7 +136,7 @@ server  {
         proxy_set_header X-Forwarded-Port  \$server_port;
     }
 
-    listen 443 ssl;
+    listen 4443 ssl;
     ssl_certificate ${CERT_PUB_PATH};
     ssl_certificate_key ${CERT_PRIV_PATH};
     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
@@ -147,7 +145,7 @@ server  {
 
 server {
 
-    listen 80;
+    listen 8080;
     server_name ${APP_HOST};
     return 301 https://\$server_name\$request_uri;
 }
@@ -156,7 +154,7 @@ server {
 server {
     resolver ${NGINX_RESOLVER} valid=30s;
 
-    listen 443 ssl;
+    listen 4443 ssl;
     proxy_send_timeout 330s;
     proxy_read_timeout 330s;
     server_name ${MESH_HOST};
@@ -168,7 +166,7 @@ server {
 
     location / {
         #Using variable to disable start checks
-        set \$meshcentral http://${MESH_SERVICE}:443;
+        set \$meshcentral http://${MESH_SERVICE}:4443;
 
         proxy_pass \$meshcentral;
         proxy_http_version 1.1;
@@ -187,7 +185,7 @@ server {
 server {
     resolver ${NGINX_RESOLVER} valid=30s;
 
-    listen 80;
+    listen 8080;
     server_name ${MESH_HOST};
     return 301 https://\$server_name\$request_uri;
 }

diff --git a/docker/containers/tactical/dockerfile b/docker/containers/tactical/dockerfile
@@ -57,4 +57,4 @@ ENTRYPOINT ["/entrypoint.sh"]
 
 WORKDIR ${TACTICAL_DIR}/api
 
-EXPOSE 80 443 8383
+EXPOSE 8080 4443 8383
diff --git a/docker/containers/tactical/entrypoint.sh b/docker/containers/tactical/entrypoint.sh
@@ -10,7 +10,7 @@ set -e
 : "${POSTGRES_PASS:=tactical}"
 : "${POSTGRES_DB:=tacticalrmm}"
 : "${MESH_SERVICE:=tactical-meshcentral}"
-: "${MESH_WS_URL:=ws://${MESH_SERVICE}:443}"
+: "${MESH_WS_URL:=ws://${MESH_SERVICE}:4443}"
 : "${MESH_USER:=meshcentral}"
 : "${MESH_PASS:=meshcentralpass}"
 : "${MESH_HOST:=tactical-meshcentral}"
@@ -37,7 +37,13 @@ if [ "$1" = 'tactical-init' ]; then
   # copy container data to volume
   rsync -a --no-perms --no-owner --delete --exclude "tmp/*" --exclude "certs/*" --exclude="api/tacticalrmm/private/*" "${TACTICAL_TMP_DIR}/" "${TACTICAL_DIR}/"
 
+  mkdir -p /meshcentral-data
   mkdir -p ${TACTICAL_DIR}/tmp
+  touch /meshcentral-data/.initialized && chown -R 1000:1000 /meshcentral-data
+  touch ${TACTICAL_DIR}/tmp/.initialized && chown -R 1000:1000 ${TACTICAL_DIR}
+  mkdir -p ${TACTICAL_DIR}/certs && chown -R 1000:1000 ${TACTICAL_DIR}/certs
+  mkdir -p /mongo/data/db
+  touch /mongo/data/db/.initialized && chown -R 1000:1000 /mongo/data/db
   mkdir -p ${TACTICAL_DIR}/api/tacticalrmm/private/exe
   mkdir -p ${TACTICAL_DIR}/api/tacticalrmm/private/log
   touch ${TACTICAL_DIR}/api/tacticalrmm/private/log/django_debug.log
@@ -47,7 +53,7 @@ if [ "$1" = 'tactical-init' ]; then
     sleep 5
   done
 
-  until (echo > /dev/tcp/"${MESH_SERVICE}"/443) &> /dev/null; do
+  until (echo > /dev/tcp/"${MESH_SERVICE}"/4443) &> /dev/null; do
     echo "waiting for meshcentral container to be ready..."
     sleep 5
   done
@@ -112,7 +118,7 @@ master = true
 processes = 8
 threads = 2
 enable-threads = true
-socket = 0.0.0.0:80
+socket = 0.0.0.0:8080
 chmod-socket = 660
 buffer-size = 65535
 vacuum = true

diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -68,11 +68,14 @@ services:
       - proxy
     volumes:
       - tactical_data:/opt/tactical
+      - mesh_data:/meshcentral-data
+      - mongo_data:/mongo/data/db
 
   # nats
   tactical-nats:
     container_name: trmm-nats
     image: ${IMAGE_REPO}tactical-nats:${VERSION}
+    user: 1000:1000
     restart: always
     environment:
       API_HOST: ${API_HOST}
@@ -90,6 +93,7 @@ services:
   tactical-meshcentral:
     container_name: trmm-meshcentral
     image: ${IMAGE_REPO}tactical-meshcentral:${VERSION}
+    user: 1000:1000
     restart: always
     environment:
       MESH_HOST: ${MESH_HOST}
@@ -113,6 +117,7 @@ services:
   tactical-mongodb:
     container_name: trmm-mongodb
     image: mongo:4.4
+    user: 1000:1000
     restart: always
     environment:
       MONGO_INITDB_ROOT_USERNAME: ${MONGODB_USER}
@@ -127,6 +132,7 @@ services:
   tactical-frontend:
     container_name: trmm-frontend
     image: ${IMAGE_REPO}tactical-frontend:${VERSION}
+    user: 1000:1000
     restart: always
     networks:
       - proxy
@@ -137,6 +143,7 @@ services:
   tactical-backend:
     container_name: trmm-backend
     image: ${IMAGE_REPO}tactical:${VERSION}
+    user: 1000:1000
     command: [ "tactical-backend" ]
     restart: always
     networks:
@@ -152,6 +159,7 @@ services:
   tactical-websockets:
     container_name: trmm-websockets
     image: ${IMAGE_REPO}tactical:${VERSION}
+    user: 1000:1000
     command: [ "tactical-websockets" ]
     restart: always
     networks:
@@ -168,6 +176,7 @@ services:
   tactical-nginx:
     container_name: trmm-nginx
     image: ${IMAGE_REPO}tactical-nginx:${VERSION}
+    user: 1000:1000
     restart: always
     environment:
       APP_HOST: ${APP_HOST}
@@ -188,6 +197,7 @@ services:
   tactical-celery:
     container_name: trmm-celery
     image: ${IMAGE_REPO}tactical:${VERSION}
+    user: 1000:1000
     command: [ "tactical-celery" ]
     restart: always
     networks:
@@ -204,6 +214,7 @@ services:
   tactical-celerybeat:
     container_name: trmm-celerybeat
     image: ${IMAGE_REPO}tactical:${VERSION}
+    user: 1000:1000
     command: [ "tactical-celerybeat" ]
     restart: always
     networks: