fix: Container workflow creates files as root even when the commands …

…are executed by a non-root user
NetApp · Jan 9, 2024 · 406a4e3 · 406a4e3
1 parent 8b892ca
commit 406a4e3
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 10 deletions.
diff --git a/cmd/tools/generate/generate.go b/cmd/tools/generate/generate.go
@@ -212,6 +212,7 @@ func generateDocker(kind int) {
 	}
 
 	color.DetectConsole("")
+
 	out, err = os.Create(opts.outputPath)
 	if err != nil {
 		logErrAndExit(err)
@@ -342,14 +343,14 @@ func copyFiles(srcPath, destPath string) error {
 	}
 	// requires specific permissions
 	dirsPermissions := map[string]os.FileMode{
-		"container":  0755,
-		"prometheus": 0755,
+		"container": 0755,
+		"grafana":   0755,
 	}
 	// requires specific permissions
-	filePermissions := map[string]os.FileMode{
+	filePermissionsInDir := map[string]os.FileMode{
 		"container":  0644,
 		"prometheus": 0644,
-		"grafana":    0640,
+		"grafana":    0644,
 	}
 
 	return filepath.Walk(srcPath, func(path string, info os.FileInfo, err error) error {
@@ -369,11 +370,30 @@ func copyFiles(srcPath, destPath string) error {
 			if dirsToExclude[info.Name()] {
 				return filepath.SkipDir
 			}
-			// Check if the directory is in the dirsPermissions map
-			if perm, ok := dirsPermissions[info.Name()]; ok {
-				return os.MkdirAll(dest, perm)
+			// Check if the current directory or any of its parent directories are in dirsPermissions
+			dirCreated := false
+			for dir, perm := range dirsPermissions {
+				if strings.HasPrefix(relPath, dir) {
+					err = os.MkdirAll(dest, perm)
+					if err != nil {
+						return err
+					}
+					dirCreated = true
+					break
+				}
+			}
+			if !dirCreated {
+				err = os.MkdirAll(dest, 0750)
+				if err != nil {
+					return err
+				}
 			}
-			return os.MkdirAll(dest, 0750)
+			err = changeOwner(dest)
+			if err != nil {
+				return err
+			}
+
+			return nil
 		}
 
 		// Skip excluded files
@@ -382,7 +402,7 @@ func copyFiles(srcPath, destPath string) error {
 		}
 
 		// Check if the file is under a directory in the filePermissions map
-		for dir, perm := range filePermissions {
+		for dir, perm := range filePermissionsInDir {
 			if strings.HasPrefix(relPath, dir) {
 				return copyFile(path, dest, perm)
 			}
@@ -405,7 +425,40 @@ func copyFile(srcPath, destPath string, perm os.FileMode) error {
 	defer silentClose(destFile)
 
 	_, err = io.Copy(destFile, srcFile)
-	return err
+	if err != nil {
+		return err
+	}
+
+	err = changeOwner(destPath)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func changeOwner(path string) error {
+	// Get the UID and GID from the environment variables
+	uidStr := os.Getenv("UID")
+	gidStr := os.Getenv("GID")
+
+	// If the UID and GID are set, change the owner and group of the file
+	if uidStr != "" && gidStr != "" {
+		uid, err := strconv.Atoi(uidStr)
+		if err != nil {
+			return err
+		}
+		gid, err := strconv.Atoi(gidStr)
+		if err != nil {
+			return err
+		}
+		err = os.Chown(path, uid, gid)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
 }
 
 func asComposePath(path string) string {

diff --git a/docs/install/containerd.md b/docs/install/containerd.md
@@ -46,6 +46,7 @@ Create your `harvest-compose.yml` file like this:
 
 ```sh
 docker run --rm \
+  --env UID=$(id -u) --env GID=$(id -g) \
   --entrypoint "bin/harvest" \
   --volume "$(pwd):/opt/temp" \
   --volume "$(pwd)/harvest.yml:/opt/harvest/harvest.yml" \

diff --git a/docs/install/containers.md b/docs/install/containers.md
@@ -69,6 +69,7 @@ Pollers:
 
 ```sh
 docker run --rm \
+  --env UID=$(id -u) --env GID=$(id -g) \
   --entrypoint "bin/harvest" \
   --volume "$(pwd):/opt/temp" \
   --volume "$(pwd)/harvest.yml:/opt/harvest/harvest.yml" \
@@ -84,6 +85,7 @@ By default, the above command uses the harvest configuration file(`harvest.yml`)
     ```sh
     HYML="/opt/custom_harvest.yml"; \
     docker run --rm \
+    --env UID=$(id -u) --env GID=$(id -g) \
     --entrypoint "bin/harvest" \
     --volume "$(pwd):/opt/temp" \
     --volume "${HYML}:${HYML}" \
@@ -198,6 +200,7 @@ To upgrade Harvest:
 
         ```sh
         docker run --rm \
+          --env UID=$(id -u) --env GID=$(id -g) \
           --entrypoint "bin/harvest" \
           --volume "$(pwd):/opt/temp" \
           --volume "$(pwd)/harvest.yml:/opt/harvest/harvest.yml" \

diff --git a/docs/install/harvest-containers.md b/docs/install/harvest-containers.md
@@ -41,6 +41,7 @@ Pollers:
 
 ```sh
 docker run --rm \
+  --env UID=$(id -u) --env GID=$(id -g) \
   --entrypoint "bin/harvest" \
   --volume "$(pwd):/opt/temp" \
   --volume "$(pwd)/harvest.yml:/opt/harvest/harvest.yml" \
@@ -98,6 +99,7 @@ To upgrade Harvest:
 
         ```sh
         docker run --rm \
+          --env UID=$(id -u) --env GID=$(id -g) \
           --entrypoint "bin/harvest" \
           --volume "$(pwd):/opt/temp" \
           --volume "$(pwd)/harvest.yml:/opt/harvest/harvest.yml" \

diff --git a/docs/install/k8.md b/docs/install/k8.md
@@ -18,6 +18,7 @@ To run Harvest resources in Kubernetes, please execute the following commands:
 
 ```
 docker run --rm \
+  --env UID=$(id -u) --env GID=$(id -g) \
   --entrypoint "bin/harvest" \
   --volume "$(pwd):/opt/temp" \
   --volume "$(pwd)/harvest.yml:/opt/harvest/harvest.yml" \
@@ -407,6 +408,7 @@ Please note the following assumptions for the steps below:
 
 ```
 docker run --rm \
+  --env UID=$(id -u) --env GID=$(id -g) \
   --entrypoint "bin/harvest" \
   --volume "$(pwd):/opt/temp" \
   --volume "$(pwd)/harvest.yml:/opt/harvest/harvest.yml" \

diff --git a/docs/install/podman.md b/docs/install/podman.md
@@ -83,6 +83,7 @@ With these changes, the [standard Harvest compose instructions](containers.md#do
 
     ```sh
     docker run --rm \
+      --env UID=$(id -u) --env GID=$(id -g) \
       --entrypoint "bin/harvest" \
       --volume "$(pwd):/opt/temp" \
       --volume "$(pwd)/harvest.yml:/opt/harvest/harvest.yml" \