From 455f234fbe65c6ddad23e0f3599eac0ed1e528d4 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Tue, 19 May 2020 19:03:14 +0200
Subject: [PATCH] Allow the Docker image to be run with a random user id (#12905) (#18634)
Modify docker images so files required by beats are owned by group root, this follows Openshifts recommendations to run containerized applications with custom user ids.
(cherry picked from commit 9dbdc1579f350d3beaff156b78a365e3a200e2cd)
Co-authored-by: Michael Morello
---
 CHANGELOG.next.asciidoc | 1 +
 dev-tools/packaging/package_test.go | 9 +++++++--
 dev-tools/packaging/templates/docker/Dockerfile.tmpl | 10 +++++-----
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 07541710ed7..f35b9328249 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -303,6 +303,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add Kerberos support to Elasticsearch output. {pull}17927[17927]
 - Add support for fixed length extraction in `dissect` processor. {pull}17191[17191]
 - Update RPM packages contained in Beat Docker images. {issue}17035[17035]
+- Change ownership of files in docker images so they can be used in secured environments. {pull}12905[12905]
 *Auditbeat*
diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go
index 96173cde880..9e5c8f4e597 100644
--- a/dev-tools/packaging/package_test.go
+++ b/dev-tools/packaging/package_test.go
@@ -186,8 +186,13 @@ func checkDocker(t *testing.T, file string) {
 checkDockerEntryPoint(t, p, info)
 checkDockerLabels(t, p, info, file)
 checkDockerUser(t, p, info, *rootUserContainer)
- checkConfigPermissionsWithMode(t, p, os.FileMode(0640))
- checkManifestPermissionsWithMode(t, p, os.FileMode(0640))
+
+ // The configuration file in the Docker image is expected to be readable and writable by any user who belongs to
+ // the root group. This is done in order to allow the docker image to run on secured Kubernetes environment where
+ // the user ID used to run a container can't be known in advance.
+ checkConfigPermissionsWithMode(t, p, os.FileMode(0660))
+ checkManifestPermissionsWithMode(t, p, os.FileMode(0660))
+
 checkModulesPresent(t, "", p)
 checkModulesDPresent(t, "", p)
 }
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
index 1123bb14f7b..0d6cfa90b4c 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
@@ -30,10 +30,10 @@ RUN chmod 755 /usr/local/bin/docker-entrypoint
 RUN groupadd --gid 1000 {{ .BeatName }}
 RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \
- chown -R root:{{ .BeatName }} {{ $beatHome }} && \
- find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \
- find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \
- chmod 0750 {{ $beatBinary }} && \
+ chown -R root:root {{ $beatHome }} && \
+ find {{ $beatHome }} -type d -exec chmod 0770 {} \; && \
+ find {{ $beatHome }} -type f -exec chmod 0660 {} \; && \
+ chmod 0770 {{ $beatBinary }} && \
 {{- if .linux_capabilities }}
 setcap {{ .linux_capabilities }} {{ $beatBinary }} && \
 {{- end }}
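Review bot: The new 0660 expectations pin only the file mode, so the property the added comment promises — writable by members of the root group — is not actually verified: nothing in this hunk asserts that the config and manifest inside the image are group-owned by gid 0, which is what the companion Dockerfile change (`chown -R root:root`) relies on. If checkConfigPermissionsWithMode and checkManifestPermissionsWithMode compare only the mode, as their names suggest, a later regression back to a `root:{{ .BeatName }}` group would still pass while silently changing who can write beat.yml. Consider adding a group-ownership assertion beside the mode checks, e.g. a `checkConfigGroupOwner(t, p, 0)` helper that fails unless the tar entry's Gid is 0 for the config path, so the test pins the ownership half of the contract too. checkDocker begins before this hunk and the helpers it calls are defined elsewhere in the file.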
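Review bot: `chmod 0770 {{ $beatBinary }}` makes the beat executable writable by every member of gid 0, which after the `--groups 0` change in the next hunk includes the unprivileged user the container runs as; the random-UID use case only needs group execute, so a group-writable binary gives a compromised beat process the ability to overwrite its own executable for no functional gain. Suggest `chmod 0750 {{ $beatBinary }} && \` here, and reserving the blanket 0770/0660 for data, logs and whatever config really must be written at runtime. Separately, the config file now ends up 0660 through the `find -type f` line; Beats' strict permission check rejects group-writable config files unless that check is disabled, and this hunk does not show whether the entrypoint or an environment variable does so — worth confirming. The RUN instruction continues past `{{- end }}`, outside this hunk.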
@@ -43,7 +43,7 @@ RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \
 chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/logs
 {{- if ne .user "root" }}
-RUN useradd -M --uid 1000 --gid 1000 --home {{ $beatHome }} {{ .user }}
+RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
 {{- end }}
 USER {{ .user }}