@VaibhavOza1997
Contributor

This change makes the /alertmanager directory group-writable in the Dockerfile.

It follows the precedent set in prometheus/prometheus#16073 to support running the Alertmanager container as an arbitrary user. This aligns with best practices for container security and facilitates use cases where the container is run without root privileges.

Fixes: #4436

… arbitrary user

Signed-off-by: Vaibhav Oza <vboz1311@gmail.com>

@VaibhavOza1997 force-pushed the fix/group-writable-alertmanager branch from b50ba22 to 1a6bc57 on July 10, 2025 01:17

@VaibhavOza1997
Contributor Author

Hi maintainers 👋,

This is my first contribution to the project. This PR makes the /alertmanager directory group-writable in the Dockerfile, following the precedent from prometheus/prometheus#16073. This change allows running Alertmanager containers as arbitrary non-root users.

All feedback is very welcome. Thank you for your time and for maintaining this awesome project!

Best regards,
Vaibhav Oza

@TheMeier
Contributor

Hmm, usually you use mounted volumes for that. Also, best practice is to run production workload with read-only for the container fs. So it doesn't seem to make much sense to me.

@VaibhavOza1997
Contributor Author

Thank you for the quick feedback!

That makes sense. I see your point about using mounted volumes and keeping the container filesystem read-only in production. The motivation for this change came from issue #4436, where making /alertmanager group-writable was suggested to support running the container as an arbitrary user without needing to adjust volume permissions externally. I’m happy to close this PR if you think this approach doesn’t align with the project’s best practices. Just wanted to try to help based on the open issue. 😊
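
As an added illustration of the permission question discussed in this thread (not part of the PR or the Alertmanager repository), the shell function below reads a directory's owner, group and mode bits and reports whether a process running as a given UID and GID could create files in it. The sample UID, the temporary directory, and the assumption that the arbitrary user shares the directory's owning group are constructed for the example; it requires GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the PR). Needs GNU stat for -c.
# Decides from owner, group and mode bits whether a process running as
# UID:GID could create files in DIR. Supplementary groups, ACLs and a
# read-only root filesystem are not modelled.
can_write_dir() {
    dir=$1 uid=$2 gid=$3
    [ -d "$dir" ] || return 2
    # root bypasses the mode bits entirely
    if [ "$uid" -eq 0 ]; then return 0; fi
    set -- $(stat -c '%u %g %a' "$dir")
    owner=$1 group=$2 mode="000$3"
    perms=${mode#"${mode%???}"}        # last three octal digits, e.g. 775
    # The kernel checks exactly one class: owner, else group, else other.
    if [ "$uid" -eq "$owner" ]; then
        bits=${perms%??}
    elif [ "$gid" -eq "$group" ]; then
        bits=${perms#?}; bits=${bits%?}
    else
        bits=${perms#??}
    fi
    # Creating a file needs write (2) and search (1) on the directory.
    [ $(( bits & 3 )) -eq 3 ]
}

demo() {
    d=$(mktemp -d)
    g=$(stat -c '%g' "$d")             # group that owns the sample directory
    arbitrary_uid=1000650000           # constructed sample UID, not the owner
    for m in 755 775; do
        chmod "$m" "$d"
        if can_write_dir "$d" "$arbitrary_uid" "$g"; then
            r="writable"
        else
            r="not writable"
        fi
        echo "mode $m, uid $arbitrary_uid, gid $g: $r"
    done
    rmdir "$d"
}
demo
```

With a read-only container filesystem, as raised in the review comment, the mode bits alone do not decide the outcome, so the same check would be applied to the mounted volume instead.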

@sysadmind sysadmind merged commit 3e5da42 into prometheus:main Aug 13, 2025
11 checks passed
Successfully merging this pull request may close these issues.

Make /alertmanager group-writable in dockerfile
