simono41/prometheus_wireguard_exporter
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Docker non root running user using sudoers and sudo (#49)

Browse source 
Docker container runs with a non root user which has sudo access to run `wg` only. Fixes #27
This commit is contained in:
Quentin McGaw 2020-10-13 08:07:40 -04:00 committed by GitHub
parent 3c27991831
commit 98d6a4df6d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
Dockerfile
View file

@ -23,6 +23,12 @@ RUN cargo install --target ${ARCH}-unknown-linux-musl --path .
FROM alpine:${ALPINE_VERSION} FROM alpine:${ALPINE_VERSION}
EXPOSE 9586/tcp EXPOSE 9586/tcp
RUN apk add --update -q --no-cache wireguard-tools-wg RUN adduser prometheus-wireguard-exporter -s /bin/sh -D -u 1000 1000 && \
COPY --from=build /usr/local/cargo/bin/prometheus_wireguard_exporter /usr/local/bin/prometheus_wireguard_exporter mkdir -p /etc/sudoers.d && \
echo prometheus-wireguard-exporter ALL=\(root\) NOPASSWD:/usr/bin/wg show * dump > /etc/sudoers.d/prometheus-wireguard-exporter && \
chmod 0440 /etc/sudoers.d/prometheus-wireguard-exporter
RUN apk add --update -q --no-cache wireguard-tools-wg sudo
USER prometheus-wireguard-exporter
ENTRYPOINT [ "prometheus_wireguard_exporter" ] ENTRYPOINT [ "prometheus_wireguard_exporter" ]
CMD [ "-a" ]
COPY --from=build --chown=prometheus-wireguard-exporter /usr/local/cargo/bin/prometheus_wireguard_exporter /usr/local/bin/prometheus_wireguard_exporter