Because of opendistro-for-elasticsearch/opendistro-build#703, elastic…

…search container can now be run as non-root. This commit uses Malcolm's normal "drop privileges" pattern so that by the time the docker entrypoint for the ODFE container is called we are already a non-root user.
mmguero-dev · Apr 8, 2021 · f0a4aa8 · f0a4aa8
1 parent e2ca5e4
commit f0a4aa8
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/Dockerfiles/elasticsearch.Dockerfile b/Dockerfiles/elasticsearch.Dockerfile
@@ -33,13 +33,18 @@ RUN yum install -y openssl && \
   /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro_security && \
   echo -e 'cluster.name: "docker-cluster"\nnetwork.host: 0.0.0.0' > /usr/share/elasticsearch/config/elasticsearch.yml && \
   chown -R $PUSER:$PGROUP /usr/share/elasticsearch/config/elasticsearch.yml && \
-  sed -i "s/\b1000\b/\${PUID:-${DEFAULT_UID}}/g" /usr/local/bin/docker-entrypoint.sh && \
   sed -i '/[^#].*\/usr\/share\/elasticsearch\/bin\/elasticsearch.*/i /usr/local/bin/jdk-cacerts-auto-import.sh || true' /usr/local/bin/docker-entrypoint.sh
 
 # just used for initial keystore creation
 ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
 ADD shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/
 
+USER root
+
+ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh"]
+
+CMD ["/usr/local/bin/docker-entrypoint.sh"]
+
 # to be populated at build-time:
 ARG BUILD_DATE
 ARG MALCOLM_VERSION