From 55dea43b2df624c5e6cc878a85e8ead657bfba8d Mon Sep 17 00:00:00 2001 From: Shrikant Sharat Kandula Date: Mon, 11 Sep 2023 12:54:50 +0530 Subject: [PATCH] chore: Place local MongoDB cluster key in `/tmp` instead of `/` (#26963) This is another step towards supporting running with readonly root FS, and only making runtime changes in the container in `/tmp` or in `/appsmith-stacks`, and nowhere else. --- Dockerfile | 2 ++ deploy/docker/fs/opt/appsmith/entrypoint.sh | 13 ++++++++----- .../opt/appsmith/templates/supervisord/mongodb.conf | 2 +- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2f44b44bad..4429f4b53f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -51,6 +51,8 @@ RUN rm -rf \ VOLUME [ "/appsmith-stacks" ] # ------------------------------------------------------------------------ +ENV TMP /tmp/appsmith + # Add backend server - Application Layer ARG JAR_FILE=./app/server/dist/server-*.jar ARG PLUGIN_JARS=./app/server/dist/plugins/*.jar diff --git a/deploy/docker/fs/opt/appsmith/entrypoint.sh b/deploy/docker/fs/opt/appsmith/entrypoint.sh index 495945dfda..dbdfbf8bb9 100644 --- a/deploy/docker/fs/opt/appsmith/entrypoint.sh +++ b/deploy/docker/fs/opt/appsmith/entrypoint.sh @@ -4,6 +4,8 @@ set -e stacks_path=/appsmith-stacks +export MONGODB_TMP_KEY_PATH="$TMP/mongodb-key" # export for use in supervisor process mongodb.conf + # ip is a reserved keyword for tracking events in Mixpanel. Instead of showing the ip as is Mixpanel provides derived properties. # As we want derived props alongwith the ip address we are sharing the ip address in separate keys # https://help.mixpanel.com/hc/en-us/articles/360001355266-Event-Properties @@ -206,7 +208,7 @@ init_replica_set() { )" echo "Enabling Replica Set" mongod --dbpath "$MONGO_DB_PATH" --shutdown || true - mongod --fork --port 27017 --dbpath "$MONGO_DB_PATH" --logpath "$MONGO_LOG_PATH" --replSet mr1 --keyFile /mongodb-key --bind_ip localhost + mongod --fork --port 27017 --dbpath "$MONGO_DB_PATH" --logpath "$MONGO_LOG_PATH" --replSet mr1 --keyFile "$MONGODB_TMP_KEY_PATH" --bind_ip localhost echo "Waiting 10s for MongoDB to start with Replica Set" sleep 10 mongosh "$APPSMITH_MONGODB_URI" --eval 'rs.initiate()' @@ -229,11 +231,12 @@ init_replica_set() { } use-mongodb-key() { - # This is a little weird. We copy the MongoDB key file to `/mongodb-key`, so that we can reliably set its permissions to 600. - # What affects the reliability of this? When the host machine of this Docker container is Windows, file permissions cannot be set on files in volumes. + # We copy the MongoDB key file to `$MONGODB_TMP_KEY_PATH`, so that we can reliably set its permissions to 600. + # Why? When the host machine of this Docker container is Windows, file permissions cannot be set on files in volumes. # So the key file should be somewhere inside the container, and not in a volume. - cp -v "$1" /mongodb-key - chmod 600 /mongodb-key + mkdir -pv "$(dirname "$MONGODB_TMP_KEY_PATH")" + cp -v "$1" "$MONGODB_TMP_KEY_PATH" + chmod 600 "$MONGODB_TMP_KEY_PATH" } # Keep Let's Encrypt directory persistent diff --git a/deploy/docker/fs/opt/appsmith/templates/supervisord/mongodb.conf b/deploy/docker/fs/opt/appsmith/templates/supervisord/mongodb.conf index 9a930e7fe7..6a9fd3b13b 100644 --- a/deploy/docker/fs/opt/appsmith/templates/supervisord/mongodb.conf +++ b/deploy/docker/fs/opt/appsmith/templates/supervisord/mongodb.conf @@ -1,6 +1,6 @@ [program:mongodb] directory=/appsmith-stacks/data/mongodb -command=mongod --port 27017 --dbpath . --logpath /appsmith-stacks/logs/%(program_name)s/db.log --replSet mr1 --keyFile /mongodb-key --bind_ip localhost +command=mongod --port 27017 --dbpath . --logpath /appsmith-stacks/logs/%(program_name)s/db.log --replSet mr1 --keyFile %(ENV_MONGODB_TMP_KEY_PATH)s --bind_ip localhost priority=10 autostart=true autorestart=true