Add unix.Umask (#52)

0sewa0 · wepudt · StefanHauth · web-flow · commit 58edbc0f4ee6 · 2025-04-18T14:46:29.000+02:00
Co-authored-by: wepudt &lt;werner.putschoegl@dynatrace.com&gt;
Co-authored-by: Stefan Hauth &lt;stefan.hauth@dynatrace.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -19,7 +19,7 @@ RUN --mount=type=cache,target="/root/.cache/go-build" \
     -o ./build/_output/bin/dynatrace-bootstrapper
 
 # platform is required, otherwise the copy command will copy the wrong architecture files, don't trust GitHub Actions linting warnings
-FROM --platform=$TARGETPLATFORM public.ecr.aws/dynatrace/dynatrace-codemodules:1.307.57.20250217-152612 AS codemodules
+FROM --platform=$TARGETPLATFORM public.ecr.aws/dynatrace/dynatrace-codemodules:1.311.70.20250416-094918 AS codemodules
 
 # copy bootstrapper binary
 COPY --from=build /app/build/_output/bin /opt/dynatrace/oneagent/agent/lib64/
@@ -33,4 +33,4 @@ ENV USER_UID=1001 \
 
 USER ${USER_UID}:${USER_UID}
 
-ENTRYPOINT ["/opt/dynatrace/oneagent/agent/lib64/dynatrace-bootstrapper"]
+ENTRYPOINT ["/opt/dynatrace/oneagent/agent/lib64/dynatrace-bootstrapper"]
diff --git a/go.mod b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	go.uber.org/zap v1.27.0
+	golang.org/x/sys v0.32.0
 )
 
 require (
diff --git a/go.sum b/go.sum
@@ -26,6 +26,8 @@ go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
 go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
diff --git a/hack/testing/helm-sample/templates/deployment.yaml b/hack/testing/helm-sample/templates/deployment.yaml
@@ -48,6 +48,17 @@ spec:
           mountPath: /mnt/input
       containers:
       - image: docker.io/php:fpm-stretch
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: false
+          runAsNonRoot: true
+          runAsUser: 101
+          runAsGroup: 99
+          seccompProfile:
+            type: RuntimeDefault
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -93,10 +104,6 @@ spec:
         - key: kubernetes.io/arch
           value: amd64
           effect: NoSchedule
-      securityContext:
-        runAsUser: 0
-        runAsGroup: 0
-        fsGroup: 2000
       terminationGracePeriodSeconds: 30
       imagePullSecrets:
         {{ .Values.image.pullSecrets }}
diff --git a/pkg/move/copy.go b/pkg/move/copy.go
@@ -4,6 +4,7 @@ import (
 	fsutils "github.com/Dynatrace/dynatrace-bootstrapper/pkg/utils/fs"
 	"github.com/go-logr/logr"
 	"github.com/spf13/afero"
+	"golang.org/x/sys/unix"
 )
 
 type copyFunc func(log logr.Logger, fs afero.Afero, from, to string) error
@@ -13,6 +14,9 @@ var _ copyFunc = SimpleCopy
 func SimpleCopy(log logr.Logger, fs afero.Afero, from, to string) error {
 	log.Info("starting to copy (simple)", "from", from, "to", to)
 
+	oldUmask := unix.Umask(0000)
+	defer unix.Umask(oldUmask)
+
 	err := fsutils.CopyFolder(log, fs, from, to)
 	if err != nil {
 		log.Error(err, "error moving folder")
diff --git a/pkg/move/technologies.go b/pkg/move/technologies.go
@@ -9,6 +9,7 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
 	"github.com/spf13/afero"
+	"golang.org/x/sys/unix"
 )
 
 type Manifest struct {
@@ -40,6 +41,9 @@ func CopyByTechnology(log logr.Logger, fs afero.Afero, from string, to string, t
 		return err
 	}
 
+	oldUmask := unix.Umask(0000)
+	defer unix.Umask(oldUmask)
+
 	for _, sourceFilePath := range filteredPaths {
 		targetFilePath := filepath.Join(to, strings.Split(sourceFilePath, from)[1])
 

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ require (`
`10`	`10`	`github.com/spf13/cobra v1.9.1`
`11`	`11`	`github.com/stretchr/testify v1.10.0`
`12`	`12`	`go.uber.org/zap v1.27.0`
	`13`	`+ golang.org/x/sys v0.32.0`
`13`	`14`	`)`
`14`	`15`
`15`	`16`	`require (`
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ import (`
`9`	`9`	`"github.com/go-logr/logr"`
`10`	`10`	`"github.com/pkg/errors"`
`11`	`11`	`"github.com/spf13/afero"`
	`12`	`+ "golang.org/x/sys/unix"`
`12`	`13`	`)`
`13`	`14`
`14`	`15`	`type Manifest struct {`
`@@ -40,6 +41,9 @@ func CopyByTechnology(log logr.Logger, fs afero.Afero, from string, to string, t`
`40`	`41`	`return err`
`41`	`42`	`}`
`42`	`43`
	`44`	`+ oldUmask := unix.Umask(0000)`
	`45`	`+ defer unix.Umask(oldUmask)`
	`46`	`+`
`43`	`47`	`for _, sourceFilePath := range filteredPaths {`
`44`	`48`	`targetFilePath := filepath.Join(to, strings.Split(sourceFilePath, from)[1])`
`45`	`49`