@@ -191,6 +191,44 @@ RUN apk update \
191191# install puppet gem as library into jruby loadpath
192192&& puppetserver gem install --no-document openvox
193193
194+ # explicitly set HOME: random UIDs will cause HOME to be "/" generally
195+ ENV HOME=${data_dir}/puppetserver
196+
197+ # use system confdir to make it easier to manage permissions and paths
198+ # the conf in that dir should also contain other dirs that are being used for interpolation
199+ # to make sure we use the same dirs as if the server was started as root
200+ RUN mkdir -p ${HOME}/.puppetlabs/etc/puppet && \
201+ cat > ${HOME}/.puppetlabs/etc/puppet/puppet.conf <<'EOF'
202+ [main]
203+ confdir = /etc/puppetlabs/puppet/
204+ EOF
205+
206+ # mirror user permissions to group, set group to root, and set gid bit on dirs
207+ RUN for d in \
208+ /etc/puppetlabs \
209+ /var/log/puppetlabs \
210+ /var/run/puppetlabs \
211+ /opt/puppetlabs/var \
212+ /opt/puppetlabs/cache \
213+ ${data_dir} \
214+ ; do \
215+ mkdir -p "$d"; \
216+ chgrp -R 0 "$d"; \
217+ chmod -R g=u "$d"; \
218+ find "$d" -type d -exec chmod g+s {} +; \
219+ done
220+
221+ # the foreground starting script has this check before running the server:
222+ # [ "$EUID" = "$(id -u ${USER})" ]
223+ # simply calling `id -u` results in the UID of the current user and the check will pass
224+ RUN sed -i 's/^ *USER="puppet"/USER=""/' /etc/default/puppetserver
225+ # `puppetserver setup` forces symlinking the "old" cadir to the "new" one for puppet 6 compatibility
226+ # reasons. this won't work because after creating a link ruby tries to call chown
227+ RUN sed -i '/Puppetserver::Ca::Utils::Config\.symlink_to_old_cadir/ s/^/# /' \
228+ /usr/lib/ruby/gems/3.4.0/gems/openvoxserver-ca-3.0.0/lib/puppetserver/ca/action/setup.rb
229+
230+ USER puppet:0
231+
194232# k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
195233HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]
196234
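Review bot: The `sed -i` that comments out `symlink_to_old_cadir` in setup.rb never checks that the pattern matched, so a refreshed gem whose line no longer fits the regex keeps the build green and the problem only surfaces at runtime as the chown failure the comment describes; the `USER="puppet"` rewrite of /etc/default/puppetserver has the same silent-no-match property. Add an assertion after each edit, e.g. `&& grep -q '^# .*symlink_to_old_cadir' /usr/lib/ruby/gems/3.4.0/gems/openvoxserver-ca-3.0.0/lib/puppetserver/ca/action/setup.rb` and `&& grep -q '^USER=""' /etc/default/puppetserver`, so drift in either upstream file fails the build instead of the deployment. The gem path hard-codes both the Ruby version (3.4.0) and the openvoxserver-ca version (3.0.0); resolving it once with a `find` over /usr/lib/ruby/gems into a shell variable would make the next version bump a single change and still fail loudly if nothing is found. The `chmod -R g=u` / `chgrp -R 0` loop deserves a comment stating that everything under /etc/puppetlabs (presumably including the CA directory and its private keys, if they live there) becomes group-writable by gid 0 by design, since that is what `USER puppet:0` and arbitrary-UID runtimes rely on and a reader may otherwise read it as an accidental permission widening.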