PMM-8471 run nginx as non-root

admin/commands/config.go

@@ -62,14 +62,14 @@ type ConfigCommand struct {
 func (cmd *ConfigCommand) args(globals *flags.GlobalFlags) ([]string, bool) {
 	port := globals.ServerURL.Port()
 	if port == "" {
-		port = "443"
+		port = "8443"
 	}
 
 	var switchedToTLS bool
 	var res []string
 
 	if globals.ServerURL.Scheme == "http" {
-		port = "443"
+		port = "8443"
 		switchedToTLS = true
 		globals.SkipTLSCertificateCheck = true
 	}

admin/commands/config_test.go

@@ -32,11 +32,11 @@ func TestConfigCommandArgs(t *testing.T) {
 	}
 
 	t.Run("SwitchToTLS1", func(t *testing.T) {
-		u, err := url.Parse("http://127.0.0.1:80")
+		u, err := url.Parse("http://127.0.0.1:8080")
 		require.NoError(t, err)
 		args, switchedToTLS := cmd.args(&flags.GlobalFlags{ServerURL: u})
 		expected := []string{
-			"--server-address=127.0.0.1:443",
+			"--server-address=127.0.0.1:8443",
 			"--server-insecure-tls",
 			"setup", "1.2.3.4", "generic", "node1",
 		}
@@ -54,7 +54,7 @@ func TestConfigCommandArgs(t *testing.T) {
 		require.NoError(t, err)
 		args, switchedToTLS := cmd.args(&flags.GlobalFlags{ServerURL: u})
 		expected := []string{
-			"--server-address=127.0.0.1:443",
+			"--server-address=127.0.0.1:8443",
 			"--server-username=admin",
 			"--server-password=admin",
 			"--server-insecure-tls",
@@ -74,7 +74,7 @@ func TestConfigCommandArgs(t *testing.T) {
 		require.NoError(t, err)
 		args, switchedToTLS := cmd.args(&flags.GlobalFlags{ServerURL: u})
 		expected := []string{
-			"--server-address=127.0.0.1:443",
+			"--server-address=127.0.0.1:8443",
 			"--server-username=admin",
 			"--server-password=admin",
 			"--server-insecure-tls",
@@ -102,7 +102,7 @@ func TestConfigCommandArgs(t *testing.T) {
 			EnableTrace: true,
 		})
 		expected := []string{
-			"--server-address=127.0.0.1:443",
+			"--server-address=127.0.0.1:8443",
 			"--server-username=admin",
 			"--server-password=admin",
 			"--server-insecure-tls",

admin/commands/pmm/server/docker/install.go

@@ -129,8 +129,8 @@ func (c *InstallCommand) runContainer(ctx context.Context, volume *volume.Volume
 	logrus.Info("Starting PMM Server")
 
 	ports := nat.PortMap{
-		"443/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPSListenPort))}},
-		"80/tcp":  []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPListenPort))}},
+		"8443/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPSListenPort))}},
+		"8080/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPListenPort))}},
 	}
 
 	containerID, err := startPMMServer(ctx, volume, "", dockerImage, c.dockerFn, ports, c.ContainerName)

agent/Makefile

@@ -11,7 +11,7 @@ PMM_RELEASE_VERSION ?= $(shell git describe --always --dirty | cut -b2-)
 PMM_RELEASE_TIMESTAMP ?= $(shell date '+%s')
 PMM_RELEASE_FULLCOMMIT ?= $(shell git rev-parse HEAD)
 PMM_RELEASE_BRANCH ?= $(shell git describe --always --contains --all)
-PMM_DEV_SERVER_PORT ?= 443
+PMM_DEV_SERVER_PORT ?= 8443
 ifeq ($(GOBIN),)
 	GOBIN := $(shell go env GOPATH)/bin
 endif

agent/agents/supervisor/supervisor_test.go

@@ -52,7 +52,7 @@ func TestSupervisor(t *testing.T) {
 	cfgStorage := config.NewStorage(&config.Config{
 		Paths:         config.Paths{TempDir: tempDir},
 		Ports:         config.Ports{Min: 65000, Max: 65099},
-		Server:        config.Server{Address: "localhost:443"},
+		Server:        config.Server{Address: "localhost:8443"},
 		LogLinesCount: 1,
 	})
 	s := NewSupervisor(ctx, nil, cfgStorage)

agent/config/config_test.go

@@ -102,7 +102,7 @@ func TestGet(t *testing.T) {
 			ListenAddress: "127.0.0.1",
 			ListenPort:    9999,
 			Server: Server{
-				Address: "127.0.0.1:443",
+				Address: "127.0.0.1:8443",
 			},
 			Paths: Paths{
 				PathsBase:        "/usr/local/percona/pmm2",
@@ -167,7 +167,7 @@ func TestGet(t *testing.T) {
 			ListenAddress: "0.0.0.0",
 			ListenPort:    7777,
 			Server: Server{
-				Address: "127.0.0.1:443",
+				Address: "127.0.0.1:8443",
 			},
 			Paths: Paths{
 				PathsBase:        "/usr/local/percona/pmm2",
@@ -231,7 +231,7 @@ func TestGet(t *testing.T) {
 			ListenAddress: "127.0.0.1",
 			ListenPort:    7777,
 			Server: Server{
-				Address: "127.0.0.1:443",
+				Address: "127.0.0.1:8443",
 			},
 			Paths: Paths{
 				PathsBase:        "/usr/local/percona/pmm2",
@@ -303,7 +303,7 @@ func TestGet(t *testing.T) {
 			ListenAddress: "127.0.0.1",
 			ListenPort:    7777,
 			Server: Server{
-				Address: "127.0.0.1:443",
+				Address: "127.0.0.1:8443",
 			},
 			Paths: Paths{
 				PathsBase:        "/usr/local/percona/pmm2",
@@ -373,7 +373,7 @@ func TestGet(t *testing.T) {
 			ListenAddress: "127.0.0.1",
 			ListenPort:    7777,
 			Server: Server{
-				Address: "127.0.0.1:443",
+				Address: "127.0.0.1:8443",
 			},
 			Paths: Paths{
 				PathsBase:        "/base",
@@ -441,7 +441,7 @@ func TestGet(t *testing.T) {
 			ListenAddress: "127.0.0.1",
 			ListenPort:    7777,
 			Server: Server{
-				Address: "127.0.0.1:443",
+				Address: "127.0.0.1:8443",
 			},
 			Paths: Paths{
 				PathsBase:        "/base",
@@ -534,19 +534,19 @@ func TestGet(t *testing.T) {
 
 func TestFilteredURL(t *testing.T) {
 	s := &Server{
-		Address:  "1.2.3.4:443",
+		Address:  "1.2.3.4:8443",
 		Username: "username",
 	}
-	require.Equal(t, "https://[email protected]:443/", s.URL().String())
-	require.Equal(t, "https://[email protected]:443/", s.FilteredURL())
+	require.Equal(t, "https://[email protected]:8443/", s.URL().String())
+	require.Equal(t, "https://[email protected]:8443/", s.FilteredURL())
 
 	for _, password := range []string{
 		"password",
 		"$&+,/:*;=?@", // all special reserved characters from RFC plus *
 	} {
 		t.Run(password, func(t *testing.T) {
 			s.Password = password
-			assert.Equal(t, "https://username:***@1.2.3.4:443/", s.FilteredURL())
+			assert.Equal(t, "https://username:***@1.2.3.4:8443/", s.FilteredURL())
 		})
 	}
 }

agent/docker-compose.yml

@@ -6,8 +6,8 @@ services:
     image: ${PMM_SERVER_IMAGE:-perconalab/pmm-server:dev-latest}
     container_name: pmm-agent_pmm-server
     ports:
-      - "127.0.0.1:80:80"
-      - "127.0.0.1:443:443"
+      - "127.0.0.1:80:8080"
+      - "127.0.0.1:443:8443"
     environment:
       - PMM_DEBUG=1
       - PERCONA_TEST_CHECKS_INTERVAL=10s

api-tests/docker-compose.yml

@@ -6,8 +6,8 @@ services:
     image: ${PMM_SERVER_IMAGE:-perconalab/pmm-server:dev-latest}
     container_name: pmm-agent_pmm-server
     ports:
-      - 127.0.0.1:80:80
-      - 127.0.0.1:443:443
+      - 127.0.0.1:80:8080
+      - 127.0.0.1:443:8443
     environment:
       - PMM_DEBUG=1
       - PERCONA_TEST_CHECKS_INTERVAL=10s

build/ansible/pmm2/post-build-actions.yml

@@ -67,7 +67,7 @@
         --config-file=/usr/local/percona/pmm2/config/pmm-agent.yaml
         --skip-registration
         --id=pmm-server
-        --server-address=127.0.0.1:443
+        --server-address=127.0.0.1:8443
         --server-insecure-tls
 
     - name: Reread supervisord configuration EL7

build/ansible/roles/ami-ovf/tasks/main.yml

@@ -57,6 +57,8 @@
   with_items:
     - 80/tcp
     - 443/tcp
+    - 8080/tcp
+    - 8443/tcp
 
 - name: Add firewalld rule        | EL9
   when:
@@ -68,6 +70,8 @@
   with_items:
     - 80/tcp
     - 443/tcp
+    - 8080/tcp
+    - 8443/tcp
 
 - name: PMM                        | Add script which show PMM URL
   copy:

build/ansible/roles/pmm2-images/tasks/main.yml

@@ -100,7 +100,7 @@
         non_unique: true
       loop:
         - { name: pmm, gid: 1000 }
-        - { name: nginx, gid: 999 }
+        - { name: nginx, gid: 1002 }
         - { name: grafana, gid: 998 }
         - { name: clickhouse, gid: 997 }
         - { name: pmm-agent, gid: 996 }
@@ -116,7 +116,7 @@
         non_unique: true
       loop:
         - { name: pmm, uid: 1000, comment: "PMM Server", shell: "/bin/false", home: "/home/pmm", group: pmm, }
-        - { name: nginx, uid: 999, comment: "nginx user", shell: "/sbin/nologin", home: "/var/cache/nginx", group: nginx, }
+        - { name: nginx, uid: 1002, comment: "nginx user", shell: "/sbin/nologin", home: "/var/cache/nginx", group: nginx, }
         - { name: grafana, uid: 998, comment: "Grafana Dashboard", shell: "/sbin/nologin", home: "/etc/grafana", group: grafana, }
         - { name: clickhouse, uid: 997, comment: "Clickhouse server", shell: "/sbin/nologin", home: "/var/lib/clickhouse", group: clickhouse, }
         - { name: pmm-agent, uid: 996, comment: "pmm-agent", shell: "/bin/false", home: "/usr/local/percona/", group: pmm-agent, }

build/docker/server/Dockerfile

@@ -9,7 +9,7 @@ LABEL org.opencontainers.image.title Percona Monitoring and Management
 LABEL org.opencontainers.image.vendor Percona
 LABEL org.opencontainers.image.version ${VERSION}
 
-EXPOSE 80 443
+EXPOSE 8080 8443
 
 WORKDIR /opt
 

build/docker/server/Dockerfile.el9

@@ -14,7 +14,7 @@ LABEL org.opencontainers.image.title Percona Monitoring and Management
 LABEL org.opencontainers.image.vendor Percona LLC
 LABEL org.opencontainers.image.version ${VERSION}
 
-EXPOSE 80 443
+EXPOSE 8080 8443
 
 WORKDIR /opt
 

docker-compose.yml

@@ -46,27 +46,23 @@ services:
       # - GF_DATABASE_CA_CERT_PATH=/tmp/certs/root.crt
       # - GF_DATABASE_CLIENT_KEY_PATH=/tmp/certs/grafana.key
       # - GF_DATABASE_CLIENT_CERT_PATH=/tmp/certs/grafana.crt
-
     extra_hosts:
       - host.docker.internal:host-gateway
       # - portal.localhost:${PORTAL_HOST:-host-gateway}
       # - check.localhost:${PORTAL_CHECK_HOST:-host-gateway}
       # - pmm.localhost:${PORTAL_PMM_HOST:-host-gateway}
       # - check-dev.percona.com:${PORTAL_PMM_HOST:-host-gateway}
-
     # for delve
     cap_add:
       - SYS_PTRACE
     security_opt:
       - seccomp:unconfined
-
     # see https://github.com/golang/go/wiki/LinuxKernelSignalVectorBug#what-to-do
     ulimits:
       memlock: 67108864
-
     ports:
-      - ${PMM_PORT_HTTP:-80}:80
-      - ${PMM_PORT_HTTPS:-443}:443
+      - ${PMM_PORT_HTTP:-80}:8080
+      - ${PMM_PORT_HTTPS:-443}:8443
       # For headless delve
       - ${PMM_PORT_DELVE:-2345}:2345
       # PG
@@ -125,6 +121,7 @@ services:
       - "--influxListenAddr=:8089"
     networks:
       - ${NETWORK:-default}
+
   pmm-managed-server-ch:
     profiles:
       - pmm-external-dbs
@@ -155,27 +152,24 @@ services:
       # - PMM_DEBUG=1
       - PMM_VM_URL=${PMM_VM_URL:-http://victoriametrics:8428/}
       - PMM_DEBUG=1
-
     extra_hosts:
       - host.docker.internal:host-gateway
       # - portal.localhost:${PORTAL_HOST:-host-gateway}
       # - check.localhost:${PORTAL_CHECK_HOST:-host-gateway}
       # - pmm.localhost:${PORTAL_PMM_HOST:-host-gateway}
       # - check-dev.percona.com:${PORTAL_PMM_HOST:-host-gateway}
-
     # for delve
     cap_add:
       - SYS_PTRACE
     security_opt:
       - seccomp:unconfined
-
     # see https://github.com/golang/go/wiki/LinuxKernelSignalVectorBug#what-to-do
     ulimits:
       memlock: 67108864
 
     ports:
-      - ${PMM_PORT_HTTP:-80}:80
-      - ${PMM_PORT_HTTPS:-443}:443
+      - ${PMM_PORT_HTTP:-80}:8080
+      - ${PMM_PORT_HTTPS:-443}:8443
       # For headless delve
       - ${PMM_PORT_DELVE:-2345}:2345
     volumes:

get-pmm.sh

@@ -237,7 +237,7 @@ start_pmm() {
     run_docker 'stop pmm-server' || :
     run_docker "rename pmm-server $pmm_archive\n"
   fi
-  run_pmm="run -d -p $port:443 --volumes-from pmm-data --name $container_name --restart always $repo:$tag"
+  run_pmm="run -d -p $port:8443 --volumes-from pmm-data --name $container_name --restart always $repo:$tag"
 
   run_docker "$run_pmm 1> /dev/null"
   msg "Created PMM Server: $container_name"

managed/services/supervisord/pmm_config.go

@@ -148,6 +148,7 @@ redirect_stderr = true
 [program:nginx]
 priority = 4
 command = nginx
+user = nginx
 autorestart = true
 autostart = true
 startretries = 10

qan-api2/docker-compose.yaml

@@ -6,8 +6,8 @@ services:
     container_name: pmm-server
     image: perconalab/pmm-server:dev-latest
     ports:
-      - 80:80
-      - 443:443
+      - 80:8080
+      - 443:8443
       - 19000:9000
       - 9933:9933
     restart: always

update/ansible/playbook/tasks/roles/nginx/files/conf.d/pmm.conf

@@ -28,8 +28,8 @@
   }
 
   server {
-    listen 80;
-    listen 443 ssl http2;
+    listen 8080;
+    listen 8443 ssl http2;
     server_name _;
     server_tokens off;