pre-define a fixed UID/GID for squid

@ebocchi This will help with https://github.com/sciencebox/charts/issues/61

Currently the squid user in the container image, coming from the RPM installation, is

bash-4.2$ id
uid=998(squid) gid=997(squid) groups=997(squid),1(bin)

with directory ownerships:

bash-4.2$ ls -ld /var/run/squid/ /var/cache/squid/   /var/log/squid/
drwxrwsrwx. 2 root  bin   6 Jul 19 23:27 /var/cache/squid/
drwxr-xr-x. 2 squid squid 6 Feb 24 12:23 /var/log/squid/
drwxr-xr-x. 2 squid squid 6 Jun  4  2021 /var/run/squid/

(The bin group is incidental, because fsGroup is not defined so it defaults to 1.)

However 998, 997 is not guaranteed to be stable over time; the yum update or the upstream CentOS image could bring changes with more or fewer system accounts (e.g. chrony is 999,998) which would cause the squid UID/GID to change in the future in a newer container image. This can be avoided by simply creating an arbitrary squid user/group (5000, but could be anything) before the RPM installation; the same is done by the OSG squid image.

rpm -q frontier-squid-4.17-1.1.x86_64.rpm --scripts shows that the frontier-squid RPM only makes the squid account if it is not already there; this way we can guarantee that 5000 will always be the correct UID, GID of squid.

Edited by Ryan Taylor
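
An added example, not part of the merge request or the project's code: a build-time sketch of the approach described above, which creates the account before the RPM install and afterwards checks that the IDs did not drift or collide. The function names, the `/sbin/nologin` shell and the choice to check `/etc/passwd` and `/etc/group` directly are assumptions; 5000 is the value the description proposes.

```shell
#!/bin/sh
# Added example; not from the merge request. 5000 is the value the description
# proposes; function names and the nologin shell are assumptions.
SQUID_UID=5000
SQUID_GID=5000

# Run as root BEFORE installing the frontier-squid RPM, so its scriptlet finds
# the account already present and does not allocate the next free system ID.
create_squid_account() {
    getent group squid >/dev/null || groupadd -g "$SQUID_GID" squid
    getent passwd squid >/dev/null ||
        useradd -u "$SQUID_UID" -g squid -M -s /sbin/nologin squid
}

# Print field 3 (numeric ID) for a name in a passwd- or group-format file.
id_of() { # id_of <file> <name>
    awk -F: -v n="$2" '$1 == n { print $3; found = 1; exit }
                       END { if (!found) exit 1 }' "$1"
}

# Count the entries that carry a numeric ID; more than one is a collision.
owners_of() { # owners_of <file> <id>
    awk -F: -v i="$2" '$3 == i { c++ } END { print c + 0 }' "$1"
}

# Run AFTER the RPM install: non-zero if squid is missing, drifted or shared.
verify_squid_ids() { # verify_squid_ids <passwd_file> <group_file>
    uid=$(id_of "$1" squid) || { echo "no squid user" >&2; return 1; }
    gid=$(id_of "$2" squid) || { echo "no squid group" >&2; return 1; }
    # Field 4 of passwd is the primary GID; it must be the squid group too.
    pgid=$(awk -F: '$1 == "squid" { print $4; exit }' "$1")
    [ "$uid" = "$SQUID_UID" ] || { echo "uid $uid != $SQUID_UID" >&2; return 1; }
    [ "$gid" = "$SQUID_GID" ] || { echo "gid $gid != $SQUID_GID" >&2; return 1; }
    [ "$pgid" = "$SQUID_GID" ] || { echo "primary gid $pgid" >&2; return 1; }
    [ "$(owners_of "$1" "$SQUID_UID")" -eq 1 ] || { echo "uid reused" >&2; return 1; }
    [ "$(owners_of "$2" "$SQUID_GID")" -eq 1 ] || { echo "gid reused" >&2; return 1; }
}

# In the image build: create_squid_account; <install RPM>; then
#   verify_squid_ids /etc/passwd /etc/group || exit 1
```

Failing the build on a mismatch surfaces an ID change at image build time rather than as a permissions error on volumes written by an older image.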
