OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Support running as an arbitrary user (OpenShift Container Platform) #4885

Closed leitosama closed 7 months ago

leitosama commented 12 months ago

Prerequisites

Description

I'd like to contribute to the OpenCTI project and close a minor issue about deploying to OCP, described below.

At my work we use OCP to run containers. When I was trying to deploy OpenCTI to OCP I constantly got an error like EACCES: permission denied, mkdir 'logs/' in the platform image logs.

By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID (proof). The OpenCTI platform image does not support running as an arbitrary user because of the improper access mode on /opt/opencti.

I fixed this image issue by rebuilding your image like this:

FROM opencti/platform:5.11.3

RUN chmod -R g+w /opt/opencti/

Environment

  1. OS (where OpenCTI server runs): Red Hat CoreOS 9 (OpenShift Container Platform) / Debian 11 (docker compose)
  2. OpenCTI version: 5.11.3
  3. OpenCTI client: not applicable
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Deploy OpenCTI to OCP (or emulate OCP by changing the user in docker-compose.yaml and running docker-compose up -d)
    services:
      opencti:
        user: "1005:0"
        image: opencti/platform:5.11.3
  2. Check the opencti container logs
  3. See error:
    Error: EACCES: permission denied, mkdir 'logs/'
    at Object.mkdirSync (node:fs:1379:3)
    at /opt/opencti/build/node_modules/file-stream-rotator/FileStreamRotator.js:669:24
    at Array.reduce (<anonymous>)
    at mkDirForFile (/opt/opencti/build/node_modules/file-stream-rotator/FileStreamRotator.js:656:27)
    at Object.u1.getStream (/opt/opencti/build/node_modules/file-stream-rotator/FileStreamRotator.js:532:5)
    at new DailyRotateFile (/opt/opencti/build/node_modules/winston-daily-rotate-file/daily-rotate-file.js:80:57)
    at Object.<anonymous> (/opt/opencti/build/src/config/conf.js:224:5)
    at Module._compile (node:internal/modules/cjs/loader:1241:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1295:10)
    at Module.load (node:internal/modules/cjs/loader:1091:32)
    at Function.Module._load (node:internal/modules/cjs/loader:938:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:83:12)
    at node:internal/main/run_main_module:23:47

Additional information

https://gist.github.com/leitosama/8581ca2bf7720ea08227338e13200991 -- gist with debug version of docker-compose.yaml and temporary fix (see Dockerfile)
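The failure above comes down to file ownership and mode bits: OpenShift starts the container as a random UID that is always a member of the root group (GID 0), so every path the process must write (here logs/ under /opt/opencti) has to be group-owned by GID 0 and group-writable. The following POSIX shell script is an added example, not OpenCTI project code: it implements a preflight check (check_group_writable) that lists every path in a tree failing that rule, and a fix_group_writable helper that applies the same chgrp/chmod fix the issue describes so it can be tested on a staging copy before being baked into an image layer. The GID is a parameter (on OpenShift you would pass 0); the demo function builds a constructed fake /opt/opencti layout in a temp directory and uses the caller's own primary group so it runs without privileges.

```shell
#!/bin/sh
# Added example, not OpenCTI project code. Preflight check for the problem in
# this issue: a container started as an arbitrary UID in the root group can
# only write paths that are group-owned by GID 0 and group-writable.

# check_group_writable TREE GID
# Prints every path under TREE that is not owned by group GID or lacks the
# group write bit. Returns 0 when the tree is ready, 1 otherwise.
check_group_writable() {
    tree=$1
    gid=$2
    # -group accepts a numeric GID; -perm -020 requires the group write bit.
    bad=$(find "$tree" \( ! -group "$gid" -o ! -perm -020 \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# fix_group_writable TREE GID
# The fix from the issue (chgrp to GID, chmod -R g+w), as a function so it can
# be verified on a staging copy before being added to a Dockerfile RUN step.
fix_group_writable() {
    tree=$1
    gid=$2
    chgrp -R "$gid" "$tree" && chmod -R g+w "$tree"
}

# Constructed demo: a fake /opt/opencti layout in a temp directory, checked
# against the caller's own primary group instead of GID 0 (no privileges needed).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/opencti/build/src" "$tmp/opencti/logs"
    printf 'x' > "$tmp/opencti/build/src/conf.js"
    chmod -R g-w "$tmp/opencti"      # reproduce the image's restrictive mode
    gid=$(ls -nd "$tmp/opencti" | awk '{print $4}')
    echo "paths an arbitrary UID in group $gid could not write:"
    check_group_writable "$tmp/opencti" "$gid" || true
    fix_group_writable "$tmp/opencti" "$gid"
    if check_group_writable "$tmp/opencti" "$gid"; then
        echo "after fix: tree is writable by group $gid"
    fi
    rm -rf "$tmp"
}

demo
```

Running the check with GID 0 against the unpacked image filesystem (for example inside a throwaway container started from opencti/platform:5.11.3) lists exactly the paths that would raise EACCES under OpenShift; an empty result after the chmod -R g+w layer confirms the rebuilt image is ready for an arbitrary UID.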

nino-filigran commented 12 months ago

@sbocahu do you have an idea maybe?

sbocahu commented 12 months ago

@nino-filigran LGTM 👍

leitosama commented 12 months ago

@sbocahu OK, I'll append the necessary changes to Dockerfile and Dockerfile_ci, test them and send a PR within a few days