diff --git a/Dockerfile b/Dockerfile
index 466cfc713..e433d6005 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -87,7 +87,7 @@ COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
 COPY --from=website-builder /work/website/help/ /website/help/
-USER authentik
+USER 1000
 ENV TMPDIR /dev/shm/
 ENV PYTHONUNBUFFERED 1
@@ -95,4 +95,4 @@ ENV PATH "/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "/lifecycle/ak", "healthcheck" ]
-ENTRYPOINT [ "/lifecycle/ak" ]
+ENTRYPOINT [ "/usr/local/bin/dumb-init", "--", "/lifecycle/ak" ]
diff --git a/lifecycle/ak b/lifecycle/ak
index c304952ff..c8666e633 100755
--- a/lifecycle/ak
+++ b/lifecycle/ak
@@ -29,7 +29,7 @@ function check_if_root {
 fi
 # Fix permissions of backups and media
 chown -R authentik:authentik /media /certs
- chpst -u authentik:$GROUP env HOME=/authentik $1
+ exec chpst -u authentik:$GROUP env HOME=/authentik $1
 }
 MODE_FILE="/tmp/authentik-mode"
@@ -41,7 +41,7 @@ if [[ "$1" == "server" ]]; then
 if [[ ! -z "${AUTHENTIK_BOOTSTRAP_PASSWORD}" || ! -z "${AUTHENTIK_BOOTSTRAP_TOKEN}" ]]; then
 python -m manage bootstrap_tasks
 fi
- /authentik-proxy
+ exec /authentik-proxy
 elif [[ "$1" == "worker" ]]; then
 wait_for_db
 echo "worker" > $MODE_FILE
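Review bot: `USER 1000` (Dockerfile hunk at -87,7) names only a uid, and the instruction that creates the `authentik` account lies outside the hunk, so nothing visible here ties that account to uid 1000. If the two ever differ, the default process runs as an id with no passwd entry and no ownership of the application files, while the root path in `lifecycle/ak` still drops to the name `authentik`. Pin the ids where the account is created and state the coupling next to this line, e.g. `# numeric uid, must equal the authentik account created above`; if the account's group is also 1000, `USER 1000:1000` makes the group explicit as well.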
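Review bot: The new `ENTRYPOINT` (Dockerfile hunk at -95,4) hard-codes `/usr/local/bin/dumb-init`, and the only source of that binary visible in this commit is the PyPI package added as `dumb-init = "*"` in pyproject.toml. The program that becomes PID 1 is therefore whatever the Python dependency resolution yields; poetry.lock pins 1.2.5.post1 with hashes, which protects the image only if the build stage installs from the lock, and that stage is not shown here. A version constraint in pyproject.toml and a comment above this line, e.g. `# dumb-init comes from the Python dependency stage; it forwards signals and reaps zombies as PID 1`, would make the dependency explicit.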
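Review bot: Only the root path of `check_if_root` gains `exec` (lifecycle/ak hunk at -29,7); the hunk opens at the `fi` that closes an earlier branch, so the function's start and its non-root path are not shown. With the image now defaulting to `USER 1000`, that non-root path is presumably the one taken in normal operation, and if it still runs `$1` as a child, bash stays between dumb-init and the service. Apply the same change there, e.g. `exec $1`, and add a comment on the function noting that it does not return. `$1` is left unquoted so the command string splits into words, which also glob-expands it; passing the command as separate arguments and running `exec "$@"` would avoid that.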
@@ -56,12 +56,14 @@ elif [[ "$1" == "test" ]]; then
 elif [[ "$1" == "healthcheck" ]]; then
 mode=$(cat $MODE_FILE)
 if [[ $mode == "server" ]]; then
- curl --user-agent "goauthentik.io lifecycle Healthcheck" -I http://localhost:9000/-/health/ready/
+ exec curl --user-agent "goauthentik.io lifecycle Healthcheck" -I http://localhost:9000/-/health/ready/
 elif [[ $mode == "worker" ]]; then
- celery -A authentik.root.celery inspect ping -d celery@$HOSTNAME --timeout 5 -j
+ exec celery -A authentik.root.celery inspect ping -d celery@$HOSTNAME --timeout 5 -j
 fi
 elif [[ "$1" == "dump_config" ]]; then
- python -m authentik.lib.config
+ exec python -m authentik.lib.config
+elif [[ "$1" == "debug" ]]; then
+ exec sleep infinity
 else
- python -m manage "$@"
+ exec python -m manage "$@"
 fi
diff --git a/poetry.lock b/poetry.lock index e9a34e5f3..303f47e44 100644 --- a/poetry.lock +++ b/poetry.lock @@ -744,6 +744,14 @@ uritemplate = ">=2.0.0" offline = ["drf-spectacular-sidecar"] sidecar = ["drf-spectacular-sidecar"] +[[package]] +name = "dumb-init" +version = "1.2.5.post1" +description = "Simple wrapper script which proxies signals to a child" +category = "main" +optional = false +python-versions = "*" + [[package]] name = "duo-client" version = "4.4.0" @@ -2085,7 +2093,7 @@ testing = ["coverage (>=5.0.3)", "zope.event", "zope.testing"] [metadata] lock-version = "1.1" python-versions = "^3.10" -content-hash = "e2096a66167fa7ab127faa9de091b18519491c23a736b33961b2259fe85d4185" +content-hash = "acbd25177fb5880a50d29da1b0cab9ab09b67078beea12495527695c55ef2ea8" [metadata.files] aiohttp = [
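Review bot: The `exec curl ... -I http://localhost:9000/-/health/ready/` line in the healthcheck branch (lifecycle/ak hunk at -56,12) makes curl's exit status the healthcheck result, and without `--fail` curl exits 0 for any HTTP response, including an error status from the readiness endpoint. Change it to `exec curl --fail --user-agent "goauthentik.io lifecycle Healthcheck" -I http://localhost:9000/-/health/ready/` so a server that is not ready is reported unhealthy. The new `debug` branch never writes `$MODE_FILE`, so in that mode `cat` fails, neither comparison matches and the healthcheck exits 0; if that is intended, say so in a comment such as `# debug: idle container for interactive inspection, healthcheck is a no-op`. The if/elif chain starts outside the hunk.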
@@ -2553,6 +2561,13 @@ drf-spectacular = [ {file = "drf-spectacular-0.23.1.tar.gz", hash = "sha256:d1724da1fd4ae99d66333b1c8530f3c51788d87b380f5951830bf8405f234120"}, {file = "drf_spectacular-0.23.1-py3-none-any.whl", hash = "sha256:2e42ae16717a5c3b2ae8632ac2b92f7eeb7b4fb9a941bc7879a92343e50ddeb6"}, ] +dumb-init = [ + {file = "dumb-init-1.2.5.post1.tar.gz", hash = "sha256:6510538a975e0de10658b0210ec2ad62dc3617543af5c6fbd29a3af111eae981"}, + {file = "dumb_init-1.2.5.post1-py2.py3-none-manylinux_2_12_x86_64.manylinux2010_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5d6b1fe9b8efcdbbdcb670efe7a55f9117251ee9648d35ffd0c487fd79515ea5"}, + {file = "dumb_init-1.2.5.post1-py2.py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a516a16a7dfed012de2524eb449e31f7f583b11b938eebb3ec09fd194497293d"}, + {file = "dumb_init-1.2.5.post1-py2.py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c52a20fe73a6f56501079f969775098ab83bd9c73648b9e4eb68fa1b02a9b98e"}, + {file = "dumb_init-1.2.5.post1-py2.py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:fc1e309f52c898ee00df056189f46ca3f6055a72b77015f4eefbd7c58c45290f"}, +] duo-client = [ {file = "duo_client-4.4.0-py2.py3-none-any.whl", hash = "sha256:927b7e838433b20debc8d07c2c418c2e1b650735acb9fcf214eaa3a2caf00358"}, {file = "duo_client-4.4.0.tar.gz", hash = "sha256:44e06bf730a201a1e1749215ef16d2c2682a73532eedd58d63663a8adabba3d3"},
diff --git a/pyproject.toml b/pyproject.toml
index 102575997..74ca8f965 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -141,6 +141,7 @@ webauthn = "*"
 wsproto = "*"
 xmlsec = "*"
 twilio = "*"
+dumb-init = "*"
 [tool.poetry.dev-dependencies]
 bandit = "*"