From 7fb0c314500c4983c539123071ffd807a581fc93 Mon Sep 17 00:00:00 2001 From: Phill Kelley <34226495+Paraphraser@users.noreply.github.com> Date: Wed, 5 Mar 2025 15:38:33 +1100 Subject: [PATCH] 2025-03-05 Chronograf - old-menu branch - PR 2 of 2 [PR 781](https://github.com/influxdata/influxdata-docker/pull/781) was submitted on 2025-01-21 but is has now been over 40 days without any response. It isn't clear whether it is simply taking the time it needs to take, or if this is a signal that it will never be processed. The basic problem occurs with Docker "bind mounts" which are the convention for IOTstack containers. If Chronograf launches from a clean slate, Docker will create `./volumes/chronograf` with root ownership. Although the container *launches* as root, it does not take the opportunity to enforce its ownership conventions prior to downgrading its privileges to that of (internal) user `chronograf` (ID=999). The result is the container can't write to its persistent store, crashes and goes into a restart loop. This PR provides an augmented entry point script which sets ownership correctly prior to launching the `chronograf` process. This PR applies the patch for IOTstack users via a local Dockerfile. It can be unwound if/when PR781 is processed. Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
---
.templates/chronograf/Dockerfile | 8 ++++++++ .templates/chronograf/entrypoint.sh | 25 +++++++++++++++++++++++++ .templates/chronograf/service.yml | 5 +++-- 3 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 .templates/chronograf/Dockerfile create mode 100755 .templates/chronograf/entrypoint.sh
diff --git a/.templates/chronograf/Dockerfile b/.templates/chronograf/Dockerfile
new file mode 100644
index 00000000..b43fab97
--- /dev/null
+++ b/.templates/chronograf/Dockerfile
@@ -0,0 +1,8 @@
+FROM chronograf:alpine
+
+# see https://github.com/influxdata/influxdata-docker/pull/781
+# this patch can be withdrawn if/when PR781 is applied.
+
+COPY entrypoint.sh /entrypoint.sh
+
+# EOF
diff --git a/.templates/chronograf/entrypoint.sh b/.templates/chronograf/entrypoint.sh
new file mode 100755
index 00000000..3c486916
--- /dev/null
+++ b/.templates/chronograf/entrypoint.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+set -e
+
+if [ "${1:0:1}" = '-' ]; then
+ set -- chronograf "$@"
+fi
+
+if [ "$1" = 'chronograf' ]; then
+ export BOLT_PATH=${BOLT_PATH:-/var/lib/chronograf/chronograf-v1.db}
+fi
+
+if [ $(id -u) -eq 0 ] ; then
+ if [ "${CHRONOGRAF_AS_ROOT}" != "true" ] ; then
+ chown -Rc chronograf:chronograf /var/lib/chronograf
+ exec su-exec chronograf "$@"
+ fi
+ chown -Rc root:root /var/lib/chronograf
+else
+ if [ ! -w /var/lib/chronograf ] ; then
+ echo "You need to change ownership on chronograf's persistent store. Run:"
+ echo " sudo chown -R $(id -u):$(id -u) /path/to/persistent/store"
+ fi
+fi
+
+exec "$@"
diff --git a/.templates/chronograf/service.yml b/.templates/chronograf/service.yml
index dc40e4de..7a0ec01a 100644
--- a/.templates/chronograf/service.yml
+++ b/.templates/chronograf/service.yml
@@ -1,6 +1,7 @@
 chronograf:
 container_name: chronograf
- image: chronograf:latest
+ build:
+ context: ./.templates/chronograf/.
 restart: unless-stopped
 environment:
 - TZ=${TZ:-Etc/UTC}
@@ -10,6 +11,7 @@
 # - INFLUXDB_PASSWORD=
 # - INFLUXDB_ORG=
 # - KAPACITOR_URL=http://kapacitor:9092
+ # - CHRONOGRAF_AS_ROOT=true
 ports:
 - "8888:8888"
 volumes:
@@ -17,4 +19,3 @@
 depends_on:
 - influxdb
 # - kapacitor
-
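Review bot: `FROM chronograf:alpine` in the new Dockerfile is a floating tag, so each rebuild can land on a different base image, while `COPY entrypoint.sh /entrypoint.sh` relies on that base's ENTRYPOINT still pointing at `/entrypoint.sh` (the base's ENTRYPOINT is not visible in this patch). Pinning the base, for example `FROM chronograf:<VERSION>-alpine` with `<VERSION>` as a placeholder for the release IOTstack has tested, keeps the replacement script matched to the image it was written against. The copy also depends on the checkout preserving the executable bit; `COPY --chmod=0755 entrypoint.sh /entrypoint.sh` makes that explicit, assuming BuildKit is the builder in use.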
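Review bot: In `entrypoint.sh`, both `chown -Rc … /var/lib/chronograf` calls run as root on every start over a bind-mounted tree that the unprivileged `chronograf` user can write to, and without `-h` a symbolic link inside that tree may have its target's ownership changed rather than the link's own (this depends on the `chown` shipped in the Alpine base, so it is worth confirming). I would write `chown -Rhc chronograf:chronograf /var/lib/chronograf` and `chown -Rhc root:root /var/lib/chronograf`. Separately, the hint printed in the non-root branch uses `$(id -u):$(id -u)`, which passes the UID as the group; `$(id -u):$(id -g)` gives the ownership the running user actually has.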
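Review bot: Replacing `image: chronograf:latest` with `build:` in the first `service.yml` hunk means that pulling images no longer refreshes this service, so base-image security fixes arrive only when the local image is rebuilt. A comment beside `build:` would tell users that, for example `# built locally; rebuild with --pull to pick up base image updates`. In the second hunk, the commented `CHRONOGRAF_AS_ROOT=true` line would benefit from a short comment saying that enabling it keeps the Chronograf process running as root inside the container, since `entrypoint.sh` skips the `su-exec` drop in that case.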