Allow the Docker image to be run with a random user id

dev-tools/packaging/package_test.go

@@ -186,8 +186,13 @@ func checkDocker(t *testing.T, file string) {
 	checkDockerEntryPoint(t, p, info)
 	checkDockerLabels(t, p, info, file)
 	checkDockerUser(t, p, info, *rootUserContainer)
-	checkConfigPermissionsWithMode(t, p, os.FileMode(0640))
-	checkManifestPermissionsWithMode(t, p, os.FileMode(0640))
+
+	// The configuration file in the Docker image is expected to be readable and writable by any user who belongs to
+	// the root group. This is done in order to allow the docker image to run on secured Kubernetes environment where
+	// the user ID used to run a container can't be known in advance.
+	checkConfigPermissionsWithMode(t, p, os.FileMode(0660))
+	checkManifestPermissionsWithMode(t, p, os.FileMode(0660))
+
 	checkModulesPresent(t, "", p)
 	checkModulesDPresent(t, "", p)
 }

dev-tools/packaging/templates/docker/Dockerfile.tmpl

@@ -30,10 +30,10 @@ RUN chmod 755 /usr/local/bin/docker-entrypoint
 RUN groupadd --gid 1000 {{ .BeatName }}
 
 RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \
-    chown -R root:{{ .BeatName }} {{ $beatHome }} && \
-    find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \
-    find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \
-    chmod 0750 {{ $beatBinary }} && \
+    chown -R root:root {{ $beatHome }} && \
+    find {{ $beatHome }} -type d -exec chmod 0770 {} \; && \
+    find {{ $beatHome }} -type f -exec chmod 0660 {} \; && \
+    chmod 0770 {{ $beatBinary }} && \
 {{- if .linux_capabilities }}
     setcap {{ .linux_capabilities }} {{ $beatBinary }} && \
 {{- end }}
@@ -43,7 +43,7 @@ RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \
     chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/logs
 
 {{- if ne .user "root" }}
-RUN useradd -M --uid 1000 --gid 1000 --home {{ $beatHome }} {{ .user }}
+RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }}
 {{- end }}
 USER {{ .user }}