authorChrisC <christophe.closset@intl.att.com>2020-03-17 14:23:42 +0100
committerChrisC <christophe.closset@intl.att.com>2020-03-24 13:37:37 +0100
commit48bcfb9d4b03ac3e2e6915f7bdf72599c8794d43 (patch)
treef0d2d8d6946ea76d6f54533538dff131c8a70cef
parent083a7eb21620467ae1f7d5ba9341e12f75f9cc41 (diff)
AAF non-root
update AAF service dockerfiles to run as user AAF, reusing existing script infra

Issue-ID: AAF-1102
Signed-off-by: ChrisC <christophe.closset@intl.att.com>, JulienBe <jb3179x@att.com>
Change-Id: I2d9feef65a98d4545e407825533cd1741f891b45
-rw-r--r--auth/auth-cass/cass_init/cmd.sh13
-rw-r--r--auth/auth-cass/cass_init/restore.sh2
-rw-r--r--auth/auth-cass/docker/Dockerfile.cass13
-rw-r--r--auth/auth-cass/docker/dbuild.sh4
-rw-r--r--auth/auth-cass/docker/dcqlsh.sh2
-rw-r--r--auth/docker/Dockerfile.agent2
-rw-r--r--auth/docker/Dockerfile.config2
-rw-r--r--auth/docker/Dockerfile.core2
-rw-r--r--auth/docker/Dockerfile.hello2
-rw-r--r--auth/helm/aaf-hello/templates/aaf-hello.yaml12
-rw-r--r--auth/helm/aaf/templates/aaf-cass.yaml17
-rw-r--r--auth/helm/aaf/templates/aaf-cm.yaml16
-rw-r--r--auth/helm/aaf/templates/aaf-fs.yaml16
-rw-r--r--auth/helm/aaf/templates/aaf-gui.yaml16
-rw-r--r--auth/helm/aaf/templates/aaf-locate.yaml16
-rw-r--r--auth/helm/aaf/templates/aaf-oauth.yaml16
-rw-r--r--auth/helm/aaf/templates/aaf-service.yaml16
17 files changed, 149 insertions, 18 deletions
diff --git a/auth/auth-cass/cass_init/cmd.sh b/auth/auth-cass/cass_init/cmd.sh
index 7569440f..f605a472 100644
--- a/auth/auth-cass/cass_init/cmd.sh
+++ b/auth/auth-cass/cass_init/cmd.sh
@@ -24,6 +24,7 @@
DIR="/opt/app/aaf/status"
INSTALLED_VERSION=/var/lib/cassandra/AAF_VERSION
AAF_INIT_DATA=/var/lib/cassandra/AAF_INIT_DATA
+CQLSH=${CQLSH:=/opt/cassandra/bin/cqlsh}
if [ ! -e /aaf_cmd ]; then
ln -s /opt/app/aaf/cass_init/cmd.sh /aaf_cmd
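Review bot: `CQLSH=${CQLSH:=/opt/cassandra/bin/cqlsh}` accepts any value from the environment but nothing checks that it is runnable, and every later use in this file feeds `$CQLSH ... | grep authz` into `[ -n ... ]`/`[ -z ... ]`, so a wrong path yields empty output that wait_cql reads as "not ready yet" and install_cql reads as "keyspace missing" (the hunks at `function wait_cql` and `function install_cql` below). A fail-fast check directly after the assignment keeps a misconfiguration from being mistaken for an empty database: `command -v "${CQLSH%% *}" >/dev/null 2>&1 || { echo "cqlsh not found: $CQLSH" >&2; exit 1; }`. The `:=` side-assignment is redundant on a line that already assigns CQLSH; `${CQLSH:-/opt/cassandra/bin/cqlsh}` expresses the intent without the double write. Since restore.sh redefines the same name with `-k authz` appended, this default must stay a bare path for the two scripts to compose.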
@@ -71,7 +72,7 @@ function wait_start {
function wait_cql {
status wait for keyspace to be initialized
for CNT in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
- if [ -n "$(cqlsh -e 'describe keyspaces' | grep authz)" ]; then
+ if [ -n "$($CQLSH -e 'describe keyspaces' | grep authz)" ]; then
break
else
echo "Waiting for Keyspaces to be loaded... Sleep 10"
@@ -96,11 +97,11 @@ function wait_ready {
function install_cql {
wait_start cassandra responsive
# Now, make sure data exists
- if [ ! -e $INSTALLED_VERSION ] && [ -n "$(cqlsh -e 'describe keyspaces' | grep authz)" ]; then
- cqlsh --request-timeout=60 -e 'DROP KEYSPACE authz'
+ if [ ! -e $INSTALLED_VERSION ] && [ -n "$($CQLSH -e 'describe keyspaces' | grep authz)" ]; then
+ $CQLSH --request-timeout=60 -e 'DROP KEYSPACE authz'
fi
- if [ -z "`cqlsh --request-timeout 60 -e 'describe keyspaces' | grep authz`" ]; then
+ if [ -z "$($CQLSH --request-timeout 60 -e 'describe keyspaces' | grep authz)" ]; then
status install
echo "Initializing Cassandra DB"
echo "Docker Installed Basic Cassandra on aaf.cass. Executing the following "
@@ -109,10 +110,10 @@ function install_cql {
echo " cd /opt/app/aaf/cass_init"
cd /opt/app/aaf/cass_init
echo " cqlsh -f keyspace.cql"
- cqlsh --request-timeout=100 -f keyspace.cql
+ $CQLSH --request-timeout=100 -f keyspace.cql
status keyspace installed
echo " cqlsh -f init.cql"
- cqlsh --request-timeout=100 -f init.cql
+ $CQLSH --request-timeout=100 -f init.cql
status data initialized
echo ""
echo "The following will give you a temporary identity with which to start working, or emergency"
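Review bot: The echoed command at `echo " cqlsh -f keyspace.cql"` no longer matches what actually runs on the next line, and neither `$CQLSH --request-timeout=100 -f keyspace.cql` nor the `-f init.cql` call has its exit status checked before `status keyspace installed` / `status data initialized` record success. Change the echoes to `echo " $CQLSH -f keyspace.cql"` (and likewise for init.cql) and guard each call, e.g. `$CQLSH --request-timeout=100 -f keyspace.cql || { echo "keyspace.cql failed" >&2; exit 1; }`, so a failed schema load is not marked as installed. The `cd /opt/app/aaf/cass_init` above them is likewise unchecked. install_cql starts and ends outside this hunk.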
diff --git a/auth/auth-cass/cass_init/restore.sh b/auth/auth-cass/cass_init/restore.sh
index abc6a7cc..ba2c49eb 100644
--- a/auth/auth-cass/cass_init/restore.sh
+++ b/auth/auth-cass/cass_init/restore.sh
@@ -4,7 +4,7 @@
echo `date`
ENV=DOCKER
-CQLSH="cqlsh -k authz"
+CQLSH="${CQLSH:=/opt/cassandra/bin/cqlsh} -k authz"
cd dats
if [ "$*" = "" ]; then
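Review bot: `CQLSH="${CQLSH:=/opt/cassandra/bin/cqlsh} -k authz"` uses `:=`, which first stores the bare default into CQLSH and then the outer assignment overwrites it with the `-k authz` form; `${CQLSH:-/opt/cassandra/bin/cqlsh}` is the intended read-with-default and avoids the two-step mutation. Because the variable now holds a command plus an argument, every use must stay unquoted and rely on word-splitting, which breaks if the cqlsh path ever contains whitespace; a bash array (`CQLSH=("${CQLSH:-/opt/cassandra/bin/cqlsh}" -k authz)` invoked as `"${CQLSH[@]}"`) is the robust form, though it touches every call site in the file. If CQLSH is ever exported to this script already carrying the `-k authz` suffix, it would be doubled here — worth confirming how restore.sh is invoked. The `cd dats` that follows is unchecked.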
diff --git a/auth/auth-cass/docker/Dockerfile.cass b/auth/auth-cass/docker/Dockerfile.cass
index 0f12d8c8..5d9c3db9 100644
--- a/auth/auth-cass/docker/Dockerfile.cass
+++ b/auth/auth-cass/docker/Dockerfile.cass
@@ -32,11 +32,16 @@ COPY aaf-auth-batch-*-full.jar /opt/app/aaf/cass_init/
COPY cass_data/*.dat /opt/app/aaf/cass_init/dats/
COPY sample.identities.dat /opt/app/aaf/cass_init/data/identites.dat
-RUN mkdir -p /opt/app/aaf/status && chmod 777 /opt/app/aaf/status && \
- addgroup ${USER} && adduser --no-create-home --ingroup ${USER} --disabled-password --gecos "" --shell /bin/bash ${USER} && \
- chown -R ${USER}:${USER} /opt/app/aaf/cass_init
-
+RUN mkdir -p /opt/app/aaf/status &&\
+ chmod 777 /opt/app/aaf/status && \
+ addgroup ${DUSER} && adduser --ingroup cassandra --disabled-password --gecos "" --shell /bin/bash ${DUSER} && \
+ chown -R ${DUSER}:cassandra /opt/app/aaf/cass_init &&\
+ chown -R ${DUSER}:cassandra /etc/cassandra &&\
+ mkdir -p /var/lib/cassandra/data && chown -R ${DUSER}:cassandra /var/lib/cassandra &&\
+ chown -R ${DUSER}:cassandra /var/log/cassandra &&\
+ ln -s /opt/app/aaf/cass_init/cmd.sh /aaf_cmd && chmod a+x /aaf_cmd
+USER ${DUSER}
ENTRYPOINT ["/bin/bash","/opt/app/aaf/cass_init/cmd.sh"]
CMD ["start"]
# Default is to start up with CQL setup only
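Review bot: `chmod 777 /opt/app/aaf/status` leaves the status directory world-writable even though the image now runs as a fixed user; with the rest of the RUN line chowning to `${DUSER}:cassandra`, `chown ${DUSER}:cassandra /opt/app/aaf/status && chmod 775 /opt/app/aaf/status` gives the service user and group the same access without exposing the directory to every other uid. `adduser` is called without a fixed uid (`--uid 1000` on Debian-style adduser), so the numeric id of `${DUSER}` is whatever the base image hands out next, while the helm init containers in this commit `chown -R 1000:1000` the mounted volumes; pinning the id, or reading it from one ARG on both sides, makes that dependency explicit rather than accidental. `addgroup ${DUSER}` creates a group that nothing then uses because the user is placed in `cassandra`, and `chown -R ${DUSER}:cassandra /etc/cassandra` hands the service user write access to its own configuration — a comment stating why root-owned read-only config is not sufficient would help the next reader.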
diff --git a/auth/auth-cass/docker/dbuild.sh b/auth/auth-cass/docker/dbuild.sh
index 7e2ac7c5..6a1ae1c1 100644
--- a/auth/auth-cass/docker/dbuild.sh
+++ b/auth/auth-cass/docker/dbuild.sh
@@ -25,7 +25,7 @@ if [ -e ../../docker/d.props ]; then
. ../../docker/d.props
fi
DOCKER=${DOCKER:-docker}
-
+
function SCP() {
SANS=${1/-SNAPSHOT/}
echo $1 = $SANS
@@ -52,7 +52,7 @@ echo "$0: DOCKER_PULL_REGISTRY=${DOCKER_REGISTRY}"
DIR=$(pwd)
cd ..
sed -e 's/${AAF_VERSION}/'${VERSION/-SNAPSHOT/}'/g' \
- -e 's/${USER}/'${USER}'/g' \
+ -e 's/${DUSER}/'${DUSER}'/g' \
-e 's/${REGISTRY}/'${DOCKER_PULL_REGISTRY}'/g' \
$DIR/Dockerfile.cass > Dockerfile
cd ..
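Review bot: `-e 's/${DUSER}/'${DUSER}'/g'` substitutes DUSER from d.props into the Dockerfile, but nothing asserts it is set; an empty DUSER turns the new `USER ${DUSER}` line in Dockerfile.cass into a bare `USER`, which fails the build with an unhelpful parser error, and the unquoted expansion would also corrupt the sed program on any whitespace. A guard before the sed, `: "${DUSER:?DUSER must be set in d.props}"`, fails early with a clear message. The same check presumably belongs in whatever sibling script builds the other dockerfiles that gained `USER ${DUSER}` in this commit.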
diff --git a/auth/auth-cass/docker/dcqlsh.sh b/auth/auth-cass/docker/dcqlsh.sh
index 2518eb90..c8708d75 100644
--- a/auth/auth-cass/docker/dcqlsh.sh
+++ b/auth/auth-cass/docker/dcqlsh.sh
@@ -22,5 +22,5 @@
if [ -e ../../docker/d.props ]; then
. ../../docker/d.props
fi
-${DOCKER:=docker} exec -it aaf-cass /usr/bin/cqlsh -k authz
+${DOCKER:=docker} exec -it aaf-cass ${CQLSH:=/usr/bin/cqlsh} -k authz
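Review bot: `${CQLSH:=/usr/bin/cqlsh}` defaults to a different path than the `${CQLSH:=/opt/cassandra/bin/cqlsh}` introduced in cmd.sh in this same commit, so unless both binaries exist in the aaf-cass image one of the two defaults is wrong; aligning them, or taking the value from d.props which this script already sources, avoids the split. CQLSH here is expanded on the host by the wrapper and names a path inside the container, so an operator setting it for cmd.sh also changes the `docker exec` command — a comment such as `# CQLSH: path to cqlsh inside the aaf-cass container` would make that explicit.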
diff --git a/auth/docker/Dockerfile.agent b/auth/docker/Dockerfile.agent
index ec5f24ea..e974dc49 100644
--- a/auth/docker/Dockerfile.agent
+++ b/auth/docker/Dockerfile.agent
@@ -31,5 +31,5 @@ COPY bin/aaf-cadi-servlet-sample-*-sample.jar /opt/app/aaf_config/bin/
COPY cert/*trust*.b64 /opt/app/aaf_config/cert/
RUN chmod 755 /opt/app/aaf_config/bin/* &&\
if [ -n "${DUSER}" ]; then chown -R ${DUSER}:${DUSER} /opt/app/aaf_config; fi
-
+USER ${DUSER}
CMD []
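Review bot: `USER ${DUSER}` is unconditional, while the RUN line just above still guards its chown with `if [ -n "${DUSER}" ]`, so the two disagree about whether an empty DUSER is allowed; with it empty the build now fails at the USER instruction, which makes the guard dead code. Either drop the `if` so the chown is also unconditional, or require the variable in the build script that substitutes it, so the failure mode is one clear message rather than a parser error. The same mismatch is present in Dockerfile.config, Dockerfile.core and Dockerfile.hello in this commit.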
diff --git a/auth/docker/Dockerfile.config b/auth/docker/Dockerfile.config
index 4bb7a940..b2263ecc 100644
--- a/auth/docker/Dockerfile.config
+++ b/auth/docker/Dockerfile.config
@@ -39,5 +39,5 @@ COPY bin/aaf-auth-batch-${JAR_VERSION}-full.jar /opt/app/aaf_config/bin/
RUN mkdir -p /opt/app/osaaf &&\
chmod 755 /opt/app/aaf_config/bin/*.sh &&\
if [ -n "${DUSER}" ]; then chown ${DUSER}:${DUSER} /opt/app/osaaf && chown -R ${DUSER}:${DUSER} /opt/app/aaf_config; fi
-
+USER ${DUSER}
CMD ["/bin/bash","/opt/app/aaf_config/bin/agent.sh"]
diff --git a/auth/docker/Dockerfile.core b/auth/docker/Dockerfile.core
index 5c66c8ca..4179c5e7 100644
--- a/auth/docker/Dockerfile.core
+++ b/auth/docker/Dockerfile.core
@@ -37,4 +37,4 @@ RUN mkdir -p /opt/app/osaaf &&\
&& chown ${DUSER}:${DUSER} /opt/app/osaaf \
&& chown -R ${DUSER}:${DUSER} /opt/app/aaf;\
fi
-
+USER ${DUSER}
diff --git a/auth/docker/Dockerfile.hello b/auth/docker/Dockerfile.hello
index 4b12a6f1..82d9a9f5 100644
--- a/auth/docker/Dockerfile.hello
+++ b/auth/docker/Dockerfile.hello
@@ -37,5 +37,5 @@ RUN mkdir -p /opt/app/osaaf &&\
&& chown ${DUSER}:${DUSER} /opt/app/osaaf \
&& chown -R ${DUSER}:${DUSER} /opt/app/aaf;\
fi
-
+USER ${DUSER}
CMD []
diff --git a/auth/helm/aaf-hello/templates/aaf-hello.yaml b/auth/helm/aaf-hello/templates/aaf-hello.yaml
index 3ff9a576..a79f39ed 100644
--- a/auth/helm/aaf-hello/templates/aaf-hello.yaml
+++ b/auth/helm/aaf-hello/templates/aaf-hello.yaml
@@ -56,6 +56,18 @@ spec:
persistentVolumeClaim:
claimName: aaf-hello-pvc
initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - |
+ chmod -R 775 /opt/app/osaaf
+ chown -R 1000:1000 /opt/app/osaaf
+ image: busybox:1.28
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: init-sysctl
+ volumeMounts:
+ - mountPath: /opt/app/osaaf
+ name: aaf-hello-vol
- name: aaf-hello-config
image: "{{ .Values.image.repository }}{{ .Values.service.agentImage }}"
imagePullPolicy: IfNotPresent
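Review bot: The init container is named `init-sysctl` but it only fixes ownership and mode on the mounted volume; `name: init-permissions` (or similar) would describe it, and the same name is reused in aaf-cass, aaf-cm, aaf-fs, aaf-gui, aaf-locate, aaf-oauth and aaf-service in this commit. `chown -R 1000:1000` hard-codes the uid/gid the service images are assumed to run as, which nothing in the chart ties to the image; lifting it into a chart value keeps the two in one place, and `securityContext.fsGroup` on the pod would give the volume the right group ownership without a root-running init container at all. `busybox:1.28` is pinned by tag only; pinning by digest would make this privileged step reproducible and tamper-evident. No `securityContext` is set on the init container, so it inherits the pod default, presumably root, which the chown needs but which should be stated explicitly (`securityContext: {runAsUser: 0}`) so it survives a later pod-level `runAsNonRoot` change.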
diff --git a/auth/helm/aaf/templates/aaf-cass.yaml b/auth/helm/aaf/templates/aaf-cass.yaml
index f795dfe5..ace21817 100644
--- a/auth/helm/aaf/templates/aaf-cass.yaml
+++ b/auth/helm/aaf/templates/aaf-cass.yaml
@@ -68,6 +68,23 @@ spec:
- name: aaf-status-vol
persistentVolumeClaim:
claimName: aaf-status-pvc
+ initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - |
+ chmod -R 775 /opt/app/aaf/status
+ chown -R 1000:1000 /opt/app/aaf/status
+ chmod -R 775 /var/lib/cassandra
+ chown -R 1000:1000 /var/lib/cassandra
+ image: busybox:1.28
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: init-sysctl
+ volumeMounts:
+ - mountPath: /opt/app/aaf/status
+ name: aaf-status-vol
+ - mountPath: /var/lib/cassandra
+ name: aaf-cass-vol
containers:
###
### AAF-CASS
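Review bot: `chmod -R 775 /var/lib/cassandra` and `chown -R 1000:1000 /var/lib/cassandra` walk the entire Cassandra data volume on every pod start, which grows with the dataset and makes restarts slower as data accumulates; the status volume is small, but the data directory should only be touched when ownership is actually wrong, e.g. `[ "$(stat -c %u /var/lib/cassandra)" = 1000 ] || chown -R 1000:1000 /var/lib/cassandra`. Making every data file group-writable (`775`) is also broader than needed once ownership is correct; `chown` alone with the files' existing mode is enough. The naming, hard-coded uid and missing `securityContext` points raised on aaf-hello.yaml apply here as well.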
diff --git a/auth/helm/aaf/templates/aaf-cm.yaml b/auth/helm/aaf/templates/aaf-cm.yaml
index ebb49835..e64da6cc 100644
--- a/auth/helm/aaf/templates/aaf-cm.yaml
+++ b/auth/helm/aaf/templates/aaf-cm.yaml
@@ -59,6 +59,22 @@ spec:
persistentVolumeClaim:
claimName: aaf-status-pvc
initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - |
+ chmod -R 775 /opt/app/aaf/status
+ chown -R 1000:1000 /opt/app/aaf/status
+ chmod -R 775 /opt/app/osaaf
+ chown -R 1000:1000 /opt/app/osaaf
+ image: busybox:1.28
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: init-sysctl
+ volumeMounts:
+ - mountPath: /opt/app/aaf/status
+ name: aaf-status-vol
+ - mountPath: /opt/app/osaaf
+ name: aaf-config-vol
- name: aaf-config-container
image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
imagePullPolicy: IfNotPresent
diff --git a/auth/helm/aaf/templates/aaf-fs.yaml b/auth/helm/aaf/templates/aaf-fs.yaml
index 479447de..e3973af0 100644
--- a/auth/helm/aaf/templates/aaf-fs.yaml
+++ b/auth/helm/aaf/templates/aaf-fs.yaml
@@ -59,6 +59,22 @@ spec:
persistentVolumeClaim:
claimName: aaf-status-pvc
initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - |
+ chmod -R 775 /opt/app/aaf/status
+ chown -R 1000:1000 /opt/app/aaf/status
+ chmod -R 775 /opt/app/osaaf
+ chown -R 1000:1000 /opt/app/osaaf
+ image: busybox:1.28
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: init-sysctl
+ volumeMounts:
+ - mountPath: /opt/app/osaaf
+ name: aaf-config-vol
+ - mountPath: /opt/app/aaf/status
+ name: aaf-status-vol
- name: aaf-config-container
image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
imagePullPolicy: IfNotPresent
diff --git a/auth/helm/aaf/templates/aaf-gui.yaml b/auth/helm/aaf/templates/aaf-gui.yaml
index 14c42599..93c1473f 100644
--- a/auth/helm/aaf/templates/aaf-gui.yaml
+++ b/auth/helm/aaf/templates/aaf-gui.yaml
@@ -60,6 +60,22 @@ spec:
persistentVolumeClaim:
claimName: aaf-status-pvc
initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - |
+ chmod -R 775 /opt/app/aaf/status
+ chown -R 1000:1000 /opt/app/aaf/status
+ chmod -R 775 /opt/app/osaaf
+ chown -R 1000:1000 /opt/app/osaaf
+ image: busybox:1.28
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: init-sysctl
+ volumeMounts:
+ - mountPath: /opt/app/osaaf
+ name: aaf-config-vol
+ - mountPath: /opt/app/aaf/status
+ name: aaf-status-vol
- name: aaf-config-container
image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
imagePullPolicy: IfNotPresent
diff --git a/auth/helm/aaf/templates/aaf-locate.yaml b/auth/helm/aaf/templates/aaf-locate.yaml
index d4f2bf66..57ba43d0 100644
--- a/auth/helm/aaf/templates/aaf-locate.yaml
+++ b/auth/helm/aaf/templates/aaf-locate.yaml
@@ -59,6 +59,22 @@ spec:
persistentVolumeClaim:
claimName: aaf-status-pvc
initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - |
+ chmod -R 775 /opt/app/aaf/status
+ chown -R 1000:1000 /opt/app/aaf/status
+ chmod -R 775 /opt/app/osaaf
+ chown -R 1000:1000 /opt/app/osaaf
+ image: busybox:1.28
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: init-sysctl
+ volumeMounts:
+ - mountPath: /opt/app/aaf/status
+ name: aaf-status-vol
+ - mountPath: /opt/app/osaaf
+ name: aaf-config-vol
- name: aaf-config-container
image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
imagePullPolicy: IfNotPresent
diff --git a/auth/helm/aaf/templates/aaf-oauth.yaml b/auth/helm/aaf/templates/aaf-oauth.yaml
index 4d5ac75a..ab21e3ab 100644
--- a/auth/helm/aaf/templates/aaf-oauth.yaml
+++ b/auth/helm/aaf/templates/aaf-oauth.yaml
@@ -59,6 +59,22 @@ spec:
persistentVolumeClaim:
claimName: aaf-status-pvc
initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - |
+ chmod -R 775 /opt/app/aaf/status
+ chown -R 1000:1000 /opt/app/aaf/status
+ chmod -R 775 /opt/app/osaaf
+ chown -R 1000:1000 /opt/app/osaaf
+ image: busybox:1.28
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: init-sysctl
+ volumeMounts:
+ - mountPath: /opt/app/aaf/status
+ name: aaf-status-vol
+ - mountPath: /opt/app/osaaf
+ name: aaf-config-vol
- name: aaf-config-container
image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
imagePullPolicy: IfNotPresent
diff --git a/auth/helm/aaf/templates/aaf-service.yaml b/auth/helm/aaf/templates/aaf-service.yaml
index 96efa75c..f4772d67 100644
--- a/auth/helm/aaf/templates/aaf-service.yaml
+++ b/auth/helm/aaf/templates/aaf-service.yaml
@@ -58,6 +58,22 @@ spec:
persistentVolumeClaim:
claimName: aaf-status-pvc
initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - |
+ chmod -R 775 /opt/app/aaf/status
+ chown -R 1000:1000 /opt/app/aaf/status
+ chmod -R 775 /opt/app/osaaf
+ chown -R 1000:1000 /opt/app/osaaf
+ image: busybox:1.28
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: init-sysctl
+ volumeMounts:
+ - mountPath: /opt/app/aaf/status
+ name: aaf-status-vol
+ - mountPath: /opt/app/osaaf
+ name: aaf-config-vol
- name: aaf-config-container
image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
imagePullPolicy: IfNotPresent