From 0973cd1d23c2917c840cf21630d8c565732bbe1b Mon Sep 17 00:00:00 2001 From: jananib Date: Thu, 16 Apr 2020 01:10:29 +0530 Subject: Making POD run as non-root Non-root user addition Change-Id: I45ebc75940c020fdda79fbe454461a19df39c525 Issue-ID: CCSDK-2149 Signed-off-by: jananib (cherry picked from commit b21a8dcb57767134eca44de57b863b457db6b88e) --- ms/command-executor/src/main/docker/Dockerfile | 5 ++++- ms/py-executor/docker/Dockerfile | 6 +++++- 2 files changed, 9 insertions(+), 2 deletions(-) (limited to 'ms') diff --git a/ms/command-executor/src/main/docker/Dockerfile b/ms/command-executor/src/main/docker/Dockerfile index 70cf943f6..c38126066 100644 --- a/ms/command-executor/src/main/docker/Dockerfile +++ b/ms/command-executor/src/main/docker/Dockerfile @@ -5,10 +5,13 @@ RUN python -m pip install --upgrade pip RUN pip install grpcio==${GRPC_PYTHON_VERSION} grpcio-tools==${GRPC_PYTHON_VERSION} RUN pip install virtualenv==16.7.9 +RUN groupadd -r onap && useradd -r -g onap onap + COPY start.sh /opt/app/onap/start.sh RUN chmod u+x /opt/app/onap/start.sh RUN mkdir -p /opt/app/onap/logs/ && touch /opt/app/onap/logs/application.log +RUN chown onap:onap /opt -R COPY @project.build.finalName@-@assembly.id@.tar.gz /source.tar.gz RUN tar -xzf /source.tar.gz -C /tmp \ @@ -17,5 +20,5 @@ RUN tar -xzf /source.tar.gz -C /tmp \ && rm -rf /tmp/@project.build.finalName@ VOLUME /opt/app/onap/blueprints/deploy/ - +USER onap ENTRYPOINT /opt/app/onap/start.sh diff --git a/ms/py-executor/docker/Dockerfile b/ms/py-executor/docker/Dockerfile index 043e15d53..bb1b0f79c 100644 --- a/ms/py-executor/docker/Dockerfile +++ b/ms/py-executor/docker/Dockerfile @@ -1,5 +1,7 @@ FROM python:3.7-slim +RUN groupadd -r onap && useradd -r -g onap onap + RUN mkdir -p /opt/app/onap/logs/ && touch /opt/app/onap/logs/application.log COPY @project.build.finalName@-@assembly.id@.tar.gz /source.tar.gz 
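Review bot: In the command-executor Dockerfile the added `RUN chown onap:onap /opt -R` runs before the tarball `COPY` and the `RUN tar` step, so anything placed under `/opt` afterwards stays root-owned, and so does `/opt/app/onap/blueprints/deploy/` if it is first created by `VOLUME`. The `mv` lines of the tar step fall outside this hunk, so the target path is inferred, but if it is under `/opt/app/onap` the `onap` user may be unable to write to the deploy directory. py-executor does not have this ordering, because its chown follows extraction. I would move the ownership step below the tar `RUN` and create the volume directory first, e.g. `RUN mkdir -p /opt/app/onap/blueprints/deploy && chown -R onap:onap /opt/app/onap/logs /opt/app/onap/blueprints/deploy`.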
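Review bot: `USER onap` switches by account name, and the `useradd -r` lines added in the first hunk and in py-executor leave the UID to whatever system ID the base image hands out. A pod that sets `runAsNonRoot: true` without an explicit `runAsUser` cannot verify a non-numeric image user, and the kubelet then refuses to start the container, which works against the goal stated in the subject line. Pinning the IDs and switching by number avoids this, for example `RUN groupadd -r -g 1000 onap && useradd -r -u 1000 -g onap onap` with `USER 1000:1000` (1000 is an example value; use the one the deployment's securityContext expects). The same change applies to `USER onap` in ms/py-executor/docker/Dockerfile.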
@@ -10,6 +12,8 @@ RUN tar -xzf /source.tar.gz -C /tmp \ RUN pip install --no-cache-dir -r /opt/app/onap/python/requirements/docker.txt -VOLUME /opt/app/onap/blueprints/deploy/ +RUN chown onap:onap /opt -R +VOLUME /opt/app/onap/blueprints/deploy/ +USER onap ENTRYPOINT /opt/app/onap/python/start.sh -- cgit 1.2.3-korg
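Review bot: `RUN chown onap:onap /opt -R` after the pip step gives the runtime user ownership of everything under `/opt`, including `/opt/app/onap/python/start.sh` and the unpacked executor code. A process running as `onap` (which presumably executes blueprint-supplied content) could then modify its own entrypoint and modules. From the visible lines only the log file and the deploy volume look like they need to be writable, so the ownership change can be limited to those, e.g. `RUN mkdir -p /opt/app/onap/blueprints/deploy && chown -R onap:onap /opt/app/onap/logs /opt/app/onap/blueprints/deploy`, which keeps the code root-owned and read-only to the service. A recursive chown in its own `RUN` also copies every touched file into a new layer. The chown in the command-executor Dockerfile is equally broad.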