author | Timoney, Dan (dt5972) <dtimoney@att.com> | 2019-02-21 14:57:34 -0500 |
---|---|---|
committer | Timoney, Dan (dt5972) <dtimoney@att.com> | 2019-02-21 14:57:34 -0500 |
commit | 38e175fa6762c27b85df450002e6458d9b0a41d6 (patch) | |
tree | ffee3f46477dd521269f9a010d6c59ce71508b97 | |
parent | a794b4f8e543361e237f70aeae6bca2347f8dfee (diff) |
Run CCSDK dockers as non-root
Update CCSDK docker images to run as non-root user by default
Change-Id: Ia07c433a0e6f041d6684f24b765f4c1733b51162
Issue-ID: CCSDK-1099
Signed-off-by: Timoney, Dan (dt5972) <dtimoney@att.com>
-rw-r--r-- | ansible-server/src/main/Dockerfile | 11 | ||||
-rw-r--r-- | dgbuilder-docker/src/main/docker/Dockerfile | 7 | ||||
-rw-r--r-- | odlsli/odlsli-alpine/src/main/docker/Dockerfile | 8 | ||||
-rw-r--r-- | saltstack-server/src/main/docker/Dockerfile | 10 |
4 files changed, 29 insertions, 7 deletions
diff --git a/ansible-server/src/main/Dockerfile b/ansible-server/src/main/Dockerfile
index 4a9c4147..7ad66d30 100644
--- a/ansible-server/src/main/Dockerfile
+++ b/ansible-server/src/main/Dockerfile
@@ -19,12 +19,19 @@ RUN apk add --no-cache curl \
 pip install --no-cache-dir -r ansible-server/requirements.txt &&\
 apk del .build-deps
-COPY ansible-server ansible-server
-COPY configuration/ansible.cfg /etc/ansible/ansible.cfg
+RUN addgroup -S ansible && adduser -S ansible -G ansible
+COPY --chown=ansible:ansible ansible-server ansible-server
+COPY --chown=ansible:ansible configuration/ansible.cfg /etc/ansible/ansible.cfg
+
 WORKDIR /opt/ansible-server
 RUN mkdir /opt/onap ; ln -s /opt/ansible-server /opt/onap/ccsdk
+RUN echo > /var/log/ansible-server.log
+RUN chown ansible:ansible /var/log/ansible-server.log
+
+USER ansible:ansible
+
 EXPOSE 8000
diff --git a/dgbuilder-docker/src/main/docker/Dockerfile b/dgbuilder-docker/src/main/docker/Dockerfile
index 90ade01f..c1fd8dbd 100644
--- a/dgbuilder-docker/src/main/docker/Dockerfile
+++ b/dgbuilder-docker/src/main/docker/Dockerfile
@@ -2,12 +2,17 @@ FROM onap/ccsdk-ubuntu-image:${project.docker.latestfulltag.version}
 MAINTAINER CCSDK Team (onap-discuss@lists.onap.org)
+# Create non-root user
+RUN addgroup --system dgbuilder && adduser --system --ingroup dgbuilder dgbuilder
+
 # copy onap
-COPY opt /opt
+COPY --chown=dgbuilder:dgbuilder opt /opt
 WORKDIR /opt/onap/ccsdk/dgbuilder
 # Set the proxy if needed
 # RUN npm config set proxy http://your.proxy.com:8080
 #RUN npm install
 #ENTRYPOINT /bin/bash /opt/onap/ccsdk/dgbuilder/start sdnc1.0
+
+USER dgbuilder
 EXPOSE 3100
diff --git a/odlsli/odlsli-alpine/src/main/docker/Dockerfile b/odlsli/odlsli-alpine/src/main/docker/Dockerfile
index b9054670..2703a7d2 100644
--- a/odlsli/odlsli-alpine/src/main/docker/Dockerfile
+++ b/odlsli/odlsli-alpine/src/main/docker/Dockerfile
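Review bot: `USER ansible:ansible` records the user by name and `adduser -S` takes whichever free system UID Alpine hands out, so a runtime that enforces `runAsNonRoot: true` (Kubernetes) cannot verify from the image metadata that the user is non-root and refuses to start the container unless `runAsUser` is also set; pinning the IDs avoids that: `RUN addgroup -S -g 10001 ansible && adduser -S -u 10001 -G ansible ansible` and `USER 10001:10001`. The two-instruction log setup can be one layer that creates a genuinely empty file (`echo >` writes a newline into the log): `RUN touch /var/log/ansible-server.log && chown ansible:ansible /var/log/ansible-server.log`. Whether the ansible process also needs a writable home for its `~/.ansible` temp directory depends on the copied ansible.cfg, which is not visible here — worth confirming, since a BusyBox system user may not get a usable home directory.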
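Review bot: `COPY --chown=dgbuilder:dgbuilder opt /opt` hands the runtime user ownership of the entire application tree, so a compromised node process can rewrite its own code and start script rather than just its data; the least-privilege layout keeps `/opt` root-owned and world-readable and chowns only the directories dgbuilder writes at runtime. Which directories those are is not visible in this hunk, so narrowing the `--chown` needs a look at what the app and `start` script write. With `ENTRYPOINT` still commented out, the new `USER dgbuilder` only governs whatever command the base image or the operator supplies, so the non-root behaviour should be verified against the actual run command rather than this file alone.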
@@ -26,7 +26,7 @@ RUN sed -i -e "\|featuresRepositories|s|$|, ${CCSDK_SLI_CORE_REPO}, ${CCSDK_SLI_
 RUN sed -i -e "\|featuresBoot[^a-zA-Z]|s|$|,${ODL_BOOT_FEATURES_EXTRA}|" $ODL_HOME/etc/org.apache.karaf.features.cfg
 # Create odl user
-RUN adduser -S odl
+RUN addgroup -S odl && adduser -S odl -G odl
 # Install ansible
 #COPY ansible-sources.list /etc/apt/sources.list.d
@@ -46,9 +46,11 @@ RUN adduser -S odl
 # copy deliverables to opt
-COPY opt /opt
-COPY org.ops4j.pax.logging.cfg /opt/opendaylight/etc/org.ops4j.pax.logging.cfg
+COPY --chown=odl:odl opt /opt
+COPY --chown=odl:odl org.ops4j.pax.logging.cfg /opt/opendaylight/etc/org.ops4j.pax.logging.cfg
+RUN chown -R odl:odl /opt
+USER odl
 ENTRYPOINT /opt/onap/ccsdk/bin/startODL.sh
 EXPOSE 8181
diff --git a/saltstack-server/src/main/docker/Dockerfile b/saltstack-server/src/main/docker/Dockerfile
index eeebef4c..3226e472 100644
--- a/saltstack-server/src/main/docker/Dockerfile
+++ b/saltstack-server/src/main/docker/Dockerfile
@@ -10,4 +10,12 @@ RUN yum clean all && \
 EXPOSE 4505 4506
-CMD /usr/bin/salt-master -d; /bin/bash
+# Create non root user
+RUN groupadd --system saltstack && useradd --system -g saltstack saltstack
+RUN chown -R saltstack /etc/salt /var/cache/salt /var/log/salt
+RUN mkdir /var/run/salt && chown saltstack:saltstack /var/run/salt
+
+USER saltstack
+
+# Run salt-master in foreground (not as a daemon)
+CMD /usr/bin/salt-master
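Review bot: `RUN chown -R odl:odl /opt` repeats in a separate layer what the two `--chown` COPY lines just did, and because a chown changes file metadata the layer re-stores every file under `/opt` — including the OpenDaylight distribution — a second time, roughly doubling the image for that tree. If the intent is to cover files placed under `/opt` earlier in the build (outside this hunk), it is both cheaper and tighter to chown only the paths ODL writes at runtime, presumably `$ODL_HOME/data`, `$ODL_HOME/etc` and its log directory, and leave the rest of `/opt` root-owned and read-only for `odl`, so the service cannot rewrite its own distribution. Now that `startODL.sh` runs as `odl`, also confirm it does not try to write or chown anywhere outside the paths the user owns; the script itself is not visible here.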
\ No newline at end of file |
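Review bot: `CMD /usr/bin/salt-master` is shell form, so the master runs as a child of `/bin/sh -c`, is not PID 1 and never sees the SIGTERM from `docker stop`; the container is SIGKILLed after the grace period and the master cannot shut down cleanly. Exec form fixes that: `CMD ["/usr/bin/salt-master"]`. `chown -R saltstack /etc/salt` also makes the master's own configuration writable by the process that should only read it — keeping `/etc/salt/master` root-owned and chowning only the directories the master must write (its PKI/key store, if it lives under `/etc/salt` in this image) is the tighter split, though which paths exist there is not visible here. `useradd --system` without `-m` leaves the user with no home directory; whether salt-master needs one should be checked at runtime.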