authorTimoney, Dan (dt5972) <dtimoney@att.com>2019-02-21 14:57:34 -0500
committerTimoney, Dan (dt5972) <dtimoney@att.com>2019-02-21 14:57:34 -0500
commit38e175fa6762c27b85df450002e6458d9b0a41d6 (patch)
treeffee3f46477dd521269f9a010d6c59ce71508b97
parenta794b4f8e543361e237f70aeae6bca2347f8dfee (diff)
Run CCSDK dockers as non-root
Update CCSDK docker images to run as non-root user by default Change-Id: Ia07c433a0e6f041d6684f24b765f4c1733b51162 Issue-ID: CCSDK-1099 Signed-off-by: Timoney, Dan (dt5972) <dtimoney@att.com>
-rw-r--r--ansible-server/src/main/Dockerfile11
-rw-r--r--dgbuilder-docker/src/main/docker/Dockerfile7
-rw-r--r--odlsli/odlsli-alpine/src/main/docker/Dockerfile8
-rw-r--r--saltstack-server/src/main/docker/Dockerfile10
4 files changed, 29 insertions, 7 deletions
diff --git a/ansible-server/src/main/Dockerfile b/ansible-server/src/main/Dockerfile
index 4a9c4147..7ad66d30 100644
--- a/ansible-server/src/main/Dockerfile
+++ b/ansible-server/src/main/Dockerfile
@@ -19,12 +19,19 @@ RUN apk add --no-cache curl \
pip install --no-cache-dir -r ansible-server/requirements.txt &&\
apk del .build-deps
-COPY ansible-server ansible-server
-COPY configuration/ansible.cfg /etc/ansible/ansible.cfg
+RUN addgroup -S ansible && adduser -S ansible -G ansible
+COPY --chown=ansible:ansible ansible-server ansible-server
+COPY --chown=ansible:ansible configuration/ansible.cfg /etc/ansible/ansible.cfg
+
WORKDIR /opt/ansible-server
RUN mkdir /opt/onap ; ln -s /opt/ansible-server /opt/onap/ccsdk
+RUN echo > /var/log/ansible-server.log
+RUN chown ansible:ansible /var/log/ansible-server.log
+
+USER ansible:ansible
+
EXPOSE 8000
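Review bot: `USER ansible:ansible` names the account instead of giving a numeric UID, and `adduser -S` takes whatever system UID is free, so a Kubernetes pod that sets `runAsNonRoot: true` cannot verify the image is non-root and will refuse to start it. Pinning the IDs fixes that and keeps file ownership stable across rebuilds: `RUN addgroup -S -g 10001 ansible && adduser -S -u 10001 -G ansible ansible` followed by `USER 10001:10001` (10001 is an example value; pick one per project policy). The same applies to `USER dgbuilder`, `USER odl` and `USER saltstack` in the other three Dockerfiles of this commit. The `FROM` line and the earlier part of this Dockerfile are outside the hunk.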
diff --git a/dgbuilder-docker/src/main/docker/Dockerfile b/dgbuilder-docker/src/main/docker/Dockerfile
index 90ade01f..c1fd8dbd 100644
--- a/dgbuilder-docker/src/main/docker/Dockerfile
+++ b/dgbuilder-docker/src/main/docker/Dockerfile
@@ -2,12 +2,17 @@
FROM onap/ccsdk-ubuntu-image:${project.docker.latestfulltag.version}
MAINTAINER CCSDK Team (onap-discuss@lists.onap.org)
+# Create non-root user
+RUN addgroup --system dgbuilder && adduser --system --ingroup dgbuilder dgbuilder
+
# copy onap
-COPY opt /opt
+COPY --chown=dgbuilder:dgbuilder opt /opt
WORKDIR /opt/onap/ccsdk/dgbuilder
# Set the proxy if needed
# RUN npm config set proxy http://your.proxy.com:8080
#RUN npm install
#ENTRYPOINT /bin/bash /opt/onap/ccsdk/dgbuilder/start sdnc1.0
+
+USER dgbuilder
EXPOSE 3100
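Review bot: `COPY --chown=dgbuilder:dgbuilder opt /opt` makes the runtime account the owner of the whole `/opt` tree, application code and start scripts included, so a process compromised at runtime can rewrite the code it runs on the next start. Dropping root helps most when the code stays root-owned and read-only to the service account, with ownership granted only on the directories the service writes to. Which paths DG Builder needs writable is not visible in this hunk, so that needs confirming; a comment such as `# dgbuilder owns only <WRITABLE_DIR>; the rest of /opt stays root-owned` above a narrower `COPY --chown` would record the intent. The `COPY --chown` lines in ansible-server (including `/etc/ansible/ansible.cfg`) and odlsli follow the same pattern.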
diff --git a/odlsli/odlsli-alpine/src/main/docker/Dockerfile b/odlsli/odlsli-alpine/src/main/docker/Dockerfile
index b9054670..2703a7d2 100644
--- a/odlsli/odlsli-alpine/src/main/docker/Dockerfile
+++ b/odlsli/odlsli-alpine/src/main/docker/Dockerfile
@@ -26,7 +26,7 @@ RUN sed -i -e "\|featuresRepositories|s|$|, ${CCSDK_SLI_CORE_REPO}, ${CCSDK_SLI_
RUN sed -i -e "\|featuresBoot[^a-zA-Z]|s|$|,${ODL_BOOT_FEATURES_EXTRA}|" $ODL_HOME/etc/org.apache.karaf.features.cfg
# Create odl user
-RUN adduser -S odl
+RUN addgroup -S odl && adduser -S odl -G odl
# Install ansible
#COPY ansible-sources.list /etc/apt/sources.list.d
@@ -46,9 +46,11 @@ RUN adduser -S odl
# copy deliverables to opt
-COPY opt /opt
-COPY org.ops4j.pax.logging.cfg /opt/opendaylight/etc/org.ops4j.pax.logging.cfg
+COPY --chown=odl:odl opt /opt
+COPY --chown=odl:odl org.ops4j.pax.logging.cfg /opt/opendaylight/etc/org.ops4j.pax.logging.cfg
+RUN chown -R odl:odl /opt
+USER odl
ENTRYPOINT /opt/onap/ccsdk/bin/startODL.sh
EXPOSE 8181
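Review bot: `RUN chown -R odl:odl /opt` directly follows two `COPY --chown=odl:odl` lines, so it adds nothing for the copied files, yet it touches the metadata of the entire tree in a new layer, which can store a second copy of every file it touches and grow the image. If it is there because earlier steps (outside this hunk) populate `/opt/opendaylight` as root, setting ownership in the step that creates those files avoids the extra layer. Limiting the chown to the directories the controller writes to would also leave the rest of `/opt` read-only to `odl`. A short comment above the line saying which root-owned paths it is meant to fix would help the next reader.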
diff --git a/saltstack-server/src/main/docker/Dockerfile b/saltstack-server/src/main/docker/Dockerfile
index eeebef4c..3226e472 100644
--- a/saltstack-server/src/main/docker/Dockerfile
+++ b/saltstack-server/src/main/docker/Dockerfile
@@ -10,4 +10,12 @@ RUN yum clean all && \
EXPOSE 4505 4506
-CMD /usr/bin/salt-master -d; /bin/bash
+# Create non root user
+RUN groupadd --system saltstack && useradd --system -g saltstack saltstack
+RUN chown -R saltstack /etc/salt /var/cache/salt /var/log/salt
+RUN mkdir /var/run/salt && chown saltstack:saltstack /var/run/salt
+
+USER saltstack
+
+# Run salt-master in foreground (not as a daemon)
+CMD /usr/bin/salt-master
\ No newline at end of file
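Review bot: The new `CMD /usr/bin/salt-master` is still shell form, so the master is launched through `/bin/sh -c` and whether it receives the stop signal from `docker stop` depends on how that shell handles a single command; exec form `CMD ["/usr/bin/salt-master"]` starts it directly as PID 1. Salt also has to be told to run as this account: unless `/etc/salt/master` (not visible in this hunk) sets `user: saltstack`, the master will probably try to switch to its configured user and fail to start, which is worth confirming. `mkdir /var/run/salt` will fail the build if the package already created that directory, so `mkdir -p` is safer. The three `RUN` lines can also be one layer.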