authorKanagaraj Manickam <mkr1481@gamil.com>2020-03-17 11:27:39 +0530
committerKanagaraj Manickam k00365106 <kanagaraj.manickam@huawei.com>2020-03-17 11:27:39 +0530
commit9327c267576da71a249b5bbcb4b1fed104b170f1 (patch)
tree4ad69bbc6f79188bfc39cedfac39e22548d622d4 /deployment/docker/src/main/docker
parent9f0a1b5d1c8b6d529d3cdc374f8b79d56d878b7e (diff)
Make non-root user
Issue-ID: CLI-255 Change-Id: Idc3e7d57ee3ab118d0ca134c171fabdfdfd071a0 Signed-off-by: Kanagaraj Manickam k00365106 <kanagaraj.manickam@huawei.com>
Diffstat (limited to 'deployment/docker/src/main/docker')
-rw-r--r--deployment/docker/src/main/docker/Dockerfile45
1 files changed, 26 insertions, 19 deletions
diff --git a/deployment/docker/src/main/docker/Dockerfile b/deployment/docker/src/main/docker/Dockerfile
index d66919ad..a3497fff 100644
--- a/deployment/docker/src/main/docker/Dockerfile
+++ b/deployment/docker/src/main/docker/Dockerfile
@@ -14,6 +14,14 @@
FROM openjdk:11.0.5-jre-slim
+RUN apt-get update && apt-get install -y sudo
+
+RUN groupadd -r ocomp && useradd -m --no-log-init -r -g ocomp ocomp && \
+ usermod -aG sudo ocomp && echo "ocomp ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
+ chmod -R 777 /usr/local/
+
+USER ocomp
+
ENV OPEN_CLI_HOME=/opt/oclip \
OPEN_CLI_DEBUG=false \
OPEN_CLI_DEBUG_PORT=5005 \
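Review bot: `echo "ocomp ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers` leaves the `ocomp` account one `sudo` call away from root, so the `USER ocomp` added below it does not reduce privilege in practice. The second hunk depends on that rule both at build time (`sudo apt-get`, `sudo cp`) and at run time (`sudo service lighttpd start` in the ENTRYPOINT, alongside `gotty -t --permit-write`), so sudo cannot be stripped from the final image as written. `chmod -R 777 /usr/local/` also makes directories on the default PATH world-writable, which lets any process in the container replace the binaries linked there. The commit's intent is better served by reducing this RUN to `RUN groupadd -r ocomp && useradd -m --no-log-init -r -g ocomp ocomp`, running the root-only steps without sudo, and moving `USER ocomp` below the last of them. If lighttpd must then be started by the unprivileged user, it presumably needs an unprivileged port and writable log and pid paths; the lighttpd configuration is not visible here.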
@@ -25,38 +33,37 @@ ENV OPEN_CLI_HOME=/opt/oclip \
ADD ./STAGE $OPEN_CLI_HOME
WORKDIR $OPEN_CLI_HOME
-RUN apt-get update && apt-get install -y lighttpd git curl pandoc vim && \
+RUN sudo apt-get install -y lighttpd git curl pandoc vim && \
cd /tmp && curl -O https://storage.googleapis.com/golang/go1.9.linux-amd64.tar.gz && \
tar -xvf go1.9.linux-amd64.tar.gz && mkdir -p /tmp/gotty && \
GOPATH=/tmp/gotty /tmp/go/bin/go get github.com/yudai/gotty && \
- mv /tmp/gotty/bin/gotty /usr/sbin/ && \
- pandoc -t plain $OPEN_CLI_HOME/docs/README.md > $OPEN_CLI_HOME/docs/oclip-readme.txt && \
- apt-get purge -y pandoc && apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/go /tmp/gotty /tmp/* /var/tmp/* && \
+ mv /tmp/gotty/bin/gotty /usr/local/bin/ && \
+ sudo chown -R ocomp:ocomp $OPEN_CLI_HOME && pandoc -t plain $OPEN_CLI_HOME/docs/README.md > $OPEN_CLI_HOME/docs/oclip-readme.txt && \
+ sudo apt-get purge -y pandoc && sudo apt-get autoremove -y && sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/* /tmp/go /tmp/gotty /tmp/* /var/tmp/* && \
chmod +x $OPEN_CLI_HOME/bin/oclip.sh && \
chmod +x $OPEN_CLI_HOME/bin/oclip-rcli.sh && \
chmod +x $OPEN_CLI_HOME/bin/oclip-grpc-server.sh && \
- ln $OPEN_CLI_HOME/bin/oclip.sh /usr/sbin/oclip && \
- ln $OPEN_CLI_HOME/bin/oclip.sh /usr/sbin/onap && \
- ln $OPEN_CLI_HOME/bin/oclip-grpc-server.sh /usr/sbin/oclip-grpc && \
- ln $OPEN_CLI_HOME/bin/oclip-rcli.sh /usr/sbin/oclipr && \
+ ln $OPEN_CLI_HOME/bin/oclip.sh /usr/local/bin/oclip && \
+ ln $OPEN_CLI_HOME/bin/oclip.sh /usr/local/bin/onap && \
+ ln $OPEN_CLI_HOME/bin/oclip-grpc-server.sh /usr/local/bin/oclip-grpc && \
if [ ! -d $OPEN_CLI_HOME/data ]; then mkdir $OPEN_CLI_HOME/data; fi && \
if [ ! -d $OPEN_CLI_HOME/open-cli-schema ]; then mkdir $OPEN_CLI_HOME/open-cli-schema; fi && \
- if [ ! -f /var/log/lighttpd/access.log ]; then touch /var/log/lighttpd/access.log; fi && \
- cp /etc/lighttpd/conf-available/10-accesslog.conf /etc/lighttpd/conf-enabled/ && \
- cp $OPEN_CLI_HOME/http/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf && \
- if [ ! -d /var/www-data/servers/open-cli/ ]; then mkdir -p /var/www-data/servers/open-cli/; fi && \
- cp $OPEN_CLI_HOME/http/web/*.* /var/www-data/servers/open-cli/ && \
- cp $OPEN_CLI_HOME/http/lighttpd/10-proxy.conf /etc/lighttpd/conf-enabled/ && \
- cp $OPEN_CLI_HOME/installer/cli-*.zip /var/www-data/servers/open-cli/oclip.zip && \
+ sudo touch /var/log/lighttpd/access.log && \
+ sudo cp /etc/lighttpd/conf-available/10-accesslog.conf /etc/lighttpd/conf-enabled/ && \
+ sudo cp $OPEN_CLI_HOME/http/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf && \
+ sudo mkdir -p /var/www-data/servers/open-cli/ && \
+ sudo cp $OPEN_CLI_HOME/http/web/*.* /var/www-data/servers/open-cli/ && \
+ sudo cp $OPEN_CLI_HOME/http/lighttpd/10-proxy.conf /etc/lighttpd/conf-enabled/ && \
+ sudo cp $OPEN_CLI_HOME/installer/cli-*.zip /var/www-data/servers/open-cli/oclip.zip && \
cp $OPEN_CLI_HOME/http/web/ocomp.crt ~/.gotty.crt && \
cp $OPEN_CLI_HOME/http/web/ocomp.key ~/.gotty.key && \
- cat $OPEN_CLI_HOME/http/web/ocomp.key $OPEN_CLI_HOME/http/web/ocomp.crt > /etc/lighttpd/ocomp.pem
+ sudo cp $OPEN_CLI_HOME/http/web/ocomp.pem /etc/lighttpd/ocomp.pem
#openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout ~/.ocomp.key -out ~/.ocomp.crt -subj "/C=IN/ST=KA/L=BLR/O=CLI/CN=onap"
EXPOSE 80
EXPOSE 8080
EXPOSE 50051
-ENTRYPOINT if [ "$OPEN_CLI_MODE" = "daemon" ]; then service lighttpd start; gotty -t --permit-write --reconnect oclip; \
- elif [ "$OPEN_CLI_MODE" = "ocs-web" ]; then echo "****** OCLIP Web Command Server ******"; service lighttpd start; \
+ENTRYPOINT if [ "$OPEN_CLI_MODE" = "daemon" ]; then sudo service lighttpd start; gotty -t --permit-write --reconnect oclip; \
+ elif [ "$OPEN_CLI_MODE" = "ocs-web" ]; then echo "****** OCLIP Web Command Server ******"; sudo service lighttpd start; \
elif [ "$OPEN_CLI_MODE" = "ocs-grpc" ]; then echo "****** OCLIP gRPC Command Server ******"; oclip-grpc; \
- elif [ "$OPEN_CLI_MODE" = "occ" ]; then echo "****** OCLIP Web Command Console (OCC) ******"; gotty --permit-write --reconnect oclip; \
+ elif [ "$OPEN_CLI_MODE" = "occ" ]; then echo "****** OCLIP Web Command Console (OCC) ******"; gotty -t --permit-write --reconnect oclip; \
else echo "****** OCLIP Command Shell******"; oclip -v && /bin/bash; fi
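Review bot: The added `sudo cp $OPEN_CLI_HOME/http/web/ocomp.pem /etc/lighttpd/ocomp.pem`, together with the unchanged `cp ... ocomp.key ~/.gotty.key` above it, bakes TLS private-key material from the build context into the image, so every copy of the image carries the same key. After `sudo chown -R ocomp:ocomp $OPEN_CLI_HOME` that material is also owned by the account that serves the gotty terminal. Presumably `ocomp.pem` is the key-plus-certificate file the removed `cat` line used to assemble; consider generating or mounting the key and certificate at container start, or at least marking them with a comment such as `# TLS key/cert shipped in STAGE are for demo use only; mount real ones at runtime`. Separately, `sudo apt-get install -y lighttpd ...` now relies on package lists from the earlier `apt-get update` layer, which can be stale when that layer is served from cache; `sudo apt-get update && sudo apt-get install -y lighttpd git curl pandoc vim && \` keeps both in one layer. The `ln` to `/usr/sbin/oclipr` is also removed with no `/usr/local/bin/oclipr` replacement while `chmod +x $OPEN_CLI_HOME/bin/oclip-rcli.sh` stays, which looks unintended.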