authorAndrew Gauld <agauld@att.com>2020-03-27 15:30:36 +0000
committerAndrew Gauld <agauld@att.com>2020-03-27 15:42:57 +0000
commitf6a8a8322d09d5f6012167d298dea6f0471cb82c (patch)
tree0b54d532635e0657db3fc05cb46e2529b92d1ee2
parent715442db4147980f3fb17a240a396a8e826f0f04 (diff)
Update images to run as non-root2.12.11.0.2
Images updated and the new versions are: adapter.acumos:1.0.2 mod.distributorapi:1.0.1 mod.onboardingapi:2.12.1 mod.designtool-web:1.0.2 mod.genprocessor-job:1.0.1 mod.genprocessor-http:1.0.1 mod.runtime-web:1.0.2 Note: image names all start with "onap/org.onap.dcaegen2.platform." designtool-web was already running as a non-root user. The others have been changed to create user "dcaemod" and run as that user. The listen port numbers on mod.distributorapi, mod.onboardingapi, and mod.genprocessor-http are changed from 80 to 8080. URLs in designtool-web, distributorapi, and genprocessor-job are adjusted to reflect the new port numbers. Change-Id: I510122952666c21cb92f3f64552e99d50af7c355 Issue-ID: DCAEGEN2-2170 Signed-off-by: Andrew Gauld <agauld@att.com>
-rw-r--r--adapter/acumos/Changelog.md2
-rw-r--r--adapter/acumos/Dockerfile7
-rw-r--r--adapter/acumos/README.md2
-rw-r--r--adapter/acumos/aoconversion/scanner.py4
-rw-r--r--adapter/acumos/pom.xml2
-rw-r--r--adapter/acumos/setup.py2
-rw-r--r--mod/designtool/designtool-web/pom.xml3
-rwxr-xr-xmod/designtool/designtool-web/sh/start.sh11
-rw-r--r--mod/distributorapi/Changelog.md10
-rw-r--r--mod/distributorapi/Dockerfile9
-rw-r--r--mod/distributorapi/distributor/config.py2
-rw-r--r--mod/distributorapi/distributor/http.py2
-rw-r--r--mod/distributorapi/distributor/version.py2
-rw-r--r--mod/distributorapi/pom.xml2
-rw-r--r--mod/genprocessor/nginx.conf2
-rw-r--r--mod/genprocessor/pom.xml12
-rw-r--r--mod/onboardingapi/ChangeLog.md4
-rw-r--r--mod/onboardingapi/Dockerfile18
-rw-r--r--mod/onboardingapi/dcae_cli/_version.py2
-rw-r--r--mod/onboardingapi/dcae_cli/http.py2
-rw-r--r--mod/onboardingapi/pom.xml2
-rwxr-xr-xmod/onboardingapi/start.sh1
-rw-r--r--mod/runtimeapi/runtime-web/pom.xml6
23 files changed, 74 insertions, 35 deletions
diff --git a/adapter/acumos/Changelog.md b/adapter/acumos/Changelog.md
index e900ad7..55bafa8 100644
--- a/adapter/acumos/Changelog.md
+++ b/adapter/acumos/Changelog.md
@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).
+## [1.0.2] - 3/26/2020
+ * Run as non-root
## [1.0.1] - 3/20/2020
* Adjust URL paths for consistency with DCAE GEN design tool
## [1.0.0] - 11/13/2019
diff --git a/adapter/acumos/Dockerfile b/adapter/acumos/Dockerfile
index 7ec9656..d1a0984 100644
--- a/adapter/acumos/Dockerfile
+++ b/adapter/acumos/Dockerfile
@@ -17,6 +17,8 @@
# ============LICENSE_END======================================================
FROM python:3.7
+ARG UID=1000
+ARG GID=1000
COPY setup.py /tmp/build/
COPY aoconversion/ /tmp/build/aoconversion/
RUN apt-get update && \
@@ -26,9 +28,12 @@ RUN apt-get update && \
cd /tmp/build/ && \
python setup.py install && \
cd / && \
- rm -rf /tmp/*
+ rm -rf /tmp/* && \
+ groupadd -g $GID dcaemod && \
+ useradd -s /bin/bash -u $UID -g $GID -m dcaemod
EXPOSE 9000
ENV PYTHONUNBUFFERED TRUE
+USER dcaemod
ENTRYPOINT [ "/usr/local/bin/acumos-adapter" ]
CMD [ "/run/config/config.yaml" ]
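Review bot: `USER dcaemod` in this hunk names the account rather than its numeric ID, so an orchestrator that enforces a non-root policy (Kubernetes `runAsNonRoot`, for example) cannot verify the image and may refuse to start it. Since `UID` and `GID` are already build arguments, `USER $UID:$GID` keeps the same account while making the non-root property checkable. The same applies to `USER dcaemod` in mod/distributorapi/Dockerfile and mod/onboardingapi/Dockerfile, and to the `<user>dcaemod</user>` entries in the genprocessor and runtime-web poms.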
diff --git a/adapter/acumos/README.md b/adapter/acumos/README.md
index 55490ba..2de3845 100644
--- a/adapter/acumos/README.md
+++ b/adapter/acumos/README.md
@@ -56,7 +56,7 @@ This operates in 2 modes:
Gateway of the ACUMOS instance.
certfile - The file path for the PEM file containing the private key, etc.
dockerhost - (optional) The URL for the docker host. By default,
- unix:///var/run/docker.sock.
+ tcp://localhost:2375.
dockerregistry - The host:port for the ONAP docker registry.
dockeruser - The user ID for uploading images to the docker registry.
dockerpass - The password for uploading images to the docker registry.
diff --git a/adapter/acumos/aoconversion/scanner.py b/adapter/acumos/aoconversion/scanner.py
index 41f18de..cf3ac79 100644
--- a/adapter/acumos/aoconversion/scanner.py
+++ b/adapter/acumos/aoconversion/scanner.py
@@ -47,7 +47,7 @@ class Config(object):
Configuration parameters as attributes, make sure the required ones are there,
populate defaults.
"""
- def __init__(self, dcaeurl, dcaeuser, onboardingurl, onboardinguser, onboardingpass, certfile, dockerregistry, dockeruser, dockerpass, acumosurl=None, interval=900, dockerhost='unix:///var/run/docker.sock', tmpdir='/var/tmp/aoadapter', certverify=True, catalogs=None, port=None, **extras):
+ def __init__(self, dcaeurl, dcaeuser, onboardingurl, onboardinguser, onboardingpass, certfile, dockerregistry, dockeruser, dockerpass, acumosurl=None, interval=900, dockerhost='tcp://localhost:2375', tmpdir='/var/tmp/aoadapter', certverify=True, catalogs=None, port=None, **extras):
self.dcaeurl = dcaeurl
self.dcaeuser = dcaeuser
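Review bot: The new `dockerhost` default, `tcp://localhost:2375`, reaches the Docker API over plain TCP; 2375 is conventionally the unencrypted, unauthenticated port, and anything that can connect to it has full control of that daemon. The switch presumably follows from the non-root adapter no longer being able to open the root-owned socket, but the class docstring and the README entry should state that the daemon must listen on loopback only, or that a TLS endpoint should be configured instead. A comment such as `# dockerhost default assumes a loopback-only daemon (e.g. a sidecar); never expose 2375 beyond the pod/host` above `__init__` would record the assumption. `__init__` continues outside the hunk.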
@@ -299,7 +299,7 @@ class Apihandler(BaseHTTPRequestHandler):
else:
solution = aa.jsonget('/solutions/{}', self.qparams['solutionId'])
onboard(aa, callback, solution, self.qparams['revisionId'])
- self.replyraw('OK', 'text/plain')
+ self.replyraw('OK'.encode('utf-8'), 'text/plain')
return
self.send_error(400)
diff --git a/adapter/acumos/pom.xml b/adapter/acumos/pom.xml
index 7d872ef..1ea941d 100644
--- a/adapter/acumos/pom.xml
+++ b/adapter/acumos/pom.xml
@@ -23,7 +23,7 @@ limitations under the License.
<modelVersion>4.0.0</modelVersion>
<groupId>org.onap.dcaegen2.platform.adapter</groupId>
<artifactId>dcaegen2-platform-adapter-acumos</artifactId>
- <version>1.0.1</version>
+ <version>1.0.2-SNAPSHOT</version>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<sonar.sources>.</sonar.sources>
diff --git a/adapter/acumos/setup.py b/adapter/acumos/setup.py
index 9001cd5..e833307 100644
--- a/adapter/acumos/setup.py
+++ b/adapter/acumos/setup.py
@@ -20,7 +20,7 @@ from setuptools import setup, find_packages
setup(
name="aoconversion",
- version="1.0.1",
+ version="1.0.2",
packages=find_packages(exclude=["tests.*", "tests"]),
author="Tommy Carpenter, Andrew Gauld",
author_email="tommy@research.att.com, agauld@att.com",
diff --git a/mod/designtool/designtool-web/pom.xml b/mod/designtool/designtool-web/pom.xml
index 8806964..fc24024 100644
--- a/mod/designtool/designtool-web/pom.xml
+++ b/mod/designtool/designtool-web/pom.xml
@@ -27,6 +27,7 @@ limitations under the License.
<version>1.0.1-SNAPSHOT</version>
</parent>
<artifactId>designtool-web</artifactId>
+ <version>1.0.2-SNAPSHOT</version>
<packaging>war</packaging>
<name>dcaegen2-platform-mod-designtool-web</name>
<properties>
@@ -84,7 +85,7 @@ limitations under the License.
<dependency>
<groupId>org.onap.dcaegen2.platform.mod</groupId>
<artifactId>nifi-war-to-jar</artifactId>
- <version>${project.version}</version>
+ <version>1.0.1-SNAPSHOT</version>
<scope>provided</scope>
</dependency>
<dependency>
diff --git a/mod/designtool/designtool-web/sh/start.sh b/mod/designtool/designtool-web/sh/start.sh
index 8658983..b0393de 100755
--- a/mod/designtool/designtool-web/sh/start.sh
+++ b/mod/designtool/designtool-web/sh/start.sh
@@ -51,16 +51,9 @@ prop_replace 'nifi.web.proxy.context.path' "${NIFI_WEB_PROXY_CO
# replace value conditionally if the property name exists otherwise append
if grep -q 'nifi.dcae.jars.index.url' $nifi_props_file
then
- prop_replace 'nifi.dcae.jars.index.url' "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http/nifi-jars/}"
+ prop_replace 'nifi.dcae.jars.index.url' "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http:8080/nifi-jars/}"
else
- prop_append 'nifi.dcae.jars.index.url' "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http/nifi-jars/}"
-fi
-
-if grep -q 'nifi.ui.dcae.distibutor.api.url' $nifi_props_file
-then
- prop_replace 'nifi.ui.dcae.distibutor.api.url' "${NIFI_DCAE_DISTRIBUTOR_API_URL:-http://distributor-api}"
-else
- prop_append 'nifi.ui.dcae.distibutor.api.url' "${NIFI_DCAE_DISTRIBUTOR_API_URL:-http://distributor-api}"
+ prop_append 'nifi.dcae.jars.index.url' "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http:8080/nifi-jars/}"
fi
. "${scripts_dir}/update_cluster_state_management.sh"
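Review bot: The block that wrote `nifi.ui.dcae.distibutor.api.url` is deleted here rather than moved to the new port, although the commit description says the designtool-web URLs were adjusted and distributorapi now listens on 8080. If the UI still reads that property, it now depends on whatever value is already in the properties file and `NIFI_DCAE_DISTRIBUTOR_API_URL` is silently ignored; if the removal is intended, a comment saying where the distributor URL now comes from would help. Separately, the default `http://genprocessor-http:8080/nifi-jars/` is spelled out in both branches; assigning it once, `jars_url="${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http:8080/nifi-jars/}"`, keeps them from drifting. The script continues outside the hunk.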
diff --git a/mod/distributorapi/Changelog.md b/mod/distributorapi/Changelog.md
new file mode 100644
index 0000000..2e0327b
--- /dev/null
+++ b/mod/distributorapi/Changelog.md
@@ -0,0 +1,10 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/)
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [1.0.1] - 3/26/2020
+ * Run as non-root
+## [1.0.0] - 11/11/2019
+ * Distributor API - initial version
diff --git a/mod/distributorapi/Dockerfile b/mod/distributorapi/Dockerfile
index cc10c68..f82607d 100644
--- a/mod/distributorapi/Dockerfile
+++ b/mod/distributorapi/Dockerfile
@@ -15,9 +15,14 @@
# ============LICENSE_END=========================================================
FROM python:3.7-alpine
+ARG UID=1000
+ARG GID=1000
COPY . /code
WORKDIR /code
-RUN pip install .
-EXPOSE 80
+RUN pip install . && \
+ addgroup -g $GID dcaemod && \
+ adduser -s /bin/bash -u $UID -G dcaemod -D dcaemod
+USER dcaemod
+EXPOSE 8080
ENV DISTRIBUTOR_DEBUG=0
CMD start-distributor-api
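Review bot: `adduser -s /bin/bash` records a login shell that nothing visible in this Dockerfile installs; `python:3.7-alpine` does not ship bash, and unlike mod/onboardingapi/Dockerfile there is no `apk add bash` here. A service account does not need an interactive shell, so `adduser -s /sbin/nologin -u "$UID" -G dcaemod -D dcaemod` is both accurate and tighter. Quoting `"$GID"` and `"$UID"` also avoids a confusing failure when a build argument is passed empty.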
diff --git a/mod/distributorapi/distributor/config.py b/mod/distributorapi/distributor/config.py
index 8d2cede..d83eee1 100644
--- a/mod/distributorapi/distributor/config.py
+++ b/mod/distributorapi/distributor/config.py
@@ -35,4 +35,4 @@ def init():
global onboarding_api_url
onboarding_api_url = _grab_env("ONBOARDING_API_URL"
- , default="http://onboarding-api/onboarding")
+ , default="http://onboarding-api:8080/onboarding")
diff --git a/mod/distributorapi/distributor/http.py b/mod/distributorapi/distributor/http.py
index 963a852..f1aa2fd 100644
--- a/mod/distributorapi/distributor/http.py
+++ b/mod/distributorapi/distributor/http.py
@@ -253,4 +253,4 @@ def start_http_server():
if is_debug():
_app.run(debug=True)
else:
- _app.run(host="0.0.0.0", port=80, debug=False)
+ _app.run(host="0.0.0.0", port=8080, debug=False)
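Review bot: The non-debug branch still serves with Flask's built-in development server on `0.0.0.0`, now on port 8080; that server is not hardened for production traffic, and the move to an unprivileged port was a natural point to put a WSGI server in front of `_app`. The other branch, `_app.run(debug=True)`, turns on the Werkzeug interactive debugger, so a comment next to the `is_debug()` check such as `# debug mode enables the interactive debugger; never enable in a deployed image` would be worth adding. The same pair of lines appears in mod/onboardingapi/dcae_cli/http.py. `start_http_server` begins outside the hunk.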
diff --git a/mod/distributorapi/distributor/version.py b/mod/distributorapi/distributor/version.py
index 57c4da3..9da6f0f 100644
--- a/mod/distributorapi/distributor/version.py
+++ b/mod/distributorapi/distributor/version.py
@@ -13,4 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END=========================================================
-__version__ = "1.0.0"
+__version__ = "1.0.1"
diff --git a/mod/distributorapi/pom.xml b/mod/distributorapi/pom.xml
index 3cfd949..45096b1 100644
--- a/mod/distributorapi/pom.xml
+++ b/mod/distributorapi/pom.xml
@@ -23,7 +23,7 @@ limitations under the License.
<groupId>org.onap.dcaegen2.platform.mod</groupId>
<artifactId>dcaegen2-platform-mod-distributorapi</artifactId>
<!-- NOTE: Must keep this version synchronized with the version in distributor/version.py file -->
- <version>1.0.0</version>
+ <version>1.0.1-SNAPSHOT</version>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<sonar.sources>.</sonar.sources>
diff --git a/mod/genprocessor/nginx.conf b/mod/genprocessor/nginx.conf
index bd53c07..b6bdb24 100644
--- a/mod/genprocessor/nginx.conf
+++ b/mod/genprocessor/nginx.conf
@@ -1,5 +1,5 @@
server {
- listen 80;
+ listen 8080;
server_name localhost;
location / {
diff --git a/mod/genprocessor/pom.xml b/mod/genprocessor/pom.xml
index 6afc9de..ccc1ce3 100644
--- a/mod/genprocessor/pom.xml
+++ b/mod/genprocessor/pom.xml
@@ -26,7 +26,7 @@ limitations under the License.
</parent>
<groupId>org.onap.dcaegen2.platform.mod</groupId>
<artifactId>genprocessor</artifactId>
- <version>1.0.0</version>
+ <version>1.0.1-SNAPSHOT</version>
<name>dcaegen2-platform-mod-genprocessor</name>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -139,6 +139,10 @@ limitations under the License.
</files>
</inline>
</assembly>
+ <runCmds>
+ <runCmd>groupadd -g 1000 dcaemod &amp;&amp; useradd --shell /bin/bash -u 1000 -g 1000 -m dcaemod</runCmd>
+ </runCmds>
+ <user>dcaemod</user>
<entryPoint>
<exec>
<arg>nginx</arg>
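Review bot: The `runCmd` added here creates `dcaemod` but changes no ownership, while the entry point just below still launches `nginx`; run as an unprivileged user, nginx needs a writable pid-file location and writable cache/temp directories, which are root-owned in stock nginx images. The base image and the rest of the nginx configuration are not visible in this hunk, so this may already be handled, but the job image later in this file adds `chown dcaemod:dcaemod /work` for the same reason. If it is not handled, extend the command with the equivalent `chown` for the pid and cache paths the image uses and add an XML comment naming them.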
@@ -161,12 +165,16 @@ limitations under the License.
<assembly>
<descriptorRef>artifact-with-dependencies</descriptorRef>
</assembly>
+ <runCmds>
+ <runCmd>groupadd -g 1000 dcaemod &amp;&amp; useradd --shell /bin/bash -u 1000 -g 1000 -m dcaemod &amp;&amp; mkdir -p /work &amp;&amp; chown dcaemod:dcaemod /work</runCmd>
+ </runCmds>
<workdir>/maven</workdir>
<env>
<GENPROC_WORKING_DIR>/work</GENPROC_WORKING_DIR>
- <GENPROC_ONBOARDING_API_HOST>http://onboarding-api/onboarding</GENPROC_ONBOARDING_API_HOST>
+ <GENPROC_ONBOARDING_API_HOST>http://onboarding-api:8080/onboarding</GENPROC_ONBOARDING_API_HOST>
<GENPROC_SLEEP_SEC>10</GENPROC_SLEEP_SEC>
</env>
+ <user>dcaemod</user>
<entryPoint>
<exec>
<arg>java</arg>
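Review bot: The UID and GID are hard-coded as `1000` in this `runCmd`, in the one for the nginx image earlier in this file, and in mod/runtimeapi/runtime-web/pom.xml, whereas the Dockerfiles in the same commit take them from `ARG UID`/`ARG GID`. A Maven property, for example `<dcaemod.uid>1000</dcaemod.uid>` referenced as `${dcaemod.uid}`, would keep the images consistent and overridable in one place. A short XML comment above `<runCmds>` stating that `/work` must stay writable by `dcaemod` because `GENPROC_WORKING_DIR` points there would also document why the `chown` is present.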
diff --git a/mod/onboardingapi/ChangeLog.md b/mod/onboardingapi/ChangeLog.md
index 21d0f0c..28578d2 100644
--- a/mod/onboardingapi/ChangeLog.md
+++ b/mod/onboardingapi/ChangeLog.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).
+## [2.12.1]
+
+* Run as non-root
+
## [2.12.0]
* Add HTTP support using Flask/flask-restplus
diff --git a/mod/onboardingapi/Dockerfile b/mod/onboardingapi/Dockerfile
index 606ca5b..2c3cd0d 100644
--- a/mod/onboardingapi/Dockerfile
+++ b/mod/onboardingapi/Dockerfile
@@ -1,12 +1,18 @@
FROM python:3.7-alpine
-RUN apk update && \
- apk add --virtual build-deps gcc python-dev musl-dev && \
- apk add postgresql-dev bash
+ARG UID=1000
+ARG GID=1000
+
COPY . /code
WORKDIR /code
-RUN pip install . \
- && mkdir -p ~/.config/dcae-cli
-EXPOSE 80
+RUN apk update && \
+ apk add --virtual build-deps gcc python-dev musl-dev && \
+ apk add postgresql-dev bash && \
+ addgroup -g $GID dcaemod && \
+ adduser -s /bin/bash -u $UID -G dcaemod -D dcaemod && \
+ pip install .
+
+EXPOSE 8080
+USER dcaemod
CMD /code/start.sh
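Review bot: `apk add --virtual build-deps gcc python-dev musl-dev` is never undone, so the compiler toolchain ships in the runtime image that now runs as `dcaemod`. Now that package installation and `pip install .` share one `RUN`, the virtual package can be dropped in the same layer with `pip install . && apk del build-deps`, and `apk add --no-cache` can replace the separate `apk update`. This assumes nothing at runtime needs gcc; `postgresql-dev` and `bash` are installed outside the virtual package and would remain.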
diff --git a/mod/onboardingapi/dcae_cli/_version.py b/mod/onboardingapi/dcae_cli/_version.py
index e1ceca3..b61bd9a 100644
--- a/mod/onboardingapi/dcae_cli/_version.py
+++ b/mod/onboardingapi/dcae_cli/_version.py
@@ -19,4 +19,4 @@
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
# -*- coding: utf-8 -*-
-__version__ = "2.12.0"
+__version__ = "2.12.1"
diff --git a/mod/onboardingapi/dcae_cli/http.py b/mod/onboardingapi/dcae_cli/http.py
index 792cd7f..4d3ae0c 100644
--- a/mod/onboardingapi/dcae_cli/http.py
+++ b/mod/onboardingapi/dcae_cli/http.py
@@ -498,4 +498,4 @@ def start_http_server(catalog, debug=True):
if debug:
_app.run(debug=True)
else:
- _app.run(host="0.0.0.0", port=80, debug=False)
+ _app.run(host="0.0.0.0", port=8080, debug=False)
diff --git a/mod/onboardingapi/pom.xml b/mod/onboardingapi/pom.xml
index 588a9b2..be5e683 100644
--- a/mod/onboardingapi/pom.xml
+++ b/mod/onboardingapi/pom.xml
@@ -22,7 +22,7 @@ limitations under the License.
<groupId>org.onap.dcaegen2.platform.mod</groupId>
<artifactId>dcaegen2-platform-mod-onboardingapi</artifactId>
<name>dcaegen2-platform-mod-onboardingapi</name>
- <version>2.12.0</version>
+ <version>2.12.1-SNAPSHOT</version>
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/mod/onboardingapi/start.sh b/mod/onboardingapi/start.sh
index 6d7d9e5..a938c98 100755
--- a/mod/onboardingapi/start.sh
+++ b/mod/onboardingapi/start.sh
@@ -6,6 +6,7 @@ if [ -z $PG_CONN ]; then
exit 1
fi
+mkdir -p ~/.config/dcae-cli
if [ ! -f ~/.config/dcae-cli/config.json ]; then
echo "Creating dcae-cli config"
# TODO: Make this into a variable that gets fed in via docker run
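Review bot: `mkdir -p ~/.config/dcae-cli` creates the directory with the default umask and its failure is not checked. The script requires `PG_CONN` just above, so the config written below presumably carries database connection details; `mkdir -p -m 700 ~/.config/dcae-cli || exit 1` restricts the directory and stops early if the home directory is not writable for the new non-root user. The `if` that creates config.json continues outside the hunk.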
diff --git a/mod/runtimeapi/runtime-web/pom.xml b/mod/runtimeapi/runtime-web/pom.xml
index ff08ac1..4cc5a66 100644
--- a/mod/runtimeapi/runtime-web/pom.xml
+++ b/mod/runtimeapi/runtime-web/pom.xml
@@ -25,7 +25,7 @@ limitations under the License.
<version>1.0.1</version>
</parent>
<artifactId>runtime-web</artifactId>
- <version>1.0.1</version>
+ <version>1.0.2-SNAPSHOT</version>
<packaging>jar</packaging>
<name>runtime-web</name>
<description>MOD Runtime Web Module</description>
@@ -118,6 +118,9 @@ limitations under the License.
<assembly>
<descriptorRef>artifact</descriptorRef>
</assembly>
+ <runCmds>
+ <runCmd>addgroup -g 1000 dcaemod &amp;&amp; adduser -s /bin/bash -u 1000 -G dcaemod -D dcaemod</runCmd>
+ </runCmds>
<workdir>/maven</workdir>
<volumes>
<volume>/tmp</volume>
@@ -125,6 +128,7 @@ limitations under the License.
<ports>
<port>9090</port>
</ports>
+ <user>dcaemod</user>
<entryPoint>
<exec>
<arg>java</arg>