From f6a8a8322d09d5f6012167d298dea6f0471cb82c Mon Sep 17 00:00:00 2001 From: Andrew Gauld Date: Fri, 27 Mar 2020 15:30:36 +0000 Subject: Update images to run as non-root Images updated and the new versions are: adapter.acumos:1.0.2 mod.distributorapi:1.0.1 mod.onboardingapi:2.12.1 mod.designtool-web:1.0.2 mod.genprocessor-job:1.0.1 mod.genprocessor-http:1.0.1 mod.runtime-web:1.0.2 Note: image names all start with "onap/org.onap.dcaegen2.platform." designtool-web was already running as a non-root user. The others have been changed to create user "dcaemod" and run as that user. The listen port numbers on mod.distributorapi, mod.onboardingapi, and mod.genprocessor-http are changed from 80 to 8080. URLs in designtool-web, distributorapi, and genprocessor-job are adjusted to reflect the new port numbers. Change-Id: I510122952666c21cb92f3f64552e99d50af7c355 Issue-ID: DCAEGEN2-2170 Signed-off-by: Andrew Gauld --- adapter/acumos/Changelog.md | 2 ++ adapter/acumos/Dockerfile | 7 ++++++- adapter/acumos/README.md | 2 +- adapter/acumos/aoconversion/scanner.py | 4 ++-- adapter/acumos/pom.xml | 2 +- adapter/acumos/setup.py | 2 +- mod/designtool/designtool-web/pom.xml | 3 ++- mod/designtool/designtool-web/sh/start.sh | 11 ++--------- mod/distributorapi/Changelog.md | 10 ++++++++++ mod/distributorapi/Dockerfile | 9 +++++++-- mod/distributorapi/distributor/config.py | 2 +- mod/distributorapi/distributor/http.py | 2 +- mod/distributorapi/distributor/version.py | 2 +- mod/distributorapi/pom.xml | 2 +- mod/genprocessor/nginx.conf | 2 +- mod/genprocessor/pom.xml | 12 ++++++++++-- mod/onboardingapi/ChangeLog.md | 4 ++++ mod/onboardingapi/Dockerfile | 18 ++++++++++++------ mod/onboardingapi/dcae_cli/_version.py | 2 +- mod/onboardingapi/dcae_cli/http.py | 2 +- mod/onboardingapi/pom.xml | 2 +- mod/onboardingapi/start.sh | 1 + mod/runtimeapi/runtime-web/pom.xml | 6 +++++- 23 files changed, 74 insertions(+), 35 deletions(-) create mode 100644 mod/distributorapi/Changelog.md 
diff --git a/adapter/acumos/Changelog.md b/adapter/acumos/Changelog.md index e900ad7..55bafa8 100644 --- a/adapter/acumos/Changelog.md +++ b/adapter/acumos/Changelog.md @@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## [1.0.2] - 3/26/2020 + * Run as non-root ## [1.0.1] - 3/20/2020 * Adjust URL paths for consistency with DCAE GEN design tool ## [1.0.0] - 11/13/2019 diff --git a/adapter/acumos/Dockerfile b/adapter/acumos/Dockerfile index 7ec9656..d1a0984 100644 --- a/adapter/acumos/Dockerfile +++ b/adapter/acumos/Dockerfile @@ -17,6 +17,8 @@ # ============LICENSE_END====================================================== FROM python:3.7 +ARG UID=1000 +ARG GID=1000 COPY setup.py /tmp/build/ COPY aoconversion/ /tmp/build/aoconversion/ RUN apt-get update && \ @@ -26,9 +28,12 @@ RUN apt-get update && \ cd /tmp/build/ && \ python setup.py install && \ cd / && \ - rm -rf /tmp/* + rm -rf /tmp/* && \ + groupadd -g $GID dcaemod && \ + useradd -s /bin/bash -u $UID -g $GID -m dcaemod EXPOSE 9000 ENV PYTHONUNBUFFERED TRUE +USER dcaemod ENTRYPOINT [ "/usr/local/bin/acumos-adapter" ] CMD [ "/run/config/config.yaml" ] diff --git a/adapter/acumos/README.md b/adapter/acumos/README.md index 55490ba..2de3845 100644 --- a/adapter/acumos/README.md +++ b/adapter/acumos/README.md @@ -56,7 +56,7 @@ This operates in 2 modes: Gateway of the ACUMOS instance. certfile - The file path for the PEM file containing the private key, etc. dockerhost - (optional) The URL for the docker host. By default, - unix:///var/run/docker.sock. + tcp://localhost:2375. dockerregistry - The host:port for the ONAP docker registry. dockeruser - The user ID for uploading images to the docker registry. dockerpass - The password for uploading images to the docker registry. 
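Review bot: `useradd -s /bin/bash -u $UID -g $GID -m dcaemod` gives the service account an interactive login shell although the container's entrypoint is the `acumos-adapter` binary and nothing in this Dockerfile needs a shell for that user; `-s /usr/sbin/nologin` (present on the Debian-based `python:3.7` image) keeps the non-root change at least-privilege, unless a step outside this file relies on a shell for `dcaemod`. Because `USER dcaemod` now precedes the `ENTRYPOINT`, the config passed through `CMD [ "/run/config/config.yaml" ]` and any directory the adapter writes at runtime must be readable/writable by the UID/GID fixed at build time. A comment above `USER dcaemod`, e.g. `# runtime mounts (e.g. /run/config) must be accessible to UID $UID / GID $GID`, would spare operators a failed first start.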
diff --git a/adapter/acumos/aoconversion/scanner.py b/adapter/acumos/aoconversion/scanner.py index 41f18de..cf3ac79 100644 --- a/adapter/acumos/aoconversion/scanner.py +++ b/adapter/acumos/aoconversion/scanner.py @@ -47,7 +47,7 @@ class Config(object): Configuration parameters as attributes, make sure the required ones are there, populate defaults. """ - def __init__(self, dcaeurl, dcaeuser, onboardingurl, onboardinguser, onboardingpass, certfile, dockerregistry, dockeruser, dockerpass, acumosurl=None, interval=900, dockerhost='unix:///var/run/docker.sock', tmpdir='/var/tmp/aoadapter', certverify=True, catalogs=None, port=None, **extras): + def __init__(self, dcaeurl, dcaeuser, onboardingurl, onboardinguser, onboardingpass, certfile, dockerregistry, dockeruser, dockerpass, acumosurl=None, interval=900, dockerhost='tcp://localhost:2375', tmpdir='/var/tmp/aoadapter', certverify=True, catalogs=None, port=None, **extras): self.dcaeurl = dcaeurl self.dcaeuser = dcaeuser @@ -299,7 +299,7 @@ class Apihandler(BaseHTTPRequestHandler): else: solution = aa.jsonget('/solutions/{}', self.qparams['solutionId']) onboard(aa, callback, solution, self.qparams['revisionId']) - self.replyraw('OK', 'text/plain') + self.replyraw('OK'.encode('utf-8'), 'text/plain') return self.send_error(400) diff --git a/adapter/acumos/pom.xml b/adapter/acumos/pom.xml index 7d872ef..1ea941d 100644 --- a/adapter/acumos/pom.xml +++ b/adapter/acumos/pom.xml @@ -23,7 +23,7 @@ limitations under the License. 4.0.0 org.onap.dcaegen2.platform.adapter dcaegen2-platform-adapter-acumos - 1.0.1 + 1.0.2-SNAPSHOT UTF-8 . diff --git a/adapter/acumos/setup.py b/adapter/acumos/setup.py index 9001cd5..e833307 100644 --- a/adapter/acumos/setup.py +++ b/adapter/acumos/setup.py 
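Review bot: The new default `dockerhost='tcp://localhost:2375'` points at Docker's plaintext, unauthenticated API port, whereas the previous `unix:///var/run/docker.sock` default could be restricted with file permissions; anything able to reach that TCP endpoint effectively controls the Docker host. If the daemon must be reached over TCP because the process no longer runs as root, the TLS port with client-certificate verification is the safer default, or keep the socket default and give `dcaemod` membership in the socket's group at deployment time. At minimum the README line changed in this commit should say that the 2375 endpoint has to be bound only to the loopback or pod-local address. The `Config.__init__` body continues past the hunk.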
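Review bot: `'OK'.encode('utf-8')` is simply the bytes literal `b'OK'`; `self.replyraw(b'OK', 'text/plain')` expresses the same fix with less noise and matches how a Python 3 codebase normally spells a fixed ASCII body. The change itself (handing bytes rather than str to the raw reply path) looks like the right repair, presumably because `replyraw` writes straight to the socket, though `replyraw` is not visible here. The enclosing `Apihandler` method starts before the hunk.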
@@ -20,7 +20,7 @@ from setuptools import setup, find_packages setup( name="aoconversion", - version="1.0.1", + version="1.0.2", packages=find_packages(exclude=["tests.*", "tests"]), author="Tommy Carpenter, Andrew Gauld", author_email="tommy@research.att.com, agauld@att.com", diff --git a/mod/designtool/designtool-web/pom.xml b/mod/designtool/designtool-web/pom.xml index 8806964..fc24024 100644 --- a/mod/designtool/designtool-web/pom.xml +++ b/mod/designtool/designtool-web/pom.xml @@ -27,6 +27,7 @@ limitations under the License. 1.0.1-SNAPSHOT designtool-web + 1.0.2-SNAPSHOT war dcaegen2-platform-mod-designtool-web @@ -84,7 +85,7 @@ limitations under the License. org.onap.dcaegen2.platform.mod nifi-war-to-jar - ${project.version} + 1.0.1-SNAPSHOT provided diff --git a/mod/designtool/designtool-web/sh/start.sh b/mod/designtool/designtool-web/sh/start.sh index 8658983..b0393de 100755 --- a/mod/designtool/designtool-web/sh/start.sh +++ b/mod/designtool/designtool-web/sh/start.sh 
@@ -51,16 +51,9 @@ prop_replace 'nifi.web.proxy.context.path' "${NIFI_WEB_PROXY_CO # replace value conditionally if the property name exists otherwise append if grep -q 'nifi.dcae.jars.index.url' $nifi_props_file then - prop_replace 'nifi.dcae.jars.index.url' "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http/nifi-jars/}" + prop_replace 'nifi.dcae.jars.index.url' "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http:8080/nifi-jars/}" else - prop_append 'nifi.dcae.jars.index.url' "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http/nifi-jars/}" -fi - -if grep -q 'nifi.ui.dcae.distibutor.api.url' $nifi_props_file -then - prop_replace 'nifi.ui.dcae.distibutor.api.url' "${NIFI_DCAE_DISTRIBUTOR_API_URL:-http://distributor-api}" -else - prop_append 'nifi.ui.dcae.distibutor.api.url' "${NIFI_DCAE_DISTRIBUTOR_API_URL:-http://distributor-api}" + prop_append 'nifi.dcae.jars.index.url' "${NIFI_DCAE_JARS_INDEX_URL:-http://genprocessor-http:8080/nifi-jars/}" fi . "${scripts_dir}/update_cluster_state_management.sh" diff --git a/mod/distributorapi/Changelog.md b/mod/distributorapi/Changelog.md new file mode 100644 index 0000000..2e0327b --- /dev/null +++ b/mod/distributorapi/Changelog.md @@ -0,0 +1,10 @@ +# Change Log +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/) +and this project adheres to [Semantic Versioning](http://semver.org/). + +## [1.0.1] - 3/26/2020 + * Run as non-root +## [1.0.0] - 11/11/2019 + * Distributor API - initial version diff --git a/mod/distributorapi/Dockerfile b/mod/distributorapi/Dockerfile index cc10c68..f82607d 100644 --- a/mod/distributorapi/Dockerfile +++ b/mod/distributorapi/Dockerfile 
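Review bot: The `nifi.ui.dcae.distibutor.api.url` block is removed outright instead of being updated to `http://distributor-api:8080`, although the commit message says the designtool-web URLs were adjusted for the new port; if the NiFi UI still reads that property, the distributor link is now absent in fresh deployments and stale (port 80) in an existing `$nifi_props_file`. Either restore the block with the new default, `prop_replace 'nifi.ui.dcae.distibutor.api.url' "${NIFI_DCAE_DISTRIBUTOR_API_URL:-http://distributor-api:8080}"` plus the matching `prop_append`, or record in the commit message where that property is now set. The `jars.index.url` block above it is updated consistently in both branches.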
@@ -15,9 +15,14 @@ # ============LICENSE_END========================================================= FROM python:3.7-alpine +ARG UID=1000 +ARG GID=1000 COPY . /code WORKDIR /code -RUN pip install . -EXPOSE 80 +RUN pip install . && \ + addgroup -g $GID dcaemod && \ + adduser -s /bin/bash -u $UID -G dcaemod -D dcaemod +USER dcaemod +EXPOSE 8080 ENV DISTRIBUTOR_DEBUG=0 CMD start-distributor-api diff --git a/mod/distributorapi/distributor/config.py b/mod/distributorapi/distributor/config.py index 8d2cede..d83eee1 100644 --- a/mod/distributorapi/distributor/config.py +++ b/mod/distributorapi/distributor/config.py @@ -35,4 +35,4 @@ def init(): global onboarding_api_url onboarding_api_url = _grab_env("ONBOARDING_API_URL" - , default="http://onboarding-api/onboarding") + , default="http://onboarding-api:8080/onboarding") diff --git a/mod/distributorapi/distributor/http.py b/mod/distributorapi/distributor/http.py index 963a852..f1aa2fd 100644 --- a/mod/distributorapi/distributor/http.py +++ b/mod/distributorapi/distributor/http.py @@ -253,4 +253,4 @@ def start_http_server(): if is_debug(): _app.run(debug=True) else: - _app.run(host="0.0.0.0", port=80, debug=False) + _app.run(host="0.0.0.0", port=8080, debug=False) diff --git a/mod/distributorapi/distributor/version.py b/mod/distributorapi/distributor/version.py index 57c4da3..9da6f0f 100644 --- a/mod/distributorapi/distributor/version.py +++ b/mod/distributorapi/distributor/version.py @@ -13,4 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. # ============LICENSE_END========================================================= -__version__ = "1.0.0" +__version__ = "1.0.1" diff --git a/mod/distributorapi/pom.xml b/mod/distributorapi/pom.xml index 3cfd949..45096b1 100644 --- a/mod/distributorapi/pom.xml +++ b/mod/distributorapi/pom.xml 
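Review bot: `adduser -s /bin/bash -u $UID -G dcaemod -D dcaemod` assigns a login shell this image does not install — the base is `python:3.7-alpine` and, unlike `mod/onboardingapi/Dockerfile` in the same commit, there is no `apk add bash` here. It is harmless for `CMD start-distributor-api` (Docker runs the shell form through `/bin/sh -c`, not the user's shell), but `-s /sbin/nologin` would be both accurate and least-privilege. `COPY . /code` runs before the user exists, so `/code` stays root-owned and read-only for `dcaemod`, which is the desirable state; a comment above `USER dcaemod` such as `# /code is root-owned on purpose; the service only needs to read it` would prevent a later "fix" that chowns it.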
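Review bot: The listen port is now a literal `8080` repeated in `_app.run(...)`, in the Dockerfile's `EXPOSE 8080`, and in every consumer's default URL; the same pattern appears in `mod/onboardingapi/dcae_cli/http.py` in this commit. Reading it once from the environment with the same default, e.g. `port=int(os.environ.get("DISTRIBUTOR_PORT", "8080"))` (variable name chosen here for illustration; `config.py` already has a `_grab_env` helper that would fit), keeps the Dockerfile and the code from drifting; whether `os` is already imported is not visible in the hunk. Separately, the non-debug branch still serves through Flask's built-in development server, which predates this change but deserves a `# TODO` if the endpoint is reachable beyond the pod.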
@@ -23,7 +23,7 @@ limitations under the License. org.onap.dcaegen2.platform.mod dcaegen2-platform-mod-distributorapi - 1.0.0 + 1.0.1-SNAPSHOT UTF-8 . diff --git a/mod/genprocessor/nginx.conf b/mod/genprocessor/nginx.conf index bd53c07..b6bdb24 100644 --- a/mod/genprocessor/nginx.conf +++ b/mod/genprocessor/nginx.conf @@ -1,5 +1,5 @@ server { - listen 80; + listen 8080; server_name localhost; location / { diff --git a/mod/genprocessor/pom.xml b/mod/genprocessor/pom.xml index 6afc9de..ccc1ce3 100644 --- a/mod/genprocessor/pom.xml +++ b/mod/genprocessor/pom.xml @@ -26,7 +26,7 @@ limitations under the License. org.onap.dcaegen2.platform.mod genprocessor - 1.0.0 + 1.0.1-SNAPSHOT dcaegen2-platform-mod-genprocessor UTF-8 @@ -139,6 +139,10 @@ limitations under the License. + + groupadd -g 1000 dcaemod && useradd --shell /bin/bash -u 1000 -g 1000 -m dcaemod + + dcaemod nginx @@ -161,12 +165,16 @@ limitations under the License. artifact-with-dependencies + + groupadd -g 1000 dcaemod && useradd --shell /bin/bash -u 1000 -g 1000 -m dcaemod && mkdir -p /work && chown dcaemod:dcaemod /work + /maven /work - http://onboarding-api/onboarding + http://onboarding-api:8080/onboarding 10 + dcaemod java diff --git a/mod/onboardingapi/ChangeLog.md b/mod/onboardingapi/ChangeLog.md index 21d0f0c..28578d2 100644 --- a/mod/onboardingapi/ChangeLog.md +++ b/mod/onboardingapi/ChangeLog.md @@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## [2.12.1] + +* Run as non-root + ## [2.12.0] * Add HTTP support using Flask/flask-restplus diff --git a/mod/onboardingapi/Dockerfile b/mod/onboardingapi/Dockerfile index 606ca5b..2c3cd0d 100644 --- a/mod/onboardingapi/Dockerfile +++ b/mod/onboardingapi/Dockerfile 
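Review bot: Running the genprocessor-http image as `dcaemod` (the `useradd` and user entries added in the hunk at line 139) changes only the user; if that image is built from the stock nginx image, as the neighbouring `nginx` entry appears to indicate, the master process also needs write access to its pid file and cache directories (by default `/var/run/nginx.pid` and `/var/cache/nginx`), and neither this hunk nor `mod/genprocessor/nginx.conf` chowns them or points `pid` at a user-writable path. Please confirm the container actually starts as non-root; if it does not, append `&& chown -R dcaemod:dcaemod /var/cache/nginx && touch /var/run/nginx.pid && chown dcaemod:dcaemod /var/run/nginx.pid` to the existing `useradd` command, as the hunk at line 161 already does for `/work`. The UID/GID are also hard-coded to `1000` here while the Dockerfiles take them as build args; a comment stating that these values must match the `ARG UID`/`ARG GID` defaults would help keep them aligned.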
@@ -1,12 +1,18 @@ FROM python:3.7-alpine -RUN apk update && \ - apk add --virtual build-deps gcc python-dev musl-dev && \ - apk add postgresql-dev bash +ARG UID=1000 +ARG GID=1000 + COPY . /code WORKDIR /code -RUN pip install . \ - && mkdir -p ~/.config/dcae-cli -EXPOSE 80 +RUN apk update && \ + apk add --virtual build-deps gcc python-dev musl-dev && \ + apk add postgresql-dev bash && \ + addgroup -g $GID dcaemod && \ + adduser -s /bin/bash -u $UID -G dcaemod -D dcaemod && \ + pip install . + +EXPOSE 8080 +USER dcaemod CMD /code/start.sh diff --git a/mod/onboardingapi/dcae_cli/_version.py b/mod/onboardingapi/dcae_cli/_version.py index e1ceca3..b61bd9a 100644 --- a/mod/onboardingapi/dcae_cli/_version.py +++ b/mod/onboardingapi/dcae_cli/_version.py @@ -19,4 +19,4 @@ # ECOMP is a trademark and service mark of AT&T Intellectual Property. # -*- coding: utf-8 -*- -__version__ = "2.12.0" +__version__ = "2.12.1" diff --git a/mod/onboardingapi/dcae_cli/http.py b/mod/onboardingapi/dcae_cli/http.py index 792cd7f..4d3ae0c 100644 --- a/mod/onboardingapi/dcae_cli/http.py +++ b/mod/onboardingapi/dcae_cli/http.py @@ -498,4 +498,4 @@ def start_http_server(catalog, debug=True): if debug: _app.run(debug=True) else: - _app.run(host="0.0.0.0", port=80, debug=False) + _app.run(host="0.0.0.0", port=8080, debug=False) diff --git a/mod/onboardingapi/pom.xml b/mod/onboardingapi/pom.xml index 588a9b2..be5e683 100644 --- a/mod/onboardingapi/pom.xml +++ b/mod/onboardingapi/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.onap.dcaegen2.platform.mod dcaegen2-platform-mod-onboardingapi dcaegen2-platform-mod-onboardingapi - 2.12.0 + 2.12.1-SNAPSHOT http://maven.apache.org UTF-8 diff --git a/mod/onboardingapi/start.sh b/mod/onboardingapi/start.sh index 6d7d9e5..a938c98 100755 --- a/mod/onboardingapi/start.sh +++ b/mod/onboardingapi/start.sh 
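Review bot: The rewritten `RUN` still installs `gcc`, `python-dev` and `musl-dev` under the `build-deps` virtual package but never removes them after `pip install .`, so a compiler ships in the runtime image; appending `&& apk del build-deps` at the end of the chain, once pip has built any C extensions, trims the image and reduces what a compromised process can do inside it. Placing `addgroup`/`adduser` before `pip install .` is fine since pip still runs as root and `USER dcaemod` only switches at the end; a comment above `USER dcaemod` noting that `/code` stays root-owned by design would help the next reader. `apk update` without `--no-cache` also leaves the package index in the layer, though that predates this change.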
@@ -6,6 +6,7 @@ if [ -z $PG_CONN ]; then exit 1 fi +mkdir -p ~/.config/dcae-cli if [ ! -f ~/.config/dcae-cli/config.json ]; then echo "Creating dcae-cli config" # TODO: Make this into a variable that gets fed in via docker run diff --git a/mod/runtimeapi/runtime-web/pom.xml b/mod/runtimeapi/runtime-web/pom.xml index ff08ac1..4cc5a66 100644 --- a/mod/runtimeapi/runtime-web/pom.xml +++ b/mod/runtimeapi/runtime-web/pom.xml @@ -25,7 +25,7 @@ limitations under the License. 1.0.1 runtime-web - 1.0.1 + 1.0.2-SNAPSHOT jar runtime-web MOD Runtime Web Module @@ -118,6 +118,9 @@ limitations under the License. artifact + + addgroup -g 1000 dcaemod && adduser -s /bin/bash -u 1000 -G dcaemod -D dcaemod + /maven /tmp @@ -125,6 +128,7 @@ limitations under the License. 9090 + dcaemod java -- cgit 1.2.3-korg
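Review bot: `mkdir -p ~/.config/dcae-cli` has no failure handling, so when the home directory is not writable (read-only root filesystem, or `HOME` unset under the new non-root user) the script carries on and the config write below fails with a less obvious error; `mkdir -p ~/.config/dcae-cli || exit 1` keeps the same fail-fast behaviour as the `PG_CONN` check just above it (whether `set -e` is in force is not visible in the hunk). If the `config.json` written further down carries the `PG_CONN` connection string, a `umask 077` before the `mkdir` keeps the directory and file private to `dcaemod`.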