From f6668af5c6a624dc3053a2217dacce82ad7b547a Mon Sep 17 00:00:00 2001 From: Stavros Kanarakis Date: Mon, 22 Apr 2019 18:41:18 +0300 Subject: Run BBS-ep docker container as non-root Replaced docker maven plugin to introduce Dockerfile. Corrected component blueprint to deploy BBS-ep as a service component instead of a platform one. Change-Id: If3af67eef1a9f68554ee215d24b54f9cd4b7ce80 Issue-ID: DCAEGEN2-1446 Signed-off-by: Stavros Kanarakis --- components/bbs-event-processor/.dockerignore | 5 ++ components/bbs-event-processor/Dockerfile | 21 +++++++++ .../k8s-bbs-event-processor.yaml-template | 20 ++++---- components/bbs-event-processor/pom.xml | 55 +++++++++------------- 4 files changed, 56 insertions(+), 45 deletions(-) create mode 100644 components/bbs-event-processor/.dockerignore create mode 100644 components/bbs-event-processor/Dockerfile (limited to 'components/bbs-event-processor') diff --git a/components/bbs-event-processor/.dockerignore b/components/bbs-event-processor/.dockerignore new file mode 100644 index 00000000..842d1756 --- /dev/null +++ b/components/bbs-event-processor/.dockerignore @@ -0,0 +1,5 @@ +dpo +src +target +!target/libs/* +!target/*.jar \ No newline at end of file diff --git a/components/bbs-event-processor/Dockerfile b/components/bbs-event-processor/Dockerfile new file mode 100644 index 00000000..e799bd92 --- /dev/null +++ b/components/bbs-event-processor/Dockerfile 
@@ -0,0 +1,21 @@
+FROM openjdk:8-jre-alpine
+
+ARG PROJECT_BUILD_DIR_NAME
+ARG FINAL_JAR
+ARG DEPENDENCIES_DIR
+ARG DOCKER_ARTIFACT_DIR
+
+#Add a new user and group to allow container to be run as non-root
+RUN addgroup -S bbs-ep && adduser -S -G bbs-ep bbs-ep
+
+#Copy dependencies and executable jar
+WORKDIR ${DOCKER_ARTIFACT_DIR}
+COPY ${PROJECT_BUILD_DIR_NAME}/${FINAL_JAR} .
+#Overcome Docker limitation to put ARG inside ENTRYPOINT
+RUN ln -s ${FINAL_JAR} bbs-ep.jar
+COPY ${PROJECT_BUILD_DIR_NAME}/${DEPENDENCIES_DIR} ./${DEPENDENCIES_DIR}
+
+EXPOSE 8100
+
+USER bbs-ep:bbs-ep
+ENTRYPOINT ["java", "-jar", "bbs-ep.jar"]
diff --git a/components/bbs-event-processor/dpo/blueprints/k8s-bbs-event-processor.yaml-template b/components/bbs-event-processor/dpo/blueprints/k8s-bbs-event-processor.yaml-template
index eaf6275a..5688dbac 100644
--- a/components/bbs-event-processor/dpo/blueprints/k8s-bbs-event-processor.yaml-template
+++ b/components/bbs-event-processor/dpo/blueprints/k8s-bbs-event-processor.yaml-template
@@ -43,9 +43,6 @@ inputs:
 type: integer
 description: number of instances
 default: 1
- host_port:
- description: port on Kubernetes host where bbs-event-processor API will be exposed
- default: 0
 pnf_reregistration_url:
 type: string
 cpe_authentication_url:
@@ -110,7 +107,7 @@ inputs:
 default: true
 node_templates:
 bbs-event-processor:
- type: dcae.nodes.ContainerizedPlatformComponent
+ type: dcae.nodes.ContainerizedServiceComponent
 properties:
 application_config:
 streams_subscribes:
@@ -168,10 +165,6 @@ node_templates:
 application.ssl.trustStorePasswordPath: "/opt/app/bbs-event-processor/etc/cert/trust.pass"
 application.ssl.enableAaiCertAuth: { get_input: aai_secure_enable_cert }
 application.ssl.enableDmaapCertAuth: { get_input: dmaap_secure_enable_cert }
- host_port:
- { get_input: host_port }
- container_port:
- 8100
 docker_config:
 healthcheck:
 endpoint: /heartbeat
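Review bot: In the new `components/bbs-event-processor/Dockerfile`, `adduser -S` lets Alpine choose the UID and `USER bbs-ep:bbs-ep` records only a name, so a Kubernetes pod policy of `runAsNonRoot: true` cannot verify the image as non-root unless `runAsUser` is also set. Pin the IDs and use them numerically: `RUN addgroup -S -g 10001 bbs-ep && adduser -S -u 10001 -G bbs-ep bbs-ep` and `USER 10001:10001` (10001 is an example value). The two `COPY` lines leave the jar and libs owned by root, which keeps them read-only to the service, but the blueprint's `/opt/app/bbs-event-processor/logs` then has to be writable by that UID; this depends on how the platform mounts the log volume, so it is worth confirming. Separately, `FROM openjdk:8-jre-alpine` is a floating tag, and pinning it by digest would make what runs as `bbs-ep` reproducible and reviewable.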
@@ -181,10 +174,15 @@ node_templates: image: { get_input: tag_version } replicas: {get_input: replicas} - name: 'bbs-event-processor' - dns_name: 'bbs-event-processor' + service_component_type: 'bbs-event-processor' log_info: log_directory: "/opt/app/bbs-event-processor/logs" tls_info: cert_directory: '/opt/app/bbs-event-processor/etc/cert' - use_tls: true \ No newline at end of file + use_tls: true + interfaces: + cloudify.interfaces.lifecycle: + start: + inputs: + ports: + - concat: ["8100:", "30810"] \ No newline at end of file diff --git a/components/bbs-event-processor/pom.xml b/components/bbs-event-processor/pom.xml index a4a0ffdb..3615da05 100644 --- a/components/bbs-event-processor/pom.xml +++ b/components/bbs-event-processor/pom.xml @@ -40,7 +40,6 @@ org.onap.bbs.event.processor.Application libs ${project.build.directory}/${dependency.dir.name} - /opt onap/${project.groupId}.${project.artifactId} yyyyMMdd'T'HHmmss @@ -249,8 +248,8 @@ com.spotify - docker-maven-plugin - 1.2.0 + dockerfile-maven-plugin + 1.4.10 org.apache.maven.plugins @@ -323,29 +322,17 @@ com.spotify - docker-maven-plugin + dockerfile-maven-plugin - ${onap.nexus.dockerregistry.daily} - ${docker.image.name} - - latest - - openjdk:${java.version}-jre-alpine - ${docker.artifact.dir} - - - ${dependency.dir.location} - ${dependency.dir.name} - - - ${project.build.directory} - ${project.build.finalName}.jar - - - - 8100 - - ["java", "-jar", "${project.build.finalName}.jar"] + ${project.basedir} + ${docker.image.name} + latest + + target + ${dependency.dir.name} + /opt + ${project.build.finalName}.jar + @@ -360,11 +347,11 @@ deploy tag + push - ${docker.image.name}:latest - ${onap.nexus.dockerregistry.daily}/${docker.image.name}:latest - true + ${onap.nexus.dockerregistry.daily}/${docker.image.name} + latest 
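Review bot: In the last hunk of `k8s-bbs-event-processor.yaml-template`, the added `ports` entry hard-codes host port 30810, while the same commit removes the `host_port` input that defaulted to 0. Every deployment of this blueprint now publishes container port 8100 on a fixed node port with no way to move it or turn it off; if 0 previously meant "not exposed" (confirm against the k8s plugin), this widens network exposure by default. Consider keeping the port an input, e.g. `- concat: ["8100:", { get_input: external_port }]` with `external_port` declared under `inputs` (the name is a suggestion), and add a comment stating which clients are expected to reach the API from outside the cluster. The file also still ends without a trailing newline.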
@@ -372,11 +359,11 @@ deploy tag + push - ${docker.image.name}:latest - ${onap.nexus.dockerregistry.daily}/${docker.image.name}:${project.version} - true + ${onap.nexus.dockerregistry.daily}/${docker.image.name} + ${project.version} @@ -384,11 +371,11 @@ deploy tag + push - ${docker.image.name}:latest - ${onap.nexus.dockerregistry.daily}/${docker.image.name}:${project.version}-${maven.build.timestamp}Z - true + ${onap.nexus.dockerregistry.daily}/${docker.image.name} + ${project.version}-${maven.build.timestamp}Z -- cgit 1.2.3-korg