From f32825f5f5cc5944b3108b1cf5c3e49476e72f1c Mon Sep 17 00:00:00 2001
From: Kate Hsuan
Date: Fri, 27 Mar 2020 06:49:15 +0000
Subject: Avoid running as root.
Issue-ID: DCAEGEN2-2171
Signed-off-by: Kate Hsuan
Change-Id: If4594ee7079532ae87ed4741db3cb6a53da23f34
---
components/datalake-handler/admin/Dockerfile | 29 +++++++++++------
.../admin/nginx/dl-admin-nginx.conf | 4 +--
components/datalake-handler/admin/nginx/nginx.conf | 36 ++++++++++++++++++++++
components/datalake-handler/admin/pom.xml | 2 +-
components/datalake-handler/collector/pom.xml | 2 +-
components/datalake-handler/feeder/Dockerfile | 2 ++
components/datalake-handler/feeder/pom.xml | 5 +--
components/datalake-handler/pom.xml | 2 +-
components/datalake-handler/version.properties | 2 +-
9 files changed, 66 insertions(+), 18 deletions(-)
create mode 100644 components/datalake-handler/admin/nginx/nginx.conf
(limited to 'components')
diff --git a/components/datalake-handler/admin/Dockerfile b/components/datalake-handler/admin/Dockerfile
index 38c50a65..2e6442ae 100644
--- a/components/datalake-handler/admin/Dockerfile
+++ b/components/datalake-handler/admin/Dockerfile
@@ -12,20 +12,29 @@ RUN npm install && \ FROM nginx:1.17.9 -RUN apt-get update && \ - apt-get install -y dnsmasq -RUN echo "\n\n# Docker extra config \nuser=root\naddn-hosts=/etc/hosts\n" >> /etc/dnsmasq.conf +RUN groupadd -r datalake && useradd -r -g datalake datalake COPY --from=builder /app/dist/* /usr/share/nginx/html/ COPY --from=builder /app/dl-admin-nginx.conf /etc/nginx/conf.d/default.conf +COPY --from=builder /app/nginx.conf /etc/nginx/nginx.conf -CMD echo "domain-needed" >> /etc/dnsmasq.conf && \ - echo "resolv-file=/etc/resolv.conf" >> /etc/dnsmasq.conf && \ - echo "expand-hosts" >> /etc/dnsmasq.conf && \ - echo "listen-address=127.0.0.1" >> /etc/dnsmasq.conf && \ - service dnsmasq restart && \ - echo set \$upstreamName http://dl-feeder.`grep search /etc/resolv.conf | awk {'print $2'}`:1680/datalake/v1\$1\$is_args\$args\; > /etc/nginx/upstream.conf && \ - nginx -g "daemon off;" +RUN chown -R datalake:datalake /etc/nginx +RUN chown -R datalake:datalake /var/cache/nginx + + +USER datalake + +#CMD echo "domain-needed" >> /etc/dnsmasq.conf && \ +# echo "resolv-file=/etc/resolv.conf" >> /etc/dnsmasq.conf && \ +# echo "expand-hosts" >> /etc/dnsmasq.conf && \ +# echo "listen-address=127.0.0.1" >> /etc/dnsmasq.conf && \ +# service dnsmasq restart && \ +# echo set \$upstreamName http://dl-feeder.`grep search /etc/resolv.conf | awk {'print $2'}`:1680/datalake/v1\$1\$is_args\$args\; > /etc/nginx/upstream.conf && \ +# nginx -g "daemon off;" + +CMD echo resolver `grep nameserver /etc/resolv.conf |awk {'print $2'}` valid=10s\; > /etc/nginx/resolver.conf && \ + echo set \$upstreamName http://dl-feeder.`grep search /etc/resolv.conf | awk {'print $2'}`:1680/datalake/v1\$1\$is_args\$args\; > /etc/nginx/upstream.conf && \ + nginx -g "daemon off;" #CMD ["sh", "-c", "tail -f /dev/null"] diff --git a/components/datalake-handler/admin/nginx/dl-admin-nginx.conf b/components/datalake-handler/admin/nginx/dl-admin-nginx.conf index b6caa609..4ffbdfd3 100644 
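Review bot: `RUN chown -R datalake:datalake /etc/nginx` hands the runtime user write access to the whole nginx configuration tree, while the new CMD only needs to create `/etc/nginx/resolver.conf` and `/etc/nginx/upstream.conf`; with `USER datalake` the master and workers all run as that user (nginx ignores `user` when its master is unprivileged), so a compromised worker could rewrite default.conf or nginx.conf and have the change survive a restart. Narrow it to the two generated files: `RUN touch /etc/nginx/resolver.conf /etc/nginx/upstream.conf && chown datalake:datalake /etc/nginx/resolver.conf /etc/nginx/upstream.conf` and drop the recursive chown of `/etc/nginx`. The resolver line is built without a guard: if `/etc/resolv.conf` carries no `nameserver` entry the generated file reads `resolver valid=10s;` and nginx refuses to start, which is a less helpful failure than an explicit check in the CMD. The commented-out dnsmasq CMD block is dead code now that dnsmasq is no longer installed; git history keeps it, so remove it rather than carry it in the image.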
--- a/components/datalake-handler/admin/nginx/dl-admin-nginx.conf +++ b/components/datalake-handler/admin/nginx/dl-admin-nginx.conf @@ -1,8 +1,8 @@ server { - listen 80; + listen 8088; root /usr/share/nginx/html; - resolver 127.0.0.1 valid=10s; + include /etc/nginx/resolver.conf; location ~/datalake/v1(.*)$ { #set $upstreamName http://dl_feeder:1680/datalake/v1$1; include /etc/nginx/upstream.conf; diff --git a/components/datalake-handler/admin/nginx/nginx.conf b/components/datalake-handler/admin/nginx/nginx.conf new file mode 100644 index 00000000..8613dff5 --- /dev/null +++ b/components/datalake-handler/admin/nginx/nginx.conf @@ -0,0 +1,36 @@ +user nginx; +worker_processes 1; + +error_log /tmp/error.log warn; +pid /tmp/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /tmp/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + client_body_temp_path /tmp/client_temp; + proxy_temp_path /tmp/proxy_temp_path; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + include /etc/nginx/conf.d/*.conf; +} diff --git a/components/datalake-handler/admin/pom.xml b/components/datalake-handler/admin/pom.xml index 5325ba9e..ff2044d5 100644 --- a/components/datalake-handler/admin/pom.xml +++ b/components/datalake-handler/admin/pom.xml @@ -7,7 +7,7 @@ org.onap.dcaegen2.services.components datalake-handler - 1.0.1-SNAPSHOT + 1.0.2-SNAPSHOT org.onap.dcaegen2.services.components.datalake-handler diff --git a/components/datalake-handler/collector/pom.xml b/components/datalake-handler/collector/pom.xml index a90b9dff..a9dad993 100644 --- a/components/datalake-handler/collector/pom.xml 
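Review bot: The `listen 80;` to `listen 8088;` change carries no comment explaining it, and nothing in this commit updates whatever reaches the admin UI on port 80 (compose files, blueprints, service definitions — none are in the diff, so confirm against the deployment descriptors). Add `# unprivileged port: the image no longer runs as root (see Dockerfile USER), so ports below 1024 cannot be bound` above the listen line. The new `include /etc/nginx/resolver.conf;` also depends on the Dockerfile CMD having written that file before nginx starts; a note such as `# generated at container start from /etc/resolv.conf (admin/Dockerfile CMD)` saves the next reader a hunt when the include is missing.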
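Review bot: `user nginx;` at the top of the new nginx.conf is ineffective once the container starts as `datalake` (the admin Dockerfile in this commit adds `USER datalake`): nginx only honours `user` when its master runs as root and otherwise logs a warning at every start, so the line misleads readers into believing workers drop to `nginx`. Remove it, or keep it with `# ignored when the master is unprivileged; workers inherit the container user`. Sending `error_log` and `access_log` to files under `/tmp` also hides them from `docker logs` and from any log shipper reading container stdout/stderr, which is where the upstream nginx image delivers them; `error_log /dev/stderr warn;` and `access_log /dev/stdout main;` work without root and keep the access trail observable. The `pid` and `*_temp_path` entries under `/tmp` are fine for an unprivileged process.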
+++ b/components/datalake-handler/collector/pom.xml @@ -7,7 +7,7 @@ org.onap.dcaegen2.services.components datalake-handler - 1.0.1-SNAPSHOT + 1.0.2-SNAPSHOT org.onap.dcaegen2.services.components.datalake-handler diff --git a/components/datalake-handler/feeder/Dockerfile b/components/datalake-handler/feeder/Dockerfile index e2606352..b34834be 100644 --- a/components/datalake-handler/feeder/Dockerfile +++ b/components/datalake-handler/feeder/Dockerfile @@ -27,5 +27,7 @@ RUN apt update && \ apt install -y mariadb-client && \ apt install -y curl +USER datalake + CMD ["sh", "run.sh"] diff --git a/components/datalake-handler/feeder/pom.xml b/components/datalake-handler/feeder/pom.xml index 3297c7ea..5954b378 100644 --- a/components/datalake-handler/feeder/pom.xml +++ b/components/datalake-handler/feeder/pom.xml @@ -6,7 +6,7 @@ org.onap.dcaegen2.services.components datalake-handler - 1.0.1-SNAPSHOT + 1.0.2-SNAPSHOT org.onap.dcaegen2.services.components.datalake-handler @@ -218,7 +218,8 @@ docker --> - ${onap.nexus.dockerregistry.daily}/${docker.image.path} + ${onap.nexus.dockerregistry.daily}/${docker.image.path} + ${project.version} Dockerfile diff --git a/components/datalake-handler/pom.xml b/components/datalake-handler/pom.xml index 9b00a41e..fc4922ca 100644 --- a/components/datalake-handler/pom.xml +++ b/components/datalake-handler/pom.xml @@ -12,7 +12,7 @@ org.onap.dcaegen2.services.components datalake-handler - 1.0.1-SNAPSHOT + 1.0.2-SNAPSHOT pom dcaegen2-service-datalake-handler diff --git a/components/datalake-handler/version.properties b/components/datalake-handler/version.properties index 0f1f46a5..c13587b4 100644 --- a/components/datalake-handler/version.properties +++ b/components/datalake-handler/version.properties @@ -1,6 +1,6 @@ major=1 minor=0 -patch=1 +patch=2 base_version=${major}.${minor}.${patch} release_version=${base_version} snapshot_version=${base_version}-SNAPSHOT -- cgit 1.2.3-korg
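Review bot: `USER datalake` is added to the feeder Dockerfile, but this hunk shows no `useradd` and the first 26 lines of the file are outside it; if the user is not created there, the image still builds and only fails at `docker run` with an "unable to find user" error. If it is missing, add `RUN groupadd -r datalake && useradd -r -g datalake datalake` before the `USER` line, mirroring the admin Dockerfile in this commit. Whatever `run.sh` writes at runtime (logs, temp files, the application directory) must also be owned by or writable for `datalake`, which no `chown` in the hunk provides — verify against the earlier part of the Dockerfile.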