diff options
| author |   MichaelMorris <michael.morris@est.tech> | 2020-03-15 16:59:42 +0000 |
|---|---|---|
| committer | MichaelMorris <michael.morris@est.tech> | 2020-03-15 16:59:51 +0000 |
| commit | 70325cecbc0830d5f42c64d277273134263164fb (patch) | |
| tree | 9c5713c42d7be6172c16a30279c08fcdb471f3f9 | |
| parent | 1f77750bca5c68b6d635dd463e4db991dcd10f01 (diff) | |
Run pods as non-root user
Change-Id: Ia95d58b0dbf498c4d6295e42c1c430de6493c11b
Issue-ID: SDC-2798
Signed-off-by: MichaelMorris <michael.morris@est.tech>
| -rw-r--r-- | docker/docker_be/Dockerfile | 14 | ||||
| -rw-r--r-- | docker/docker_be/startup.sh | 2 | ||||
| -rw-r--r-- | docker/docker_tools/Dockerfile | 14 | ||||
| -rw-r--r-- | docker/docker_tools/startup.sh | 4 | ||||
| -rwxr-xr-x | docker/scripts/docker_run.sh | 8 |
5 files changed, 23 insertions, 19 deletions
diff --git a/docker/docker_be/Dockerfile b/docker/docker_be/Dockerfile index c9eccf6..6821956 100644 --- a/docker/docker_be/Dockerfile +++ b/docker/docker_be/Dockerfile @@ -1,8 +1,8 @@ -FROM onap/base_sdc-jetty:1.4.1 +FROM onap/base_sdc-jetty:1.6.0 -COPY chef-solo /root/chef-solo/ +COPY --chown=jetty:jetty chef-solo ${JETTY_BASE}/chef-solo/ -COPY chef-repo/cookbooks /root/chef-solo/cookbooks/ +COPY --chown=jetty:jetty chef-repo/cookbooks ${JETTY_BASE}/chef-solo/cookbooks/ ADD --chown=jetty:jetty target/dcae.war ${JETTY_BASE}/webapps/ @@ -10,8 +10,10 @@ USER root RUN apk add --no-cache python -COPY startup.sh /root/ +USER jetty -RUN chmod 770 /root/startup.sh +COPY --chown=jetty:jetty startup.sh ${JETTY_BASE}/ -ENTRYPOINT [ "/root/startup.sh" ] +RUN chmod 770 ${JETTY_BASE}/startup.sh + +ENTRYPOINT ${JETTY_BASE}/startup.sh diff --git a/docker/docker_be/startup.sh b/docker/docker_be/startup.sh index 3a2814f..fc56b2c 100644 --- a/docker/docker_be/startup.sh +++ b/docker/docker_be/startup.sh @@ -7,7 +7,7 @@ JAVA_OPTIONS=" ${JAVA_OPTIONS} -Dconfig.home=${JETTY_BASE}/config \ -Djavax.net.ssl.trustStorePassword=].][xgtze]hBhz*wy]}m#lf* \ -Djetty.console-capture.dir=${JETTY_BASE}/logs" -cd /root/chef-solo +cd /var/lib/jetty/chef-solo chef-solo -c solo.rb -E ${ENVNAME} status=$? diff --git a/docker/docker_tools/Dockerfile b/docker/docker_tools/Dockerfile index d80d62b..f63a9ca 100644 --- a/docker/docker_tools/Dockerfile +++ b/docker/docker_tools/Dockerfile @@ -1,8 +1,8 @@ -FROM onap/base_sdc-jetty:1.4.1 +FROM onap/base_sdc-jetty:1.6.0 -COPY chef-solo /root/chef-solo/ +COPY --chown=jetty:jetty chef-solo ${JETTY_BASE}/chef-solo/ -COPY chef-repo/cookbooks /root/chef-solo/cookbooks/ +COPY --chown=jetty:jetty chef-repo/cookbooks ${JETTY_BASE}/chef-solo/cookbooks/ ADD --chown=jetty:jetty target/dcaedt_tools-*.jar ${JETTY_BASE}/webapps/dcaedt_tools.jar @@ -10,8 +10,10 @@ USER root RUN apk add --no-cache python -COPY startup.sh /root/ +USER jetty -RUN chmod 770 /root/startup.sh +COPY --chown=jetty:jetty startup.sh ${JETTY_BASE}/ -ENTRYPOINT [ "/root/startup.sh" ] +RUN chmod 770 ${JETTY_BASE}/startup.sh + +ENTRYPOINT ${JETTY_BASE}/startup.sh diff --git a/docker/docker_tools/startup.sh b/docker/docker_tools/startup.sh index 24e4347..d3422e3 100644 --- a/docker/docker_tools/startup.sh +++ b/docker/docker_tools/startup.sh @@ -6,7 +6,7 @@ JAVA_OPTIONS=" ${JAVA_OPTIONS} -Dconfig.home=${JETTY_BASE}/config \ -Djavax.net.ssl.trustStore=${JETTY_BASE}/etc/org.onap.sdc.trust.jks \ -Djavax.net.ssl.trustStorePassword=].][xgtze]hBhz*wy]}m#lf*" -cd /root/chef-solo +cd /var/lib/jetty/chef-solo chef-solo -c solo.rb -E ${ENVNAME} status=$? @@ -18,4 +18,4 @@ fi cd ${JETTY_BASE}/webapps java ${JAVA_OPTIONS} -jar dcaedt_tools.jar ../conf/environment.json ../conf/config.json -exec "$@";
\ No newline at end of file +exec "$@"; diff --git a/docker/scripts/docker_run.sh b/docker/scripts/docker_run.sh index ceba2e4..6ee36e3 100755 --- a/docker/scripts/docker_run.sh +++ b/docker/scripts/docker_run.sh @@ -267,7 +267,7 @@ function dcae-be { if [ ${LOCAL} == false ]; then docker pull "${PREFIX}/${DOCKER_NAME}:${RELEASE}" fi - docker run ${DOCKER_RUN_MODE_FG} --name ${DOCKER_NAME} --env HOST_IP="${IP}" --env ENVNAME="${DEP_ENV}" --env JAVA_OPTIONS="${JAVA_OPTIONS}" --log-driver=json-file --log-opt max-size=100m --log-opt max-file=10 --ulimit memlock=-1:-1 --ulimit nofile=4096:100000 ${LOCAL_TIME_MOUNT_CMD} --volume "${WORKSPACE}/data/logs/DCAE-BE/:/var/lib/jetty/logs" --volume "${WORKSPACE}/data/environments:/root/chef-solo/environments" --publish 8444:8444 --publish 8082:8082 "${PREFIX}/${DOCKER_NAME}:${RELEASE}" /bin/sh + docker run ${DOCKER_RUN_MODE_FG} --name ${DOCKER_NAME} --env HOST_IP="${IP}" --env ENVNAME="${DEP_ENV}" --env JAVA_OPTIONS="${JAVA_OPTIONS}" --log-driver=json-file --log-opt max-size=100m --log-opt max-file=10 --ulimit memlock=-1:-1 --ulimit nofile=4096:100000 ${LOCAL_TIME_MOUNT_CMD} --volume "${WORKSPACE}/data/logs/DCAE-BE/:/var/lib/jetty/logs" --volume "${WORKSPACE}/data/environments:/var/lib/jetty/chef-solo/environments" --publish 8444:8444 --publish 8082:8082 "${PREFIX}/${DOCKER_NAME}:${RELEASE}" /bin/sh command_exit_status $? ${DOCKER_NAME} echo "please wait while ${DOCKER_NAME^^} is starting....." monitor_docker ${DOCKER_NAME} @@ -282,7 +282,7 @@ function dcae-tools { if [ ${LOCAL} == false ]; then docker pull "${PREFIX}/${DOCKER_NAME}:${RELEASE}" fi - docker run ${DOCKER_RUN_MODE_BG} --name ${DOCKER_NAME} --env HOST_IP="${IP}" --env ENVNAME="${DEP_ENV}" --env JAVA_OPTIONS="${JAVA_OPTIONS}" ${LOCAL_TIME_MOUNT_CMD} --volume "${WORKSPACE}/data/logs/BE/:/var/lib/jetty/logs" --volume "${WORKSPACE}/data/environments:/root/chef-solo/environments" "${PREFIX}/${DOCKER_NAME}:${RELEASE}" + docker run ${DOCKER_RUN_MODE_BG} --name ${DOCKER_NAME} --env HOST_IP="${IP}" --env ENVNAME="${DEP_ENV}" --env JAVA_OPTIONS="${JAVA_OPTIONS}" ${LOCAL_TIME_MOUNT_CMD} --volume "${WORKSPACE}/data/logs/BE/:/var/lib/jetty/logs" --volume "${WORKSPACE}/data/environments:/var/lib/jetty/chef-solo/environments" "${PREFIX}/${DOCKER_NAME}:${RELEASE}" command_exit_status $? ${DOCKER_NAME} echo "please wait while ${DOCKER_NAME^^} is starting....." monitor_docker ${DOCKER_NAME} @@ -297,7 +297,7 @@ function dcae-fe { if [ ${LOCAL} == false ]; then docker pull "${PREFIX}/${DOCKER_NAME}:${RELEASE}" fi - docker run ${DOCKER_RUN_MODE_FG} --name ${DOCKER_NAME} --env HOST_IP="${IP}" --env ENVNAME="${DEP_ENV}" --env JAVA_OPTIONS="${JAVA_OPTIONS}" --log-driver=json-file --log-opt max-size=100m --log-opt max-file=10 --ulimit memlock=-1:-1 --ulimit nofile=4096:100000 ${LOCAL_TIME_MOUNT_CMD} --volume "${WORKSPACE}/data/logs/DCAE-FE/:/var/lib/jetty/logs" --volume "${WORKSPACE}/data/environments:/root/chef-solo/environments" --publish 9444:9444 --publish 8183:8183 "${PREFIX}/${DOCKER_NAME}:${RELEASE}" /bin/sh + docker run ${DOCKER_RUN_MODE_FG} --name ${DOCKER_NAME} --env HOST_IP="${IP}" --env ENVNAME="${DEP_ENV}" --env JAVA_OPTIONS="${JAVA_OPTIONS}" --log-driver=json-file --log-opt max-size=100m --log-opt max-file=10 --ulimit memlock=-1:-1 --ulimit nofile=4096:100000 ${LOCAL_TIME_MOUNT_CMD} --volume "${WORKSPACE}/data/logs/DCAE-FE/:/var/lib/jetty/logs" --volume "${WORKSPACE}/data/environments:/var/lib/jetty/chef-solo/environments" --publish 9444:9444 --publish 8183:8183 "${PREFIX}/${DOCKER_NAME}:${RELEASE}" /bin/sh command_exit_status $? ${DOCKER_NAME} echo "please wait while ${DOCKER_NAME^^} is starting....." monitor_docker ${DOCKER_NAME} @@ -311,7 +311,7 @@ function dcae-dt { if [ ${LOCAL} == false ]; then docker pull "${PREFIX}/${DOCKER_NAME}:${RELEASE}" fi - docker run ${DOCKER_RUN_MODE_FG} --name ${DOCKER_NAME} --env HOST_IP="${IP}" --env ENVNAME="${DEP_ENV}" --env JAVA_OPTIONS="${JAVA_OPTIONS}" --log-driver=json-file --log-opt max-size=100m --log-opt max-file=10 --ulimit memlock=-1:-1 --ulimit nofile=4096:100000 ${LOCAL_TIME_MOUNT_CMD} --volume "${WORKSPACE}/data/logs/DCAE-DT/:/var/lib/jetty/logs" --volume "${WORKSPACE}/data/environments:/root/chef-solo/environments/" --publish 9446:9446 --publish 8186:8186 "${PREFIX}/${DOCKER_NAME}:${RELEASE}" /bin/sh + docker run ${DOCKER_RUN_MODE_FG} --name ${DOCKER_NAME} --env HOST_IP="${IP}" --env ENVNAME="${DEP_ENV}" --env JAVA_OPTIONS="${JAVA_OPTIONS}" --log-driver=json-file --log-opt max-size=100m --log-opt max-file=10 --ulimit memlock=-1:-1 --ulimit nofile=4096:100000 ${LOCAL_TIME_MOUNT_CMD} --volume "${WORKSPACE}/data/logs/DCAE-DT/:/var/lib/jetty/logs" --volume "${WORKSPACE}/data/environments:/var/lib/jetty/chef-solo/environments/" --publish 9446:9446 --publish 8186:8186 "${PREFIX}/${DOCKER_NAME}:${RELEASE}" /bin/sh command_exit_status $? ${DOCKER_NAME} echo "please wait while ${DOCKER_NAME^^} is starting....." monitor_docker ${DOCKER_NAME} |