From cee4b4cb464446b1d98dea8e49af5ef858d87aed Mon Sep 17 00:00:00 2001
From: Kanagaraj Manickam
Date: Thu, 19 Mar 2020 15:40:52 +0530
Subject: non-root docker support
Issue-ID: VNFSDK-565
Change-Id: I231f28cef791bb1ccbffd407bcd25604a7d18bcc
Signed-off-by: Kanagaraj Manickam k00365106
---
 .../docker-refrepo/src/main/docker/Dockerfile | 26 +++++---
 .../src/main/docker/docker-entrypoint.sh | 5 +-
 .../docker-refrepo/src/main/docker/install-vtp.sh | 18 +++---
 .../docker-refrepo/src/main/docker/instance-run.sh | 5 +-
 .../docker-refrepo/src/main/docker/nginx.conf | 70 +++++++++++-----------
 .../docker-refrepo/src/main/docker/vtp-tc.sh | 13 ++--
 6 files changed, 69 insertions(+), 68 deletions(-)
(limited to 'vnfmarket-be/deployment/docker/docker-refrepo')
diff --git a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/Dockerfile b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/Dockerfile
index 7475399a..612aecd0 100644
--- a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/Dockerfile
+++ b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/Dockerfile
@@ -26,26 +26,19 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get -y install python-software-properties RUN DEBIAN_FRONTEND=noninteractive apt-get -y install software-properties-common sudo RUN add-apt-repository ppa:openjdk-r/ppa -y && \ - # update data from repositories apt-get update --fix-missing -y && \ - # upgrade OS apt-get -y dist-upgrade && \ - # Make info file about this build printf "Build of java:openjdk-8-jre-headless, date: %s\n" `date -u +"%Y-%m-%dT%H:%M:%SZ"` > /service/java && \ - # install application apt-get install -y --no-install-recommends openjdk-8-jre-headless && \ - # fix default setting ln -s java-8-openjdk-amd64 /usr/lib/jvm/default-jvm && \ - # remove apt cache from image apt-get clean all - # Set up tomcat RUN wget -q https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.30/bin/apache-tomcat-8.5.30.tar.gz && tar --strip-components=1 -xf apache-tomcat-8.5.30.tar.gz && rm -f apache-tomcat-8.5.30.tar.gz && rm -rf webapps && mkdir -p webapps/ROOT RUN echo 'export CATALINA_OPTS="$CATALINA_OPTS -Xms64m -Xmx256m -XX:MaxPermSize=64m"' > /service/bin/setenv.sh 
@@ -122,8 +115,23 @@ RUN chmod a+x /service/vtp-tc.sh RUN /service/install-vtp.sh EXPOSE 50051 -ENTRYPOINT /service/docker-entrypoint.sh -RUN chmod a+x /service/docker-entrypoint.sh +RUN groupadd -r vnfadmin && useradd -m --no-log-init -r -g vnfadmin vnfadmin && \ + usermod -aG sudo vnfadmin && echo "vnfadmin ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \ + chmod -R 777 /usr/local/ + +USER vnfadmin + +RUN RUN umask 000 && sudo chmod +x /service/bin/*.sh /service/*.sh && \ + mkdir -p /service/logs && mkdir -p /var/log/nginx/ && \ + sudo chown -R vnfadmin:vnfadmin /var/log/nginx/ && \ + sudo chown -R vnfadmin:vnfadmin /service/ /opt/vtp /var/log && \ + sudo chmod -R +w /service/ /opt/vtp /var/log && \ + sudo touch /run/nginx.pid && sudo chown -R vnfadmin:vnfadmin /run/nginx.pid && \ + chmod +w /run/nginx.pid && sudo chown -R vnfadmin:vnfadmin /var/log/nginx/ && \ + sudo usermod -aG www-data vnfadmin && sudo chmod -R a+w /var/lib/nginx + + +#ENTRYPOINT /service/docker-entrypoint.sh ENTRYPOINT ["/service/docker-entrypoint.sh"] diff --git a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/docker-entrypoint.sh b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/docker-entrypoint.sh index c7941209..3bb1414c 100755 --- a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/docker-entrypoint.sh +++ b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/docker-entrypoint.sh 
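Review bot: The added `RUN RUN umask 000 && sudo chmod +x …` instruction hands the literal word `RUN` to the shell as a command, so the chain exits 127 on its first element and none of the chmod/chown/mkdir steps execute — and since the old `RUN chmod a+x /service/docker-entrypoint.sh` is removed in the same hunk, the entrypoint may no longer be executable at all. The `NOPASSWD: ALL` sudoers entry and `chmod -R 777 /usr/local/` then make `USER vnfadmin` cosmetic: any process in the container can `sudo` straight back to root, and `/usr/local/bin`, where install-vtp.sh now links `oclip`, `vtp-cli` and `vtp-tc`, is writable by everyone. Because every command in that block already goes through sudo, the ownership setup belongs in a single root-run RUN placed before `USER vnfadmin`, limited to the paths the service actually writes, with the sudoers line, the `777`/`a+w` grants and the stale `#ENTRYPOINT` comment dropped, as sketched below. docker-entrypoint.sh, install-vtp.sh and vtp-tc.sh in this commit still call sudo at runtime and would need the matching cleanup.
```dockerfile
RUN groupadd -r vnfadmin && useradd -m --no-log-init -r -g vnfadmin -G www-data vnfadmin && \
    chmod +x /service/bin/*.sh /service/*.sh && \
    mkdir -p /service/logs /var/log/nginx && touch /run/nginx.pid && \
    chown -R vnfadmin:vnfadmin /service /opt/vtp /var/log/nginx /var/lib/nginx /run/nginx.pid

USER vnfadmin

ENTRYPOINT ["/service/docker-entrypoint.sh"]
```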
@@ -20,6 +20,8 @@ # vnf-sdk-marketplace/target/docker-entrypoint.sh # +umask 000 && sudo chmod +x /service/bin/*.sh /service/*.sh && mkdir -p /service/logs && mkdir -p /var/log/nginx/ && sudo chown -R vnfadmin:vnfadmin /var/log/nginx/ /service/ /opt/vtp /var/log && sudo chmod -R +w /service/ /opt/vtp /var/log && sudo touch /run/nginx.pid && sudo chown -R vnfadmin:vnfadmin /run/nginx.pid && chmod +w /run/nginx.pid && sudo chown -R vnfadmin:vnfadmin /var/log/nginx/ && sudo usermod -aG www-data vnfadmin && sudo chmod -R a+w /var/lib/nginx + if [ -z "$SERVICE_IP" ]; then export SERVICE_IP=`hostname -i` fi @@ -44,7 +46,7 @@ if [ ! -e init.log ]; then # Perform workarounds due to defects in release binary ./instance-workaround.sh - + # microservice-specific one-time initialization ./instance-init.sh @@ -54,4 +56,3 @@ fi # Start the microservice ./instance-run.sh - diff --git a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/install-vtp.sh b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/install-vtp.sh index 005ce53c..713b28c2 100644 --- a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/install-vtp.sh +++ b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/install-vtp.sh @@ -18,13 +18,13 @@ export _PWD=`pwd` echo ################ Check for java -apt-get install -y wget unzip +sudo apt-get install -y wget unzip #check for java java -version if [ $? == 127 ] then - apt-get install -y openjdk-8-jre + sudo apt-get install -y openjdk-8-jre fi echo ################ Install OCLIP 
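Review bot: The `umask 000` at the start of the added one-liner is not scoped to that chain; it stays in effect for the rest of the entrypoint, so tomcat, nginx and vtp-tc started later via `./instance-run.sh` inherit it and create world-writable log and work files. The chown/chmod/usermod work on the same line repeats the Dockerfile's build-time RUN and is better done once there as root; if anything has to stay here, keep it to `mkdir -p /service/logs /var/log/nginx` and drop the umask. No `set -e` is visible in this file, so when `sudo` fails (no sudoers entry, no sudo binary) the `&&` chain just short-circuits and the script carries on as if setup had succeeded; at minimum append `|| { echo "permission setup failed" >&2; exit 1; }` to the line. The script continues outside the hunk.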
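Review bot: `sudo apt-get install -y wget unzip` (and the second `sudo apt-get` in this hunk, plus the `sudo chmod +x` lines in the next hunk of this file) adds a sudo dependency to a script the Dockerfile invokes with `RUN /service/install-vtp.sh` before `USER vnfadmin`, i.e. already as root, where sudo changes nothing. In the next hunk the same script then creates the `/usr/local/bin` symlinks without sudo, so the privilege model is inconsistent and only works because `/usr/local` is made world-writable elsewhere in this commit. Either run the whole script as root at build time and remove the `sudo` prefixes, or, if it is meant to be re-run as vnfadmin later, move the `apt-get` calls into the Dockerfile and keep only the unprivileged steps here. The script continues outside the hunk.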
@@ -53,17 +53,17 @@ do mv ${cmd}_ ${cmd} done -chmod +x ./bin/oclip.sh -chmod +x ./bin/oclip-rcli.sh -chmod +x ./bin/oclip-grpc-server.sh +sudo chmod +x ./bin/oclip.sh +sudo chmod +x ./bin/oclip-rcli.sh +sudo chmod +x ./bin/oclip-grpc-server.sh echo export OPEN_CLI_HOME=/opt/vtp > $OPEN_CLI_HOME/bin/vtp.sh echo $OPEN_CLI_HOME/bin/oclip-grpc-server.sh>> $OPEN_CLI_HOME/bin/vtp.sh -chmod +x $OPEN_CLI_HOME/bin/vtp.sh +sudo chmod +x $OPEN_CLI_HOME/bin/vtp.sh -ln -sf $OPEN_CLI_HOME/bin/oclip.sh /usr/bin/oclip -ln -sf $OPEN_CLI_HOME/bin/oclip-rcli.sh /usr/bin/vtp-cli -ln -sf $OPEN_CLI_HOME/bin/oclip-grpc-server.sh /usr/bin/vtp-tc +ln -sf $OPEN_CLI_HOME/bin/oclip.sh /usr/local/bin/oclip +ln -sf $OPEN_CLI_HOME/bin/oclip-rcli.sh /usr/local/bin/vtp-cli +ln -sf $OPEN_CLI_HOME/bin/oclip-grpc-server.sh /usr/local/bin/vtp-tc echo ################ Deploy sample csar validation test case CSARVALIDATOR_LATEST_BINARY="https://nexus.onap.org/service/local/artifact/maven/redirect?r=releases&g=org.onap.vnfsdk.validation&a=csarvalidation-deployment&e=zip&v=LATEST" diff --git a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/instance-run.sh b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/instance-run.sh index 5e3f9bda..1f0d14d0 100755 --- a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/instance-run.sh +++ b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/instance-run.sh @@ -16,12 +16,11 @@ # #Start VTP service -service vtp-tc start +./vtp-tc.sh start # Start tomcat service ./bin/start.sh - service nginx start # Show log files echo Waiting for log file... @@ -30,5 +29,3 @@ while [ ! -f /service/logs/* ]; do done echo /service/logs/* tail -F /service/logs/* - - diff --git a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/nginx.conf b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/nginx.conf index 7f223de7..ef50c595 100644 --- a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/nginx.conf 
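Review bot: In instance-run.sh the `service nginx start` line directly below the changed `./vtp-tc.sh start` is still executed, now as `vnfadmin`, and the distro init script presumably needs root to write its pid file and switch users, so nginx likely never comes up while the script proceeds to `tail -F` as if the proxy were running. Since nginx.conf in this commit sets `daemon off;`, starting the binary directly under the service account, e.g. `nginx -c <path-to-nginx.conf> &` followed by a status check, would be the non-root-compatible form; the path of the installed config is not visible in this diff, so confirm it before wiring this in. Nothing checks the exit status of any of the three start commands, so a failure of any of them is silent; consider at least `./bin/start.sh || exit 1` on the tomcat line as well. The script continues outside the hunk.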
+++ b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/nginx.conf 
@@ -3,48 +3,48 @@ daemon off; #pid /run/nginx.pid; events { - worker_connections 500; - # multi_accept on; + worker_connections 500; + # multi_accept on; } http { - - ## - # Basic Settings - ## - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; #Comment or disable the access_log once tested to avoid runtime logs # access_log /var/log/nginx/access.log format gzip; access_log off; error_log /var/log/nginx/error.log; - server { - listen *:8703 ssl; - server_name - ssl on; - ssl_certificate /etc/nginx/ssl/cert.crt; - ssl_certificate_key /etc/nginx/ssl/cert.key; - ssl_session_cache builtin:1000 shared:SSL:80m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; - ssl_prefer_server_ciphers on; - ssl_session_timeout 10m; - keepalive_timeout 70; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_pass http://localhost:8702; - proxy_read_timeout 90; - proxy_redirect off; - } - } + server { + listen *:8703 ssl; + server_name + ssl on; + ssl_certificate /etc/nginx/ssl/cert.crt; + ssl_certificate_key /etc/nginx/ssl/cert.key; + ssl_session_cache builtin:1000 shared:SSL:80m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; + ssl_prefer_server_ciphers on; + ssl_session_timeout 10m; + keepalive_timeout 70; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://localhost:8702; + proxy_read_timeout 90; + proxy_redirect off; + } + } } 
diff --git a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/vtp-tc.sh b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/vtp-tc.sh index 38f50c42..29b3562d 100644 --- a/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/vtp-tc.sh +++ b/vnfmarket-be/deployment/docker/docker-refrepo/src/main/docker/vtp-tc.sh @@ -26,13 +26,12 @@ dir="/opt" cmd="/opt/vtp/bin/vtp.sh" -user="root" name=`basename $0` -pid_file="/var/run/$name.pid" +pid_file="/var/log/$name.pid" stdout_log="/var/log/$name.log" stderr_log="/var/log/$name.err" - +export JAVA_HOME=/usr/lib/jvm/default-jvm get_pid() { cat "$pid_file" } @@ -48,11 +47,7 @@ case "$1" in else echo "Starting $name" cd "$dir" - if [ -z "$user" ]; then - sudo $cmd >> "$stdout_log" 2>> "$stderr_log" & - else - sudo -u "$user" $cmd >> "$stdout_log" 2>> "$stderr_log" & - fi + $cmd >> "$stdout_log" 2>> "$stderr_log" & echo $! > "$pid_file" if ! is_running; then echo "Unable to start, see $stdout_log and $stderr_log" @@ -63,7 +58,7 @@ case "$1" in stop) if is_running; then echo -n "Stopping $name.." - kill `get_pid` + sudo kill `get_pid` for i in {1..10} do if ! is_running; then -- cgit 1.2.3-korg
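Review bot: The `sudo` prefix added to the `kill` line in the `stop)` branch re-escalates a step the same commit just de-escalated: the `start)` branch now launches `$cmd` as the invoking user, so its process can be signalled without sudo, and a plain `kill` is all that is needed. The pid is read from `$pid_file`, which the first hunk moves to `/var/log/$name.pid`, a directory this commit chowns and opens up to the service account, so the only effect of sudo here is that whoever can write that file gets root to kill an arbitrary pid on the next `stop`. Change the line to `kill "$(get_pid)"` and keep the pid file in a directory only vnfadmin can write, rather than the shared log directory. The `case` statement that holds these branches starts and ends outside the hunks.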