Making POD run as non-root

Non-root user addition

Change-Id: I45ebc75940c020fdda79fbe454461a19df39c525
Issue-ID: CCSDK-2149
Signed-off-by: jananib <janani.b@huawei.com>

diff --git a/ms/command-executor/src/main/docker/Dockerfile b/ms/command-executor/src/main/docker/Dockerfile
index 70cf943..c381260 100644 (file)
--- a/ms/command-executor/src/main/docker/Dockerfile
+++ b/ms/command-executor/src/main/docker/Dockerfile
@@ -5,10 +5,13 @@ RUN python -m pip install --upgrade pip
 RUN pip install grpcio==${GRPC_PYTHON_VERSION} grpcio-tools==${GRPC_PYTHON_VERSION}
 RUN pip install virtualenv==16.7.9
 
+RUN groupadd -r onap && useradd -r -g onap onap
+
 COPY start.sh /opt/app/onap/start.sh
 RUN chmod u+x /opt/app/onap/start.sh
 
 RUN mkdir -p /opt/app/onap/logs/ && touch /opt/app/onap/logs/application.log
+RUN chown onap:onap /opt -R
 
 COPY @project.build.finalName@-@assembly.id@.tar.gz /source.tar.gz
 RUN tar -xzf /source.tar.gz -C /tmp \
@@ -17,5 +20,5 @@ RUN tar -xzf /source.tar.gz -C /tmp \
  && rm -rf /tmp/@project.build.finalName@
 
 VOLUME /opt/app/onap/blueprints/deploy/
-
+USER onap
 ENTRYPOINT /opt/app/onap/start.sh

diff --git a/ms/py-executor/docker/Dockerfile b/ms/py-executor/docker/Dockerfile
index 043e15d..bb1b0f7 100644 (file)
--- a/ms/py-executor/docker/Dockerfile
+++ b/ms/py-executor/docker/Dockerfile
@@ -1,5 +1,7 @@
 FROM python:3.7-slim
 
+RUN groupadd -r onap && useradd -r -g onap onap
+
 RUN mkdir -p /opt/app/onap/logs/ && touch /opt/app/onap/logs/application.log
 
 COPY @project.build.finalName@-@assembly.id@.tar.gz /source.tar.gz
@@ -10,6 +12,8 @@ RUN tar -xzf /source.tar.gz -C /tmp \
 
 RUN pip install --no-cache-dir -r /opt/app/onap/python/requirements/docker.txt
 
-VOLUME /opt/app/onap/blueprints/deploy/
+RUN chown onap:onap /opt -R
 
+VOLUME /opt/app/onap/blueprints/deploy/
+USER onap
 ENTRYPOINT /opt/app/onap/python/start.sh