From: Harish Venkata Kajur
Date: Wed, 15 Jul 2020 17:16:23 +0000 (-0400)
Subject: Update haproxy to run as user haproxy
X-Git-Tag: 1.7.0~6
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=1833cf56285fa9c6d1937a6cc659b1ca2d91ddec;p=aai%2Faai-common.git
Update haproxy to run as user haproxy
Issue-ID: AAI-2822
Change-Id: I586c5da9c6a8710536b106272447806d3bfed3b4
Signed-off-by: Harish Venkata Kajur
---
diff --git a/aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile b/aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile
index a96c3640..9e9d80c7 100644
--- a/aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile
+++ b/aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile
@@ -13,16 +13,18 @@ RUN apk add --no-cache \
 shadow \
 util-linux && \
 groupadd haproxy -g 1000 && \
- adduser -u 1000 -S -D -G haproxy -s /bin/bash haproxy
+ adduser -u 1000 -S -D -G haproxy -s /bin/bash haproxy && \
+ chown -R haproxy:haproxy /usr/local/etc/haproxy
 RUN mkdir -p /etc/ssl/certs/ && mkdir -p /etc/ssl/private
-COPY aai.pem /etc/ssl/private/aai.pem
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-COPY resolvers.conf /usr/local/etc/haproxy/resolvers.conf
-COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+COPY --chown=haproxy aai.pem /etc/ssl/private/aai.pem
+COPY --chown=haproxy docker-entrypoint.sh /docker-entrypoint.sh
+COPY --chown=haproxy resolvers.conf /usr/local/etc/haproxy/resolvers.conf
+COPY --chown=haproxy haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
 RUN chmod +x /docker-entrypoint.sh
+USER haproxy
 ENTRYPOINT [ "/docker-entrypoint.sh" ]
 CMD [ "haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg", "-f", "/usr/local/etc/haproxy/resolvers.conf" ]
diff --git a/aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh b/aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh
index 9095b3d1..a56eea95 100644
--- a/aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh
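Review bot: `COPY --chown=haproxy docker-entrypoint.sh /docker-entrypoint.sh` hands ownership of the entrypoint script to the same account the container now runs as, so anything executing as haproxy can rewrite the script that starts the service. Only the files under `/usr/local/etc/haproxy` need to be writable by that user (the entrypoint edits them with `sed -i`); the script can stay root-owned because `RUN chmod +x /docker-entrypoint.sh` already makes it executable for everyone, i.e. `COPY docker-entrypoint.sh /docker-entrypoint.sh`. The same reasoning applies to `aai.pem` under `/etc/ssl/private`, which the service presumably only reads; root ownership with group read for haproxy would be tighter than full ownership. If the image is deployed under a Kubernetes `runAsNonRoot` policy, `USER 1000` (the UID given to `adduser -u 1000`) can be verified without resolving the name, whereas `USER haproxy` cannot.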
+++ b/aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh
@@ -16,7 +16,7 @@ sed -i 's/${ONAP_NAMESERVER_CLUSTER_IP}/'${NAMESERVER_IP}'/g' /usr/local/etc/hap
 if [ "$1" = 'haproxy' ]; then
 # if the user wants "haproxy", let's use "haproxy-systemd-wrapper" instead so we can have proper reloadability implemented by upstream
 shift # "haproxy"
- set -- "$(which haproxy-systemd-wrapper)" -p /run/haproxy.pid "$@"
+ set -- "$(which haproxy-systemd-wrapper)" -p /usr/local/etc/haproxy/haproxy.pid "$@"
 fi
 exec "$@"
diff --git a/aai-common-docker/aai-haproxy-image/src/main/docker/haproxy.cfg b/aai-common-docker/aai-haproxy-image/src/main/docker/haproxy.cfg
index a8da55c5..9f53e717 100644
--- a/aai-common-docker/aai-haproxy-image/src/main/docker/haproxy.cfg
+++ b/aai-common-docker/aai-haproxy-image/src/main/docker/haproxy.cfg
@@ -2,8 +2,6 @@ global
 log /dev/log local0
 stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
 stats timeout 30s
- user haproxy
- group haproxy
 daemon
 #################################
 # Default SSL material locations#
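Review bot: The pid file in the `set --` line now lands in `/usr/local/etc/haproxy`, the directory that also holds `haproxy.cfg`, `resolvers.conf` and the `level admin` stats socket, so runtime state and configuration share one path that must stay writable by the service account. A dedicated runtime directory created and chowned to haproxy in the Dockerfile would keep state out of the config path, for example `-p /run/haproxy/haproxy.pid`, and would keep working if the container is later run with a read-only root filesystem and a tmpfs mounted at that directory. The script begins above this hunk, so the `sed -i` calls that also write into the config directory are only partly visible here; a one-line comment above the `set --` line explaining why the pid file moved (non-root cannot write `/run`) would help the next reader.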