AAF non-root 89/103789/11
authorChrisC <christophe.closset@intl.att.com>
Tue, 17 Mar 2020 13:23:42 +0000 (14:23 +0100)
committerChrisC <christophe.closset@intl.att.com>
Tue, 24 Mar 2020 12:37:37 +0000 (13:37 +0100)
update AAF service dockerfiles to run as user AAF, reusing existing script infra

Issue-ID: AAF-1102
Signed-off-by: ChrisC <christophe.closset@intl.att.com>, JulienBe <jb3179x@att.com>
Change-Id: I2d9feef65a98d4545e407825533cd1741f891b45

17 files changed:
auth/auth-cass/cass_init/cmd.sh
auth/auth-cass/cass_init/restore.sh
auth/auth-cass/docker/Dockerfile.cass
auth/auth-cass/docker/dbuild.sh
auth/auth-cass/docker/dcqlsh.sh
auth/docker/Dockerfile.agent
auth/docker/Dockerfile.config
auth/docker/Dockerfile.core
auth/docker/Dockerfile.hello
auth/helm/aaf-hello/templates/aaf-hello.yaml
auth/helm/aaf/templates/aaf-cass.yaml
auth/helm/aaf/templates/aaf-cm.yaml
auth/helm/aaf/templates/aaf-fs.yaml
auth/helm/aaf/templates/aaf-gui.yaml
auth/helm/aaf/templates/aaf-locate.yaml
auth/helm/aaf/templates/aaf-oauth.yaml
auth/helm/aaf/templates/aaf-service.yaml

index 7569440..f605a47 100644 (file)
@@ -24,6 +24,7 @@
 DIR="/opt/app/aaf/status"
 INSTALLED_VERSION=/var/lib/cassandra/AAF_VERSION
 AAF_INIT_DATA=/var/lib/cassandra/AAF_INIT_DATA
+CQLSH=${CQLSH:=/opt/cassandra/bin/cqlsh}
 
 if [ ! -e /aaf_cmd ]; then
   ln -s /opt/app/aaf/cass_init/cmd.sh /aaf_cmd
@@ -71,7 +72,7 @@ function wait_start {
 function wait_cql {
    status wait for keyspace to be initialized
    for CNT in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
-     if [ -n "$(cqlsh -e 'describe keyspaces' | grep authz)"  ]; then
+     if [ -n "$($CQLSH -e 'describe keyspaces' | grep authz)"  ]; then
        break
      else
         echo "Waiting for Keyspaces to be loaded... Sleep 10"
@@ -96,11 +97,11 @@ function wait_ready {
 function install_cql {
     wait_start cassandra responsive   
     # Now, make sure data exists
-    if [ ! -e $INSTALLED_VERSION ] && [ -n "$(cqlsh -e 'describe keyspaces' | grep authz)" ]; then
-      cqlsh --request-timeout=60 -e 'DROP KEYSPACE authz' 
+    if [ ! -e $INSTALLED_VERSION ] && [ -n "$($CQLSH -e 'describe keyspaces' | grep authz)" ]; then
+      $CQLSH --request-timeout=60 -e 'DROP KEYSPACE authz'
     fi
 
-    if [ -z "`cqlsh --request-timeout 60 -e 'describe keyspaces' | grep authz`" ]; then
+    if [ -z "$($CQLSH --request-timeout 60 -e 'describe keyspaces' | grep authz)" ]; then
         status install 
         echo "Initializing Cassandra DB" 
         echo "Docker Installed Basic Cassandra on aaf.cass.  Executing the following "
@@ -109,10 +110,10 @@ function install_cql {
         echo " cd /opt/app/aaf/cass_init"
         cd /opt/app/aaf/cass_init
         echo " cqlsh -f keyspace.cql"
-        cqlsh --request-timeout=100 -f keyspace.cql
+        $CQLSH --request-timeout=100 -f keyspace.cql
        status keyspace installed
         echo " cqlsh -f init.cql"
-        cqlsh --request-timeout=100 -f init.cql
+        $CQLSH --request-timeout=100 -f init.cql
        status data initialized
         echo ""
         echo "The following will give you a temporary identity with which to start working, or emergency"
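Review bot: The two echo lines in this hunk still announce `cqlsh -f keyspace.cql` and `cqlsh -f init.cql` while the commands beneath them now run `$CQLSH`, so the log no longer shows the binary actually executed when CQLSH is overridden; print the expansion instead, `echo " $CQLSH -f keyspace.cql"` and `echo " $CQLSH -f init.cql"`. Across this file `$CQLSH` is expanded unquoted (the earlier hunks too), which is what lets an override carry flags the way restore.sh builds it, but it also word-splits an install path containing spaces; a comment beside the new default in the first hunk, `# CQLSH may carry extra flags; intentionally expanded unquoted`, would record that choice. install_cql continues outside the hunk.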
index abc6a7c..ba2c49e 100644 (file)
@@ -4,7 +4,7 @@
 echo `date`
 ENV=DOCKER
 
-CQLSH="cqlsh -k authz"
+CQLSH="${CQLSH:=/opt/cassandra/bin/cqlsh} -k authz"
 
 cd dats
 if [ "$*" = "" ]; then
index 0f12d8c..5d9c3db 100644 (file)
@@ -32,11 +32,16 @@ COPY aaf-auth-batch-*-full.jar /opt/app/aaf/cass_init/
 COPY cass_data/*.dat /opt/app/aaf/cass_init/dats/
 COPY sample.identities.dat /opt/app/aaf/cass_init/data/identites.dat
 
-RUN mkdir -p /opt/app/aaf/status && chmod 777 /opt/app/aaf/status && \
-    addgroup ${USER} && adduser --no-create-home --ingroup ${USER} --disabled-password --gecos "" --shell /bin/bash ${USER} && \
-    chown -R ${USER}:${USER} /opt/app/aaf/cass_init
-
+RUN mkdir -p /opt/app/aaf/status &&\
+    chmod 777 /opt/app/aaf/status && \
+    addgroup ${DUSER} && adduser --ingroup cassandra --disabled-password --gecos "" --shell /bin/bash ${DUSER} && \
+    chown -R ${DUSER}:cassandra /opt/app/aaf/cass_init &&\
+    chown -R ${DUSER}:cassandra /etc/cassandra &&\
+    mkdir -p /var/lib/cassandra/data && chown -R ${DUSER}:cassandra /var/lib/cassandra &&\
+    chown -R ${DUSER}:cassandra /var/log/cassandra &&\
+    ln -s /opt/app/aaf/cass_init/cmd.sh /aaf_cmd && chmod a+x /aaf_cmd
 
+USER ${DUSER}
 ENTRYPOINT ["/bin/bash","/opt/app/aaf/cass_init/cmd.sh"]
 CMD ["start"]
 # Default is to start up with CQL setup only
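Review bot: `/opt/app/aaf/status` is still made world-writable with `chmod 777` on the second line of the RUN, even though the image now has a dedicated user and every other directory in the same RUN is handed to `${DUSER}:cassandra`; `chown ${DUSER}:cassandra /opt/app/aaf/status && chmod 775 /opt/app/aaf/status` keeps the status directory writable for the service without opening it to every UID. The `chown -R ${DUSER}:cassandra /etc/cassandra` line gives the service account write access to the Cassandra configuration; if cmd.sh only reads those files a group read grant is enough, so that is worth confirming against the script. `adduser --ingroup cassandra` presumes the base image already defines a `cassandra` group and the build fails otherwise; a comment stating that dependency would help the next person who changes the base image.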
index 7e2ac7c..6a1ae1c 100644 (file)
@@ -25,7 +25,7 @@ if [ -e ../../docker/d.props ]; then
   . ../../docker/d.props
 fi
 DOCKER=${DOCKER:-docker}
+
 function SCP() {
   SANS=${1/-SNAPSHOT/}
   echo $1 = $SANS
@@ -52,7 +52,7 @@ echo "$0: DOCKER_PULL_REGISTRY=${DOCKER_REGISTRY}"
 DIR=$(pwd)
 cd ..
 sed -e 's/${AAF_VERSION}/'${VERSION/-SNAPSHOT/}'/g' \
-    -e 's/${USER}/'${USER}'/g' \
+    -e 's/${DUSER}/'${DUSER}'/g' \
     -e 's/${REGISTRY}/'${DOCKER_PULL_REGISTRY}'/g' \
     $DIR/Dockerfile.cass > Dockerfile
 cd ..
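Review bot: The sed replacement `'${DUSER}'` on the changed line is unquoted and nothing checks that DUSER is set, so an empty or missing DUSER (it appears to come from d.props, sourced above) silently produces `USER ` in the generated Dockerfile and the build fails later with an unhelpful message; add `: "${DUSER:?DUSER must be set in d.props}"` before the sed and quote the replacement as `"${DUSER}"`. Because the template variable was renamed from `${USER}` to `${DUSER}`, a stale d.props that still only sets USER now yields no user at all, which the assertion would surface immediately.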
index 2518eb9..c8708d7 100644 (file)
@@ -22,5 +22,5 @@
 if [ -e ../../docker/d.props ]; then
   . ../../docker/d.props
 fi
-${DOCKER:=docker} exec -it aaf-cass /usr/bin/cqlsh -k authz
+${DOCKER:=docker} exec -it aaf-cass ${CQLSH:=/usr/bin/cqlsh} -k authz
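Review bot: The default added here, `${CQLSH:=/usr/bin/cqlsh}`, disagrees with the default cmd.sh and restore.sh adopt in this same commit, `/opt/cassandra/bin/cqlsh`; since this command runs inside the aaf-cass container via `docker exec`, only one of the two paths can be right for that image. The removed line used `/usr/bin/cqlsh`, so keeping it may be deliberate, but a comment recording which path the image actually ships, `# cqlsh path inside the aaf-cass image; keep in sync with cass_init/cmd.sh`, would settle it. The expansion is also unquoted, which lets CQLSH carry flags but splits a path containing spaces.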
 
index ec5f24e..e974dc4 100644 (file)
@@ -31,5 +31,5 @@ COPY bin/aaf-cadi-servlet-sample-*-sample.jar /opt/app/aaf_config/bin/
 COPY cert/*trust*.b64 /opt/app/aaf_config/cert/
 RUN chmod 755 /opt/app/aaf_config/bin/* &&\
     if [ -n "${DUSER}" ]; then chown -R ${DUSER}:${DUSER} /opt/app/aaf_config; fi
-
+USER ${DUSER}
 CMD []
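Review bot: `USER ${DUSER}` is added unconditionally while the chown two lines above is guarded by `if [ -n "${DUSER}" ]`, so a build in which DUSER is empty passes the RUN and then fails at the USER instruction, which rejects an empty argument; the current mix neither asserts the value nor falls back cleanly. The same pairing is in Dockerfile.agent, Dockerfile.core and Dockerfile.hello in this commit. Failing the build is the safer outcome for a non-root change, so I would keep it and say so: `# DUSER is substituted at build time; an empty value fails the build here on purpose`.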
index 4bb7a94..b2263ec 100644 (file)
@@ -39,5 +39,5 @@ COPY bin/aaf-auth-batch-${JAR_VERSION}-full.jar /opt/app/aaf_config/bin/
 RUN mkdir -p /opt/app/osaaf &&\
     chmod 755 /opt/app/aaf_config/bin/*.sh &&\
     if [ -n "${DUSER}" ]; then chown ${DUSER}:${DUSER} /opt/app/osaaf && chown -R ${DUSER}:${DUSER} /opt/app/aaf_config; fi
-
+USER ${DUSER}
 CMD ["/bin/bash","/opt/app/aaf_config/bin/agent.sh"]
index 5c66c8c..4179c5e 100644 (file)
@@ -37,4 +37,4 @@ RUN mkdir -p /opt/app/osaaf &&\
       && chown ${DUSER}:${DUSER} /opt/app/osaaf \
       && chown -R ${DUSER}:${DUSER} /opt/app/aaf;\
     fi
-
+USER ${DUSER}
index 4b12a6f..82d9a9f 100644 (file)
@@ -37,5 +37,5 @@ RUN mkdir -p /opt/app/osaaf &&\
       && chown ${DUSER}:${DUSER} /opt/app/osaaf \
       && chown -R ${DUSER}:${DUSER} /opt/app/aaf;\
     fi
-
+USER ${DUSER}
 CMD []
index 3ff9a57..a79f39e 100644 (file)
@@ -56,6 +56,18 @@ spec:
           persistentVolumeClaim:
             claimName: aaf-hello-pvc
       initContainers:
+        - command:
+            - /bin/sh
+            - -c
+            - |
+              chmod -R 775 /opt/app/osaaf
+              chown -R 1000:1000 /opt/app/osaaf
+          image: busybox:1.28
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          name: init-sysctl
+          volumeMounts:
+            - mountPath: /opt/app/osaaf
+              name: aaf-hello-vol
         - name: aaf-hello-config
           image: "{{ .Values.image.repository }}{{ .Values.service.agentImage }}"
           imagePullPolicy: IfNotPresent
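Review bot: The init container hard-codes `chown -R 1000:1000`, but nothing in this commit pins the service user to UID/GID 1000 — the `adduser` calls in the Dockerfiles pass no `--uid`, so the match depends on the base image handing out 1000 first; pinning it with `adduser --uid 1000 ...` (or templating the id from values) keeps volume ownership from drifting away from the runtime user. The container name `init-sysctl` does not describe what it does; `init-volume-perms` would. `chmod -R 775` on every pod start also relaxes permissions on files the application may have created more restrictively, so limiting it to the mount's top level is worth considering. The same block is repeated in the aaf-cass, aaf-cm, aaf-fs, aaf-gui, aaf-locate, aaf-oauth and aaf-service templates.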
index f795dfe..ace2181 100644 (file)
@@ -68,6 +68,23 @@ spec:
       - name: aaf-status-vol
         persistentVolumeClaim:
           claimName: aaf-status-pvc
+      initContainers:
+        - command:
+            - /bin/sh
+            - -c
+            - |
+              chmod -R 775 /opt/app/aaf/status
+              chown -R 1000:1000 /opt/app/aaf/status
+              chmod -R 775 /var/lib/cassandra
+              chown -R 1000:1000 /var/lib/cassandra
+          image: busybox:1.28
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          name: init-sysctl
+          volumeMounts:
+            - mountPath: /opt/app/aaf/status
+              name: aaf-status-vol
+            - mountPath: /var/lib/cassandra
+              name: aaf-cass-vol
       containers:
 ###
 ### AAF-CASS
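Review bot: This init container runs `chown -R 1000:1000 /var/lib/cassandra` and `chmod -R 775 /var/lib/cassandra` over the whole Cassandra data volume on every pod start, which walks every data file and grows with the data set, and the chmod makes the data files group-writable. Restricting the recursive pass to the first start, e.g. `[ "$(stat -c %u /var/lib/cassandra)" = 1000 ] || chown -R 1000:1000 /var/lib/cassandra`, or chowning only the top level and letting Cassandra create its own files as the running user, avoids both. Whether busybox:1.28's stat supports `-c` in this image should be checked before relying on it.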
index ebb4983..e64da6c 100644 (file)
@@ -59,6 +59,22 @@ spec:
         persistentVolumeClaim:
           claimName: aaf-status-pvc
       initContainers:
+        - command:
+            - /bin/sh
+            - -c
+            - |
+              chmod -R 775 /opt/app/aaf/status
+              chown -R 1000:1000 /opt/app/aaf/status
+              chmod -R 775 /opt/app/osaaf
+              chown -R 1000:1000 /opt/app/osaaf
+          image: busybox:1.28
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          name: init-sysctl
+          volumeMounts:
+            - mountPath: /opt/app/aaf/status
+              name: aaf-status-vol
+            - mountPath: /opt/app/osaaf
+              name: aaf-config-vol
         - name: aaf-config-container
           image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
           imagePullPolicy: IfNotPresent
index 479447d..e3973af 100644 (file)
@@ -59,6 +59,22 @@ spec:
         persistentVolumeClaim:
           claimName: aaf-status-pvc
       initContainers:
+        - command:
+            - /bin/sh
+            - -c
+            - |
+              chmod -R 775 /opt/app/aaf/status
+              chown -R 1000:1000 /opt/app/aaf/status
+              chmod -R 775 /opt/app/osaaf
+              chown -R 1000:1000 /opt/app/osaaf
+          image: busybox:1.28
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          name: init-sysctl
+          volumeMounts:
+            - mountPath: /opt/app/osaaf
+              name: aaf-config-vol
+            - mountPath: /opt/app/aaf/status
+              name: aaf-status-vol
         - name: aaf-config-container
           image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
           imagePullPolicy: IfNotPresent
index 14c4259..93c1473 100644 (file)
@@ -60,6 +60,22 @@ spec:
         persistentVolumeClaim:
           claimName: aaf-status-pvc
       initContainers:
+        - command:
+            - /bin/sh
+            - -c
+            - |
+              chmod -R 775 /opt/app/aaf/status
+              chown -R 1000:1000 /opt/app/aaf/status
+              chmod -R 775 /opt/app/osaaf
+              chown -R 1000:1000 /opt/app/osaaf
+          image: busybox:1.28
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          name: init-sysctl
+          volumeMounts:
+            - mountPath: /opt/app/osaaf
+              name: aaf-config-vol
+            - mountPath: /opt/app/aaf/status
+              name: aaf-status-vol
         - name: aaf-config-container
           image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
           imagePullPolicy: IfNotPresent
index d4f2bf6..57ba43d 100644 (file)
@@ -59,6 +59,22 @@ spec:
         persistentVolumeClaim:
           claimName: aaf-status-pvc
       initContainers:
+        - command:
+            - /bin/sh
+            - -c
+            - |
+              chmod -R 775 /opt/app/aaf/status
+              chown -R 1000:1000 /opt/app/aaf/status
+              chmod -R 775 /opt/app/osaaf
+              chown -R 1000:1000 /opt/app/osaaf
+          image: busybox:1.28
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          name: init-sysctl
+          volumeMounts:
+            - mountPath: /opt/app/aaf/status
+              name: aaf-status-vol
+            - mountPath: /opt/app/osaaf
+              name: aaf-config-vol
         - name: aaf-config-container
           image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
           imagePullPolicy: IfNotPresent
index 4d5ac75..ab21e3a 100644 (file)
@@ -59,6 +59,22 @@ spec:
         persistentVolumeClaim:
           claimName: aaf-status-pvc
       initContainers:
+        - command:
+            - /bin/sh
+            - -c
+            - |
+              chmod -R 775 /opt/app/aaf/status
+              chown -R 1000:1000 /opt/app/aaf/status
+              chmod -R 775 /opt/app/osaaf
+              chown -R 1000:1000 /opt/app/osaaf
+          image: busybox:1.28
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          name: init-sysctl
+          volumeMounts:
+            - mountPath: /opt/app/aaf/status
+              name: aaf-status-vol
+            - mountPath: /opt/app/osaaf
+              name: aaf-config-vol
         - name: aaf-config-container
           image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
           imagePullPolicy: IfNotPresent
index 96efa75..f4772d6 100644 (file)
@@ -58,6 +58,22 @@ spec:
         persistentVolumeClaim:
           claimName: aaf-status-pvc
       initContainers:
+        - command:
+            - /bin/sh
+            - -c
+            - |
+              chmod -R 775 /opt/app/aaf/status
+              chown -R 1000:1000 /opt/app/aaf/status
+              chmod -R 775 /opt/app/osaaf
+              chown -R 1000:1000 /opt/app/osaaf
+          image: busybox:1.28
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          name: init-sysctl
+          volumeMounts:
+          - mountPath: /opt/app/aaf/status
+            name: aaf-status-vol
+          - mountPath: /opt/app/osaaf
+            name: aaf-config-vol
         - name: aaf-config-container
           image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }}
           imagePullPolicy: IfNotPresent
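Review bot: The volumeMounts list in this hunk is indented two columns less than in the other templates of this commit (the `- mountPath:` items sit level with the `volumeMounts:` key rather than under it); YAML accepts both forms, but aligning it with the sibling files keeps the templates diffable against each other.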