From: ChrisC Date: Tue, 17 Mar 2020 13:23:42 +0000 (+0100) Subject: AAF non-root X-Git-Tag: 2.1.20~1 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=aaf%2Fauthz.git;a=commitdiff_plain;h=48bcfb9d4b03ac3e2e6915f7bdf72599c8794d43 AAF non-root update AAF service dockerfiles to run as user AAF, reusing existing script infra Issue-ID: AAF-1102 Signed-off-by: ChrisC , JulienBe Change-Id: I2d9feef65a98d4545e407825533cd1741f891b45
---
diff --git a/auth/auth-cass/cass_init/cmd.sh b/auth/auth-cass/cass_init/cmd.sh
index 7569440f..f605a472 100644
--- a/auth/auth-cass/cass_init/cmd.sh
+++ b/auth/auth-cass/cass_init/cmd.sh
@@ -24,6 +24,7 @@ DIR="/opt/app/aaf/status" INSTALLED_VERSION=/var/lib/cassandra/AAF_VERSION AAF_INIT_DATA=/var/lib/cassandra/AAF_INIT_DATA +CQLSH=${CQLSH:=/opt/cassandra/bin/cqlsh} if [ ! -e /aaf_cmd ]; then ln -s /opt/app/aaf/cass_init/cmd.sh /aaf_cmd
@@ -71,7 +72,7 @@ function wait_start { function wait_cql { status wait for keyspace to be initialized for CNT in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do - if [ -n "$(cqlsh -e 'describe keyspaces' | grep authz)" ]; then + if [ -n "$($CQLSH -e 'describe keyspaces' | grep authz)" ]; then break else echo "Waiting for Keyspaces to be loaded... Sleep 10"
@@ -96,11 +97,11 @@ function wait_ready { function install_cql { wait_start cassandra responsive # Now, make sure data exists - if [ ! -e $INSTALLED_VERSION ] && [ -n "$(cqlsh -e 'describe keyspaces' | grep authz)" ]; then - cqlsh --request-timeout=60 -e 'DROP KEYSPACE authz' + if [ ! -e $INSTALLED_VERSION ] && [ -n "$($CQLSH -e 'describe keyspaces' | grep authz)" ]; then + $CQLSH --request-timeout=60 -e 'DROP KEYSPACE authz' fi - if [ -z "`cqlsh --request-timeout 60 -e 'describe keyspaces' | grep authz`" ]; then + if [ -z "$($CQLSH --request-timeout 60 -e 'describe keyspaces' | grep authz)" ]; then status install echo "Initializing Cassandra DB" echo "Docker Installed Basic Cassandra on aaf.cass. Executing the following " 
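Review bot: The new `CQLSH=${CQLSH:=/opt/cassandra/bin/cqlsh}` line never checks that the path taken from the environment is executable, and because every later use pipes `$CQLSH` into `grep authz`, a wrong path is indistinguishable from "keyspace not loaded yet": wait_cql in the second hunk would just run through its 15 sleeps, and install_cql in the third hunk would take the `-z` branch and start initialising the database with a binary it cannot run. Add a fail-fast right after the assignment, `CQLSH=${CQLSH:-/opt/cassandra/bin/cqlsh}` followed by `[ -x "$CQLSH" ] || { echo "cqlsh not found at $CQLSH" >&2; exit 1; }`; the `:-` form also drops the dead store that `:=` inside an assignment performs. The same variable defaults to `/usr/bin/cqlsh` in the dcqlsh.sh hunk later in this patch, and both paths are resolved inside the aaf-cass container, so unless one is a symlink to the other one of the defaults is wrong. `$CQLSH` is deliberately left unquoted in all three hunks (restore.sh stores options in the same variable), which means a path containing whitespace cannot be used; worth a comment at the assignment. wait_cql and install_cql both continue outside their hunks.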
@@ -109,10 +110,10 @@ function install_cql { echo " cd /opt/app/aaf/cass_init" cd /opt/app/aaf/cass_init echo " cqlsh -f keyspace.cql" - cqlsh --request-timeout=100 -f keyspace.cql + $CQLSH --request-timeout=100 -f keyspace.cql status keyspace installed echo " cqlsh -f init.cql" - cqlsh --request-timeout=100 -f init.cql + $CQLSH --request-timeout=100 -f init.cql status data initialized echo "" echo "The following will give you a temporary identity with which to start working, or emergency"
diff --git a/auth/auth-cass/cass_init/restore.sh b/auth/auth-cass/cass_init/restore.sh
index abc6a7cc..ba2c49eb 100644
--- a/auth/auth-cass/cass_init/restore.sh
+++ b/auth/auth-cass/cass_init/restore.sh
@@ -4,7 +4,7 @@ echo `date` ENV=DOCKER -CQLSH="cqlsh -k authz" +CQLSH="${CQLSH:=/opt/cassandra/bin/cqlsh} -k authz" cd dats if [ "$*" = "" ]; then
diff --git a/auth/auth-cass/docker/Dockerfile.cass b/auth/auth-cass/docker/Dockerfile.cass
index 0f12d8c8..5d9c3db9 100644
--- a/auth/auth-cass/docker/Dockerfile.cass
+++ b/auth/auth-cass/docker/Dockerfile.cass 
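Review bot: The `echo " cqlsh -f keyspace.cql"` and `echo " cqlsh -f init.cql"` lines still print the old literal command while the line after each now runs `$CQLSH`, so the transcript announced by "Executing the following" no longer matches what is executed. Print the variable instead: `echo " $CQLSH -f keyspace.cql"` and `echo " $CQLSH -f init.cql"`. install_cql starts and ends outside this hunk.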
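Review bot: `CQLSH="${CQLSH:=/opt/cassandra/bin/cqlsh} -k authz"` uses the assigning `:=` form only to overwrite the variable on the same line, so `${CQLSH:-/opt/cassandra/bin/cqlsh}` says the same thing without the dead store. The larger issue is that the same environment variable now means "bare binary" in cmd.sh and dcqlsh.sh but "binary plus options" here, so a caller that hands restore.sh a `CQLSH` already carrying `-k authz` gets the option twice; reading the override under a distinct name, e.g. `CQLSH="${CQLSH_BIN:-/opt/cassandra/bin/cqlsh} -k authz"`, keeps the two contracts apart (how cmd.sh invokes restore.sh is not visible here). The unchecked `cd dats` below is pre-existing.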
@@ -32,11 +32,16 @@ COPY aaf-auth-batch-*-full.jar /opt/app/aaf/cass_init/ COPY cass_data/*.dat /opt/app/aaf/cass_init/dats/ COPY sample.identities.dat /opt/app/aaf/cass_init/data/identites.dat -RUN mkdir -p /opt/app/aaf/status && chmod 777 /opt/app/aaf/status && \ - addgroup ${USER} && adduser --no-create-home --ingroup ${USER} --disabled-password --gecos "" --shell /bin/bash ${USER} && \ - chown -R ${USER}:${USER} /opt/app/aaf/cass_init - +RUN mkdir -p /opt/app/aaf/status &&\ + chmod 777 /opt/app/aaf/status && \ + addgroup ${DUSER} && adduser --ingroup cassandra --disabled-password --gecos "" --shell /bin/bash ${DUSER} && \ + chown -R ${DUSER}:cassandra /opt/app/aaf/cass_init &&\ + chown -R ${DUSER}:cassandra /etc/cassandra &&\ + mkdir -p /var/lib/cassandra/data && chown -R ${DUSER}:cassandra /var/lib/cassandra &&\ + chown -R ${DUSER}:cassandra /var/log/cassandra &&\ + ln -s /opt/app/aaf/cass_init/cmd.sh /aaf_cmd && chmod a+x /aaf_cmd +USER ${DUSER} ENTRYPOINT ["/bin/bash","/opt/app/aaf/cass_init/cmd.sh"] CMD ["start"] # Default is to start up with CQL setup only
diff --git a/auth/auth-cass/docker/dbuild.sh b/auth/auth-cass/docker/dbuild.sh
index 7e2ac7c5..6a1ae1c1 100644
--- a/auth/auth-cass/docker/dbuild.sh
+++ b/auth/auth-cass/docker/dbuild.sh
@@ -25,7 +25,7 @@ if [ -e ../../docker/d.props ]; then . ../../docker/d.props fi DOCKER=${DOCKER:-docker} - + function SCP() { SANS=${1/-SNAPSHOT/} echo $1 = $SANS
@@ -52,7 +52,7 @@ echo "$0: DOCKER_PULL_REGISTRY=${DOCKER_REGISTRY}" DIR=$(pwd) cd .. sed -e 's/${AAF_VERSION}/'${VERSION/-SNAPSHOT/}'/g' \ - -e 's/${USER}/'${USER}'/g' \ + -e 's/${DUSER}/'${DUSER}'/g' \ -e 's/${REGISTRY}/'${DOCKER_PULL_REGISTRY}'/g' \ $DIR/Dockerfile.cass > Dockerfile cd ..
diff --git a/auth/auth-cass/docker/dcqlsh.sh b/auth/auth-cass/docker/dcqlsh.sh
index 2518eb90..c8708d75 100644
--- a/auth/auth-cass/docker/dcqlsh.sh
+++ b/auth/auth-cass/docker/dcqlsh.sh 
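Review bot: `adduser --ingroup cassandra ... ${DUSER}` does not pin a UID, yet the Helm templates later in this patch chown the mounted volumes to `1000:1000`; the runtime user becomes whatever free UID adduser picks in the base image, and if that is not 1000 the process may be unable to write /var/lib/cassandra or /opt/app/aaf/status once the volumes are mounted. Pin it, `adduser --uid 1000 --ingroup cassandra --disabled-password --gecos "" --shell /bin/bash ${DUSER}` (or take the value from d.props next to DUSER), and note that `addgroup ${DUSER}` then creates a group nothing uses, since the user is placed in `cassandra`. Two chown lines give the service user more write access than non-root operation needs: `chown -R ${DUSER}:cassandra /etc/cassandra` lets the process rewrite its own configuration files, so if the entrypoint only edits specific files, restrict the chown to those; and `chmod 777 /opt/app/aaf/status` is kept although the directory can now simply be owned by the service user, `chown ${DUSER}:cassandra /opt/app/aaf/status && chmod 775 /opt/app/aaf/status`. The build-time `ln -s /opt/app/aaf/cass_init/cmd.sh /aaf_cmd` is what lets the runtime `ln -s` in cmd.sh be skipped now that it no longer runs as root; a one-line comment saying so would keep someone from removing it.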
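Review bot: The sed now substitutes `${DUSER}` in Dockerfile.cass with an unquoted, unvalidated `${DUSER}` from d.props; if it is unset or empty the generated Dockerfile contains `addgroup`/`adduser` without a user name and a bare `USER ` instruction, so the build fails far from the cause, and a value containing `/` breaks the sed expression itself. Add a guard before the `sed` line, `: "${DUSER:?DUSER must be set in d.props}"`, and quote the expansion, `-e 's/${DUSER}/'"${DUSER}"'/g' \`. The first dbuild.sh hunk is whitespace only.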
@@ -22,5 +22,5 @@ if [ -e ../../docker/d.props ]; then . ../../docker/d.props fi -${DOCKER:=docker} exec -it aaf-cass /usr/bin/cqlsh -k authz +${DOCKER:=docker} exec -it aaf-cass ${CQLSH:=/usr/bin/cqlsh} -k authz
diff --git a/auth/docker/Dockerfile.agent b/auth/docker/Dockerfile.agent
index ec5f24ea..e974dc49 100644
--- a/auth/docker/Dockerfile.agent
+++ b/auth/docker/Dockerfile.agent
@@ -31,5 +31,5 @@ COPY bin/aaf-cadi-servlet-sample-*-sample.jar /opt/app/aaf_config/bin/ COPY cert/*trust*.b64 /opt/app/aaf_config/cert/ RUN chmod 755 /opt/app/aaf_config/bin/* &&\ if [ -n "${DUSER}" ]; then chown -R ${DUSER}:${DUSER} /opt/app/aaf_config; fi - +USER ${DUSER} CMD []
diff --git a/auth/docker/Dockerfile.config b/auth/docker/Dockerfile.config
index 4bb7a940..b2263ecc 100644
--- a/auth/docker/Dockerfile.config
+++ b/auth/docker/Dockerfile.config
@@ -39,5 +39,5 @@ COPY bin/aaf-auth-batch-${JAR_VERSION}-full.jar /opt/app/aaf_config/bin/ RUN mkdir -p /opt/app/osaaf &&\ chmod 755 /opt/app/aaf_config/bin/*.sh &&\ if [ -n "${DUSER}" ]; then chown ${DUSER}:${DUSER} /opt/app/osaaf && chown -R ${DUSER}:${DUSER} /opt/app/aaf_config; fi - +USER ${DUSER} CMD ["/bin/bash","/opt/app/aaf_config/bin/agent.sh"]
diff --git a/auth/docker/Dockerfile.core b/auth/docker/Dockerfile.core
index 5c66c8ca..4179c5e7 100644
--- a/auth/docker/Dockerfile.core
+++ b/auth/docker/Dockerfile.core
@@ -37,4 +37,4 @@ RUN mkdir -p /opt/app/osaaf &&\ && chown ${DUSER}:${DUSER} /opt/app/osaaf \ && chown -R ${DUSER}:${DUSER} /opt/app/aaf;\ fi - +USER ${DUSER}
diff --git a/auth/docker/Dockerfile.hello b/auth/docker/Dockerfile.hello
index 4b12a6f1..82d9a9f5 100644
--- a/auth/docker/Dockerfile.hello
+++ b/auth/docker/Dockerfile.hello
@@ -37,5 +37,5 @@ RUN mkdir -p /opt/app/osaaf &&\ && chown ${DUSER}:${DUSER} /opt/app/osaaf \ && chown -R ${DUSER}:${DUSER} /opt/app/aaf;\ fi - +USER ${DUSER} CMD [] 
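Review bot: The default here is `/usr/bin/cqlsh`, but cmd.sh and restore.sh in this same patch default the same `CQLSH` variable to `/opt/cassandra/bin/cqlsh`; all three are resolved inside the aaf-cass container (this one through `docker exec`), so unless one path is a symlink to the other, one of the defaults is wrong and it only shows when the variable is left unset. Use one value everywhere, or put it in d.props, which this script already sources two lines up, the way `DOCKER` can be overridden from it. `${CQLSH:=...}` in command position also assigns the variable in this script's shell, which is harmless but unneeded; `${CQLSH:-/opt/cassandra/bin/cqlsh}` is the side-effect-free form.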
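Review bot: `USER ${DUSER}` is added unconditionally, but the `RUN` line above it only chowns when `[ -n "${DUSER}" ]`; with DUSER empty the build now fails on a bare `USER ` instruction, so the guard no longer protects anything and the two lines disagree on whether DUSER is optional. The same pair appears in the Dockerfile.config, Dockerfile.core and Dockerfile.hello hunks; either drop the guards and fail fast where DUSER is substituted, or have that substitution omit the `USER` line when DUSER is empty. `USER` is also given as a name rather than a numeric UID: Kubernetes cannot verify `runAsNonRoot: true` against a non-numeric image user and refuses to start such a container, so if the charts later adopt that setting these images will need `USER <uid>` (placeholder, the UID is not pinned anywhere in this patch) or the pod spec an explicit `runAsUser`. Whether any later `RUN` step in images built FROM these bases still needs root is not visible here.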
diff --git a/auth/helm/aaf-hello/templates/aaf-hello.yaml b/auth/helm/aaf-hello/templates/aaf-hello.yaml
index 3ff9a576..a79f39ed 100644
--- a/auth/helm/aaf-hello/templates/aaf-hello.yaml
+++ b/auth/helm/aaf-hello/templates/aaf-hello.yaml
@@ -56,6 +56,18 @@ spec: persistentVolumeClaim: claimName: aaf-hello-pvc initContainers: + - command: + - /bin/sh + - -c + - | + chmod -R 775 /opt/app/osaaf + chown -R 1000:1000 /opt/app/osaaf + image: busybox:1.28 + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: init-sysctl + volumeMounts: + - mountPath: /opt/app/osaaf + name: aaf-hello-vol - name: aaf-hello-config image: "{{ .Values.image.repository }}{{ .Values.service.agentImage }}" imagePullPolicy: IfNotPresent
diff --git a/auth/helm/aaf/templates/aaf-cass.yaml b/auth/helm/aaf/templates/aaf-cass.yaml
index f795dfe5..ace21817 100644
--- a/auth/helm/aaf/templates/aaf-cass.yaml
+++ b/auth/helm/aaf/templates/aaf-cass.yaml
@@ -68,6 +68,23 @@ spec: - name: aaf-status-vol persistentVolumeClaim: claimName: aaf-status-pvc + initContainers: + - command: + - /bin/sh + - -c + - | + chmod -R 775 /opt/app/aaf/status + chown -R 1000:1000 /opt/app/aaf/status + chmod -R 775 /var/lib/cassandra + chown -R 1000:1000 /var/lib/cassandra + image: busybox:1.28 + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: init-sysctl + volumeMounts: + - mountPath: /opt/app/aaf/status + name: aaf-status-vol + - mountPath: /var/lib/cassandra + name: aaf-cass-vol containers: ### ### AAF-CASS
diff --git a/auth/helm/aaf/templates/aaf-cm.yaml b/auth/helm/aaf/templates/aaf-cm.yaml
index ebb49835..e64da6cc 100644
--- a/auth/helm/aaf/templates/aaf-cm.yaml
+++ b/auth/helm/aaf/templates/aaf-cm.yaml 
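Review bot: The new init container hard-codes `chown -R 1000:1000`, but nothing in this patch pins the service user to UID 1000 (the Dockerfiles create DUSER with `adduser` and no `--uid`), so whether the main container can write /opt/app/osaaf afterwards depends on which UID the base image happened to hand out; the same block is in the aaf-cass hunk below and in the aaf-cm, aaf-fs, aaf-gui, aaf-locate, aaf-oauth and aaf-service templates that follow. For PVC-backed volumes a pod-level `securityContext:` with `fsGroup: <gid>` (placeholder, must match the image's group) lets the kubelet set group ownership without a root busybox container and without a blanket `chmod -R 775` over directories that presumably hold the services' generated credentials (confirm what agent.sh writes there); the recursive chown of /var/lib/cassandra in the aaf-cass hunk additionally grows with the dataset and slows every restart. `image: busybox:1.28` is pulled from Docker Hub by a mutable tag rather than through `{{ .Values.image.repository }}` like the other images in these templates, which breaks mirrored-registry installs and is not reproducible; route it through the configured registry and pin a digest. `name: init-sysctl` describes a sysctl-tuning container, not a chown; `name: init-chown` would stop the next reader looking for a sysctl that is not there.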
@@ -59,6 +59,22 @@ spec: persistentVolumeClaim: claimName: aaf-status-pvc initContainers: + - command: + - /bin/sh + - -c + - | + chmod -R 775 /opt/app/aaf/status + chown -R 1000:1000 /opt/app/aaf/status + chmod -R 775 /opt/app/osaaf + chown -R 1000:1000 /opt/app/osaaf + image: busybox:1.28 + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: init-sysctl + volumeMounts: + - mountPath: /opt/app/aaf/status + name: aaf-status-vol + - mountPath: /opt/app/osaaf + name: aaf-config-vol - name: aaf-config-container image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }} imagePullPolicy: IfNotPresent
diff --git a/auth/helm/aaf/templates/aaf-fs.yaml b/auth/helm/aaf/templates/aaf-fs.yaml
index 479447de..e3973af0 100644
--- a/auth/helm/aaf/templates/aaf-fs.yaml
+++ b/auth/helm/aaf/templates/aaf-fs.yaml
@@ -59,6 +59,22 @@ spec: persistentVolumeClaim: claimName: aaf-status-pvc initContainers: + - command: + - /bin/sh + - -c + - | + chmod -R 775 /opt/app/aaf/status + chown -R 1000:1000 /opt/app/aaf/status + chmod -R 775 /opt/app/osaaf + chown -R 1000:1000 /opt/app/osaaf + image: busybox:1.28 + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: init-sysctl + volumeMounts: + - mountPath: /opt/app/osaaf + name: aaf-config-vol + - mountPath: /opt/app/aaf/status + name: aaf-status-vol - name: aaf-config-container image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }} imagePullPolicy: IfNotPresent
diff --git a/auth/helm/aaf/templates/aaf-gui.yaml b/auth/helm/aaf/templates/aaf-gui.yaml
index 14c42599..93c1473f 100644
--- a/auth/helm/aaf/templates/aaf-gui.yaml
+++ b/auth/helm/aaf/templates/aaf-gui.yaml 
@@ -60,6 +60,22 @@ spec: persistentVolumeClaim: claimName: aaf-status-pvc initContainers: + - command: + - /bin/sh + - -c + - | + chmod -R 775 /opt/app/aaf/status + chown -R 1000:1000 /opt/app/aaf/status + chmod -R 775 /opt/app/osaaf + chown -R 1000:1000 /opt/app/osaaf + image: busybox:1.28 + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: init-sysctl + volumeMounts: + - mountPath: /opt/app/osaaf + name: aaf-config-vol + - mountPath: /opt/app/aaf/status + name: aaf-status-vol - name: aaf-config-container image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }} imagePullPolicy: IfNotPresent
diff --git a/auth/helm/aaf/templates/aaf-locate.yaml b/auth/helm/aaf/templates/aaf-locate.yaml
index d4f2bf66..57ba43d0 100644
--- a/auth/helm/aaf/templates/aaf-locate.yaml
+++ b/auth/helm/aaf/templates/aaf-locate.yaml
@@ -59,6 +59,22 @@ spec: persistentVolumeClaim: claimName: aaf-status-pvc initContainers: + - command: + - /bin/sh + - -c + - | + chmod -R 775 /opt/app/aaf/status + chown -R 1000:1000 /opt/app/aaf/status + chmod -R 775 /opt/app/osaaf + chown -R 1000:1000 /opt/app/osaaf + image: busybox:1.28 + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: init-sysctl + volumeMounts: + - mountPath: /opt/app/aaf/status + name: aaf-status-vol + - mountPath: /opt/app/osaaf + name: aaf-config-vol - name: aaf-config-container image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }} imagePullPolicy: IfNotPresent
diff --git a/auth/helm/aaf/templates/aaf-oauth.yaml b/auth/helm/aaf/templates/aaf-oauth.yaml
index 4d5ac75a..ab21e3ab 100644
--- a/auth/helm/aaf/templates/aaf-oauth.yaml
+++ b/auth/helm/aaf/templates/aaf-oauth.yaml 
@@ -59,6 +59,22 @@ spec: persistentVolumeClaim: claimName: aaf-status-pvc initContainers: + - command: + - /bin/sh + - -c + - | + chmod -R 775 /opt/app/aaf/status + chown -R 1000:1000 /opt/app/aaf/status + chmod -R 775 /opt/app/osaaf + chown -R 1000:1000 /opt/app/osaaf + image: busybox:1.28 + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: init-sysctl + volumeMounts: + - mountPath: /opt/app/aaf/status + name: aaf-status-vol + - mountPath: /opt/app/osaaf + name: aaf-config-vol - name: aaf-config-container image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }} imagePullPolicy: IfNotPresent
diff --git a/auth/helm/aaf/templates/aaf-service.yaml b/auth/helm/aaf/templates/aaf-service.yaml
index 96efa75c..f4772d67 100644
--- a/auth/helm/aaf/templates/aaf-service.yaml
+++ b/auth/helm/aaf/templates/aaf-service.yaml
@@ -58,6 +58,22 @@ spec: persistentVolumeClaim: claimName: aaf-status-pvc initContainers: + - command: + - /bin/sh + - -c + - | + chmod -R 775 /opt/app/aaf/status + chown -R 1000:1000 /opt/app/aaf/status + chmod -R 775 /opt/app/osaaf + chown -R 1000:1000 /opt/app/osaaf + image: busybox:1.28 + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: init-sysctl + volumeMounts: + - mountPath: /opt/app/aaf/status + name: aaf-status-vol + - mountPath: /opt/app/osaaf + name: aaf-config-vol - name: aaf-config-container image: {{ .Values.image.repository }}onap/aaf/aaf_config:{{ .Values.image.version }} imagePullPolicy: IfNotPresent