Update haproxy to run as user haproxy 06/110206/1
authorHarish Venkata Kajur <vk250x@att.com>
Wed, 15 Jul 2020 17:16:23 +0000 (13:16 -0400)
committerHarish Venkata Kajur <vk250x@att.com>
Wed, 15 Jul 2020 17:17:06 +0000 (13:17 -0400)
Issue-ID: AAI-2822
Change-Id: I586c5da9c6a8710536b106272447806d3bfed3b4
Signed-off-by: Harish Venkata Kajur <vk250x@att.com>
aai-common-docker/aai-haproxy-image/src/main/docker/Dockerfile
aai-common-docker/aai-haproxy-image/src/main/docker/docker-entrypoint.sh
aai-common-docker/aai-haproxy-image/src/main/docker/haproxy.cfg

index a96c364..9e9d80c 100644 (file)
@@ -13,16 +13,18 @@ RUN apk add --no-cache \
     shadow \
     util-linux && \
     groupadd haproxy -g 1000 && \
-    adduser -u 1000 -S -D -G haproxy -s /bin/bash haproxy
+    adduser -u 1000 -S -D -G haproxy -s /bin/bash haproxy && \
+    chown -R haproxy:haproxy /usr/local/etc/haproxy
 
 RUN mkdir -p /etc/ssl/certs/ && mkdir -p /etc/ssl/private
 
-COPY aai.pem /etc/ssl/private/aai.pem
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-COPY resolvers.conf /usr/local/etc/haproxy/resolvers.conf
-COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+COPY --chown=haproxy aai.pem /etc/ssl/private/aai.pem
+COPY --chown=haproxy docker-entrypoint.sh /docker-entrypoint.sh
+COPY --chown=haproxy resolvers.conf /usr/local/etc/haproxy/resolvers.conf
+COPY --chown=haproxy haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
 
 RUN chmod +x /docker-entrypoint.sh
+USER haproxy
 
 ENTRYPOINT [ "/docker-entrypoint.sh" ]
 CMD [ "haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg", "-f", "/usr/local/etc/haproxy/resolvers.conf" ] 
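Review bot: `COPY --chown=haproxy docker-entrypoint.sh /docker-entrypoint.sh` makes the entrypoint script owned by the account the container now runs as, so anything executing as haproxy can rewrite the script that starts it when the container restarts. Nothing visible in this hunk needs the script to be writable at run time, so leaving it root-owned (`COPY docker-entrypoint.sh /docker-entrypoint.sh`, followed by the existing `RUN chmod +x`) keeps the benefit of `USER haproxy`. For `aai.pem` the commit sets the owner but not the mode, so the file keeps the permissions it had in the build context; if it contains the private key, `COPY --chown=haproxy --chmod=0400 aai.pem /etc/ssl/private/aai.pem` (needs BuildKit) limits it to the haproxy user. `USER 1000` rather than the name would also let a Kubernetes `runAsNonRoot` policy verify the UID. The `RUN apk add` instruction that creates the user begins above the hunk.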
index 9095b3d..a56eea9 100644 (file)
@@ -16,7 +16,7 @@ sed -i 's/${ONAP_NAMESERVER_CLUSTER_IP}/'${NAMESERVER_IP}'/g' /usr/local/etc/hap
 if [ "$1" = 'haproxy' ]; then
     # if the user wants "haproxy", let's use "haproxy-systemd-wrapper" instead so we can have proper reloadability implemented by upstream
     shift # "haproxy"
-    set -- "$(which haproxy-systemd-wrapper)" -p /run/haproxy.pid "$@"
+    set -- "$(which haproxy-systemd-wrapper)" -p /usr/local/etc/haproxy/haproxy.pid "$@"
 fi
 
 exec "$@"
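Review bot: The pid file now lives in `/usr/local/etc/haproxy`, next to `haproxy.cfg`, which ties runtime state to the configuration directory and requires that directory to remain writable by the haproxy user. A dedicated directory separates the two: create it in the Dockerfile with something like `RUN mkdir -p /run/haproxy && chown haproxy:haproxy /run/haproxy` and pass `-p /run/haproxy/haproxy.pid` here. The `sed -i` shown in the hunk header appears to edit files under the same directory at startup, so the config directory probably cannot be made read-only yet, but moving the pid file out is a step toward that. The script's earlier lines are outside the hunk.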
index a8da55c..9f53e71 100644 (file)
@@ -2,8 +2,6 @@ global
         log /dev/log    local0
         stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
         stats timeout 30s
-        user haproxy
-        group haproxy
         daemon
         #################################
         # Default SSL material locations#