From 34c72a4d56324182b2e1d6f6fbaa508ca0953d2f Mon Sep 17 00:00:00 2001
From: rajeevme
Date: Thu, 22 Aug 2019 22:22:19 +0530
Subject: [PATCH] [AAI-2177] Run container process as non-root

Issue-ID: AAI-2177
Change-Id: I8844d2b58a3ce0b501c5621d1271f0da3ac32784
Signed-off-by: rajeevme
Change-Id: I3d99cad8b8398b1899395c611b5790aefb6787b7
---
 src/main/bin/start.sh | 4 ++++
 src/main/docker/Dockerfile | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/src/main/bin/start.sh b/src/main/bin/start.sh
index 87ec099..28cca96 100644
--- a/src/main/bin/start.sh
+++ b/src/main/bin/start.sh
@@ -33,4 +33,8 @@ fi
 JVM_MAX_HEAP=${MAX_HEAP:-1024}
 set -x
+if [ -z "$RUN_MS_AS_ROOT" ] ; then
 exec java -Xmx${JVM_MAX_HEAP}m $PROPS -jar ${APP_HOME}/gizmo.jar
+else
+exec sudo -E java -Xmx${JVM_MAX_HEAP}m $PROPS -jar ${APP_HOME}/gizmo.jar
+fi
\ No newline at end of file
diff --git a/src/main/docker/Dockerfile b/src/main/docker/Dockerfile
index 35297e7..036091e 100644
--- a/src/main/docker/Dockerfile
+++ b/src/main/docker/Dockerfile
@@ -12,6 +12,11 @@ ARG USERS_HOME=/opt/aaihome
 RUN mkdir -p $MICRO_HOME $USERS_HOME /logs \
 && groupadd -g 492382 aaiadmin \
 && useradd -r -u 341790 -g 492382 -ms /bin/sh -d $USERS_HOME/aaiadmin aaiadmin
+##The following 2 lines are added to add the user to the sudoers group
+##The script src\main\bin\start.sh could then optionally run the process as sudo user if an environment variable is set
+## By default the sudo mode is disabled.
+RUN usermod -aG sudo aaiadmin &&\
+ echo 'aaiadmin ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
 WORKDIR $MICRO_HOME
 COPY /maven/gizmo/ .
 RUN chmod 755 $BIN_HOME/* \
-- 
2.16.6
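Review bot: The new guard `if [ -z "$RUN_MS_AS_ROOT" ] ; then` treats any non-empty value as a request to run as root, so `RUN_MS_AS_ROOT=false` or `RUN_MS_AS_ROOT=0` set by an operator or a deployment template still takes the `exec sudo -E java …` branch. Compare against an explicit literal so only a deliberate opt-in escalates, `if [ "${RUN_MS_AS_ROOT:-}" != "true" ] ; then`, and document the accepted value in a comment above the `if`, e.g. `# RUN_MS_AS_ROOT=true re-launches the JVM via sudo; anything else runs as the current user`. The hunk header's old/new counts (4 and 8) do not match the lines shown here, so a context line was presumably lost in rendering; the `if`/`else`/`fi` block itself is complete within the hunk. As a point of style, the branch bodies are not indented and `fi` is written without a trailing newline, per the `\ No newline at end of file` marker.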
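Review bot: The rule `aaiadmin ALL=(ALL) NOPASSWD: ALL` appended to `/etc/sudoers` grants the service account unrestricted passwordless root in every container built from this image, whether or not `RUN_MS_AS_ROOT` is ever set, so if the JVM runs as aaiadmin (the `USER` instruction is not in this hunk) a compromise of the Java process is one `sudo` away from root and the "non-root" property is only cosmetic. Restrict the rule to the single command the start script needs, with `SETENV` because it invokes `sudo -E`, e.g. `aaiadmin ALL=(root) NOPASSWD:SETENV: <absolute path of java in this image>`, and write it as its own file under `/etc/sudoers.d/` with mode `0440` and a `visudo -cf` check rather than appending to `/etc/sudoers`, where a syntax error disables sudo for everyone. With an explicit rule in place the `usermod -aG sudo aaiadmin` line is redundant, and on base images where the `sudo` group carries its own password-requiring policy it presumably adds nothing. Neither this hunk nor the visible context shows the `sudo` package being installed; if the base image lacks it, `usermod -aG sudo` fails the build and the start script's `else` branch fails at runtime. The final `RUN chmod 755 $BIN_HOME/* \` instruction continues outside the hunk.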