From 1db162bfcd9acafa3a19c80e3943f568c9f8874a Mon Sep 17 00:00:00 2001
From: Huabing Zhao
Date: Wed, 10 Apr 2019 08:33:58 +0000
Subject: [PATCH] Run API Gateway as non-root user

Change-Id: Iea0f47a7f425b7c812ee683af496b8a6b96dce13
Issue-ID: MSB-320
Signed-off-by: Huabing Zhao
---
 build4docker.sh | 6 +++---
 distributions/msb-apigateway/src/main/docker/Dockerfile | 9 ++++++++-
 openresty-ext/src/assembly/resources/openresty/run.sh | 14 +++++++-------
 3 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/build4docker.sh b/build4docker.sh
index edcfa65..f0c3f49 100644
--- a/build4docker.sh
+++ b/build4docker.sh
@@ -48,9 +48,9 @@ chmod 777 build_docker_image.sh
 docker rm -f ${DOCKER_RUN_NAME}
-docker rmi ${DOCKER_REPOSITORY}/onap/msb/${DOCKER_IMAGE_NAME}:${DOCKER_LATEST_VERSION}
-docker rmi ${DOCKER_REPOSITORY}/onap/msb/${DOCKER_IMAGE_NAME}:${DOCKER_RELEASE_VERSION}-STAGING-latest
-docker rmi ${DOCKER_REPOSITORY}/onap/msb/${DOCKER_IMAGE_NAME}:${DOCKER_RELEASE_VERSION}-SNAPSHOT-latest
+docker rmi --force ${DOCKER_REPOSITORY}/onap/msb/${DOCKER_IMAGE_NAME}:${DOCKER_LATEST_VERSION}
+docker rmi --force ${DOCKER_REPOSITORY}/onap/msb/${DOCKER_IMAGE_NAME}:${DOCKER_RELEASE_VERSION}-STAGING-latest
+docker rmi --force ${DOCKER_REPOSITORY}/onap/msb/${DOCKER_IMAGE_NAME}:${DOCKER_RELEASE_VERSION}-SNAPSHOT-latest
 ./build_docker_image.sh -n=${DOCKER_REPOSITORY}/onap/msb/${DOCKER_IMAGE_NAME} -v=${DOCKER_LATEST_VERSION} -d=./docker
diff --git a/distributions/msb-apigateway/src/main/docker/Dockerfile b/distributions/msb-apigateway/src/main/docker/Dockerfile
index 466dc20..35de11e 100644
--- a/distributions/msb-apigateway/src/main/docker/Dockerfile
+++ b/distributions/msb-apigateway/src/main/docker/Dockerfile
@@ -4,6 +4,13 @@ COPY msb-apigateway*.tar.gz /usr/src
 RUN tar -xzf /usr/src/msb-apigateway*.tar.gz -C /usr/local --strip-components=1; \
 rm /usr/src/msb-apigateway*.tar.gz
-
+RUN apk add --no-cache shadow sudo && \
+ addgroup -g 1000 msb && \
+ adduser -D -u 1000 -G msb msb && \
+ echo "msb ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/msb && \
+ chmod 0440 /etc/sudoers.d/msb && \
+ chown -R msb:msb /usr/local
+USER msb
+
 WORKDIR /usr/local
 ENTRYPOINT exec $PWD/startup4docker.sh
diff --git a/openresty-ext/src/assembly/resources/openresty/run.sh b/openresty-ext/src/assembly/resources/openresty/run.sh
index ed2a393..5909046 100644
--- a/openresty-ext/src/assembly/resources/openresty/run.sh
+++ b/openresty-ext/src/assembly/resources/openresty/run.sh
@@ -20,10 +20,10 @@ HOME=`cd $DIRNAME/nginx; pwd`
 _NGINXCMD="$HOME/sbin/nginx"
 LUAJIT_HOME=`cd $DIRNAME/luajit; pwd`
 echo =========== prepare the symbolic links ========================================
-ln -s -f $_NGINXCMD $DIRNAME/bin/openresty
-ln -s -f $LUAJIT_HOME/bin/luajit2.1.0-beta2 $LUAJIT_HOME/bin/luajit
-ln -s -f $LUAJIT_HOME/lib/libluajit-5.1.so.2.1.0 $LUAJIT_HOME/lib/libluajit-5.1.so.2
-ln -s -f $LUAJIT_HOME/lib/libluajit-5.1.so.2.1.0 $LUAJIT_HOME/lib/libluajit-5.1.so
+sudo ln -s -f $_NGINXCMD $DIRNAME/bin/openresty
+sudo ln -s -f $LUAJIT_HOME/bin/luajit2.1.0-beta2 $LUAJIT_HOME/bin/luajit
+sudo ln -s -f $LUAJIT_HOME/lib/libluajit-5.1.so.2.1.0 $LUAJIT_HOME/lib/libluajit-5.1.so.2
+sudo ln -s -f $LUAJIT_HOME/lib/libluajit-5.1.so.2.1.0 $LUAJIT_HOME/lib/libluajit-5.1.so
 echo ================================================================================
 echo =========== create symbolic link for libluajit-5.1.so.2 ========================================
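Review bot: The sudoers line `msb ALL=(root) NOPASSWD:ALL` gives the new `msb` user unrestricted passwordless root, so `USER msb` does not actually reduce privilege: any code running as msb can switch to root through `sudo`. The privileged steps that run.sh wraps in sudo in this same commit (the `ln -s -f` calls and the nginx start) look like they could be done at build time as root before `USER msb`, which would let the image drop the `sudo` package and the sudoers file altogether. If a rule has to stay, it should name the exact commands instead of `ALL`. `chown -R msb:msb /usr/local` also makes every installed binary and script writable by the runtime user; ownership is better limited to the directories nginx must write at runtime, which are not visible in this hunk.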
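Review bot: The four `sudo ln -s -f` lines create links under `$DIRNAME` and `$LUAJIT_HOME`, which the Dockerfile in this commit appears to hand to `msb` through `chown -R msb:msb /usr/local`, so root is probably not needed for them; plain `ln -s -f` should work if the script is installed under /usr/local. The expansions are unquoted on a command that now runs as root, so a path containing spaces or glob characters is split before `ln` sees it; `sudo ln -s -f "$_NGINXCMD" "$DIRNAME/bin/openresty"` is the safer form, and the same applies to the two `sudo ln` lines in the next hunk. The script also now depends on `sudo` being installed with a passwordless rule, which deserves a comment at the top of run.sh for anyone running it outside this image.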
@@ -31,8 +31,8 @@ LUAJIT_HOME=`cd $DIRNAME/luajit; pwd`
 LUAJIT_FILENAME="$LUAJIT_HOME/lib/libluajit-5.1.so.2"
 LN_TARGET_FILE='/lib/libluajit-5.1.so.2'
 LN_TARGET_FILE64='/lib64/libluajit-5.1.so.2'
-ln -s -f $LUAJIT_FILENAME $LN_TARGET_FILE
-ln -s -f $LUAJIT_FILENAME $LN_TARGET_FILE64
+sudo ln -s -f $LUAJIT_FILENAME $LN_TARGET_FILE
+sudo ln -s -f $LUAJIT_FILENAME $LN_TARGET_FILE64
 echo ===============================================================================
 echo =========== openresty config info =============================================
@@ -43,5 +43,5 @@ cd $HOME; pwd
 echo @WORK_DIR@ $HOME
 echo @C_CMD@ $_NGINXCMD -p $HOME/
-$_NGINXCMD -p $HOME/
+sudo $_NGINXCMD -p $HOME/
-- 
2.16.6
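Review bot: `sudo $_NGINXCMD -p $HOME/` still starts the nginx master process as root, so after this commit only the wrapper shell is unprivileged; whether the workers drop privileges depends on the `user` directive in nginx.conf, which is not part of this diff. With sudo's default `env_reset`, environment variables set on the container are not passed through to nginx unless the sudoers rule preserves them, which matters if the gateway configuration reads any. If root is needed only to bind ports below 1024, listening on a higher port or granting the binary the bind capability at build time would let this line run without sudo, as `"$_NGINXCMD" -p "$HOME/"`.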