Using non root user in controller (#3579)

* Using non root user in controller Have done some basic testing. Would like some feedback. * Fixing jmxremote file permissions * Triggering build * Using chown instead of giving full permissions Using chown instead of giving full permissions * Permissions to create coverage folder Permissions to create coverage folder * Using user's home folder instead of root The root folder has permission issues in IBM PG build. So using /home/owuser instead of /root to store jmxremote files. owuser is the new user we create to avoid using root user. Not switching the user in invoker because it is a privileged container. * Triggering build Triggering build
apache · Oct 11, 2018 · f7afa71 · f7afa71
1 parent 6b1303d
commit f7afa71
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 5 deletions.
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
@@ -106,7 +106,7 @@ jmx:
   rmiBasePortInvoker: 18000
   user: "{{ jmxuser | default('jmxuser') }}"
   pass: "{{ jmxuser | default('jmxpass') }}"
-  jvmCommonArgs: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/root/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/root/jmxremote.access"
+  jvmCommonArgs: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/home/owuser/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/owuser/jmxremote.access"
   enabled: "{{ jmxremote_enabled | default('true') }}"
 
 transactions:

diff --git a/common/scala/copyJMXFiles.sh b/common/scala/copyJMXFiles.sh
@@ -18,6 +18,6 @@
 
 if [[ $( ls /conf/jmxremote.* 2> /dev/null ) ]]
 then
-  mv /conf/jmxremote.* /root
-  chmod 600 /root/jmxremote.*
+  mv /conf/jmxremote.* /home/owuser
+  chmod 600 /home/owuser/jmxremote.*
 fi
diff --git a/core/controller/Dockerfile b/core/controller/Dockerfile
@@ -3,19 +3,24 @@
 
 FROM scala
 
+ENV UID=1001 \
+    NOT_ROOT_USER=owuser
+
 # Install swagger-ui
 RUN curl -sSL -o swagger-ui-v3.6.0.tar.gz --no-verbose https://github.com/swagger-api/swagger-ui/archive/v3.6.0.tar.gz && \
     mkdir swagger-ui && \
     tar zxf swagger-ui-v3.6.0.tar.gz -C /swagger-ui --strip-components=2 swagger-ui-3.6.0/dist && \
     rm swagger-ui-v3.6.0.tar.gz && \
     sed -i s#http://petstore.swagger.io/v2/swagger.json#/api/v1/api-docs#g /swagger-ui/index.html
 
-#
 # Copy app jars
 ADD build/distributions/controller.tar /
 
 COPY init.sh /
 RUN chmod +x init.sh
 
+RUN adduser -D -u ${UID} -h /home/${NOT_ROOT_USER} -s /bin/bash ${NOT_ROOT_USER}
+USER ${NOT_ROOT_USER}
+
 EXPOSE 8080
 CMD ["./init.sh", "0"]
diff --git a/core/controller/Dockerfile.cov b/core/controller/Dockerfile.cov
@@ -5,11 +5,12 @@ FROM controller
 
 ARG OW_ROOT_DIR
 
+USER root
 RUN mkdir -p /coverage/common && \
     mkdir -p /coverage/controller && \
     mkdir -p "${OW_ROOT_DIR}/common/scala/build" && \
     mkdir -p "${OW_ROOT_DIR}/core/controller/build" && \
     ln -s /coverage/common "${OW_ROOT_DIR}/common/scala/build/scoverage" && \
     ln -s /coverage/controller "${OW_ROOT_DIR}/core/controller/build/scoverage"
 
-COPY build/tmp/docker-coverage /controller/
+COPY build/tmp/docker-coverage /controller/
diff --git a/core/invoker/Dockerfile b/core/invoker/Dockerfile
@@ -4,6 +4,8 @@
 FROM scala
 
 ENV DOCKER_VERSION 1.12.0
+ENV UID=1001 \
+    NOT_ROOT_USER=owuser
 
 RUN apk add --update openssl
 
@@ -20,6 +22,7 @@ ADD build/distributions/invoker.tar ./
 
 COPY init.sh /
 RUN chmod +x init.sh
+RUN adduser -D -u ${UID} -h /home/${NOT_ROOT_USER} -s /bin/bash ${NOT_ROOT_USER}
 
 EXPOSE 8080
 CMD ["./init.sh", "0"]