This is an automated email from the ASF dual-hosted git repository.
vvraskin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git
The following commit(s) were added to refs/heads/master by this push:
new f7afa71 Using non root user in controller (#3579)
f7afa71 is described below
commit f7afa71b1156ea193fc1df4bfcdf39fdb64a50c5
Author: Himavanth <[email protected]>
AuthorDate: Thu Oct 11 11:54:12 2018 +0530
Using non root user in controller (#3579)
* Using non root user in controller
Have done some basic testing.
Would like some feedback.
* Fixing jmxremote file permissions
* Triggering build
* Using chown instead of giving full permissions
Using chown instead of giving full permissions
* Permissions to create coverage folder
Permissions to create coverage folder
* Using user's home folder instead of root
The root folder has permission issues in the IBM PG build, so /home/owuser is
used instead of /root to store the jmxremote files. owuser is the new user we
create to avoid running as root. The user is not switched in the invoker
because it is a privileged container.
* Triggering build
Triggering build
---
ansible/group_vars/all | 2 +-
common/scala/copyJMXFiles.sh | 4 ++--
core/controller/Dockerfile | 7 ++++++-
core/controller/Dockerfile.cov | 3 ++-
core/invoker/Dockerfile | 3 +++
5 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
old mode 100644
new mode 100755
index 4229701..8265c4a
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -106,7 +106,7 @@ jmx:
rmiBasePortInvoker: 18000
user: "{{ jmxuser | default('jmxuser') }}"
pass: "{{ jmxuser | default('jmxpass') }}"
- jvmCommonArgs: "-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.local.only=false
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=/root/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/root/jmxremote.access"
+ jvmCommonArgs: "-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.local.only=false
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=/home/owuser/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/home/owuser/jmxremote.access"
enabled: "{{ jmxremote_enabled | default('true') }}"
transactions:
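Review bot: The file mode of ansible/group_vars/all changes from 100644 to 100755 in this commit, which makes a YAML variables file executable for no reason the path change needs; drop the mode bit (`chmod 644 ansible/group_vars/all`) so the diff carries only the jmxremote path update. The new `/home/owuser` location is hard-coded here, again in common/scala/copyJMXFiles.sh, and implicitly as `NOT_ROOT_USER=owuser` in core/controller/Dockerfile, so renaming the user means editing three places; deriving the password and access file paths from one variable would keep them in step. Keep in mind that the JVM rejects a password file that is group- or world-readable and, now running as owuser, can only read one that owuser owns or is otherwise granted, so the files must end up owned by that user after they are moved.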
diff --git a/common/scala/copyJMXFiles.sh b/common/scala/copyJMXFiles.sh
index 82b6fbb..85265b7 100644
--- a/common/scala/copyJMXFiles.sh
+++ b/common/scala/copyJMXFiles.sh
@@ -18,6 +18,6 @@
if [[ $( ls /conf/jmxremote.* 2> /dev/null ) ]]
then
- mv /conf/jmxremote.* /root
- chmod 600 /root/jmxremote.*
+ mv /conf/jmxremote.* /home/owuser
+ chmod 600 /home/owuser/jmxremote.*
fi
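Review bot: `mv /conf/jmxremote.* /home/owuser` followed by `chmod 600` will fail if this script runs as the new non-root controller user while the files under /conf are mounted in owned by root: `mv` needs write access to /conf to unlink the source, and `chmod` on a file you do not own returns EPERM, and neither failure is checked. If the script is meant to run as owuser, copy rather than move so the copies are owned by the caller, `cp /conf/jmxremote.* /home/owuser && chmod 600 /home/owuser/jmxremote.*`; if it runs as root before the user switch, add `chown owuser /home/owuser/jmxremote.*` so the JVM running as owuser can read them. The target directory is also hard-coded instead of derived from the `NOT_ROOT_USER` value the Dockerfiles define. Which user invokes this script is not visible in this hunk.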
diff --git a/core/controller/Dockerfile b/core/controller/Dockerfile
index 23e274d..151444f 100644
--- a/core/controller/Dockerfile
+++ b/core/controller/Dockerfile
@@ -3,6 +3,9 @@
FROM scala
+ENV UID=1001 \
+ NOT_ROOT_USER=owuser
+
# Install swagger-ui
RUN curl -sSL -o swagger-ui-v3.6.0.tar.gz --no-verbose
https://github.com/swagger-api/swagger-ui/archive/v3.6.0.tar.gz && \
mkdir swagger-ui && \
@@ -10,12 +13,14 @@ RUN curl -sSL -o swagger-ui-v3.6.0.tar.gz --no-verbose
https://github.com/swagge
rm swagger-ui-v3.6.0.tar.gz && \
sed -i s#http://petstore.swagger.io/v2/swagger.json#/api/v1/api-docs#g
/swagger-ui/index.html
-#
# Copy app jars
ADD build/distributions/controller.tar /
COPY init.sh /
RUN chmod +x init.sh
+RUN adduser -D -u ${UID} -h /home/${NOT_ROOT_USER} -s /bin/bash
${NOT_ROOT_USER}
+USER ${NOT_ROOT_USER}
+
EXPOSE 8080
CMD ["./init.sh", "0"]
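Review bot: `ENV UID=1001` and `NOT_ROOT_USER=owuser` are only consumed by the `adduser` line, yet `ENV` bakes both into the runtime environment of every controller container and every image built `FROM controller`, and `UID` in particular is a read-only variable in bash, so an inherited `UID` can produce a "readonly variable" warning in any bash script the container runs. Prefer a build argument with a non-clashing name for the numeric id, `ARG OW_UID=1001` and `RUN adduser -D -u ${OW_UID} -h /home/${NOT_ROOT_USER} -s /bin/bash ${NOT_ROOT_USER}`, keeping `NOT_ROOT_USER` as `ENV` only if downstream images rely on it. The same pair of `ENV` lines is added to core/invoker/Dockerfile. Everything placed by `ADD build/distributions/controller.tar /` and `COPY init.sh /` remains root-owned, which is fine for read-only use but means the process cannot write next to its own files once `USER ${NOT_ROOT_USER}` is active, and `-s /bin/bash` assumes bash exists in the `scala` base, which this hunk does not show.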
diff --git a/core/controller/Dockerfile.cov b/core/controller/Dockerfile.cov
index 035ce29..fc0430e 100644
--- a/core/controller/Dockerfile.cov
+++ b/core/controller/Dockerfile.cov
@@ -5,6 +5,7 @@ FROM controller
ARG OW_ROOT_DIR
+USER root
RUN mkdir -p /coverage/common && \
mkdir -p /coverage/controller && \
mkdir -p "${OW_ROOT_DIR}/common/scala/build" && \
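Review bot: `USER root` is added so the `mkdir` and symlink steps can write under `/` and `${OW_ROOT_DIR}`, but nothing switches back, so the coverage image ends as root and undoes the non-root switch the base controller image just gained; add `USER ${NOT_ROOT_USER}` after the final `COPY` (the `ENV` from core/controller/Dockerfile is inherited through `FROM controller`). `/coverage/common` and `/coverage/controller` are created by root, so if the instrumented controller then runs as owuser it presumably needs write access to them to emit scoverage data, e.g. a `chown -R ${NOT_ROOT_USER} /coverage` at the end of the same `RUN`; the consumer of those directories is not visible here. The `RUN` chain that starts in this hunk continues into the next one.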
@@ -12,4 +13,4 @@ RUN mkdir -p /coverage/common && \
ln -s /coverage/common "${OW_ROOT_DIR}/common/scala/build/scoverage" && \
ln -s /coverage/controller "${OW_ROOT_DIR}/core/controller/build/scoverage"
-COPY build/tmp/docker-coverage /controller/
\ No newline at end of file
+COPY build/tmp/docker-coverage /controller/
diff --git a/core/invoker/Dockerfile b/core/invoker/Dockerfile
index 268f24a..ba22363 100644
--- a/core/invoker/Dockerfile
+++ b/core/invoker/Dockerfile
@@ -4,6 +4,8 @@
FROM scala
ENV DOCKER_VERSION 1.12.0
+ENV UID=1001 \
+ NOT_ROOT_USER=owuser
RUN apk add --update openssl
@@ -20,6 +22,7 @@ ADD build/distributions/invoker.tar ./
COPY init.sh /
RUN chmod +x init.sh
+RUN adduser -D -u ${UID} -h /home/${NOT_ROOT_USER} -s /bin/bash
${NOT_ROOT_USER}
EXPOSE 8080
CMD ["./init.sh", "0"]
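Review bot: The invoker now creates `owuser` but never switches to it, so the `ENV UID=1001 / NOT_ROOT_USER=owuser` pair and the `adduser` line leave the image's effective behaviour unchanged while still exporting `UID` and `NOT_ROOT_USER` into every invoker container; the commit message explains that the invoker stays root because it runs as a privileged container, but the Dockerfile itself does not say so. Either drop these lines from the invoker until it can switch user, or record the reason next to them: `# owuser is created for parity with the controller; no USER switch here because the invoker runs as a privileged container (#3579)`. If kept, the same naming concern applies as in the controller: `UID` shadows bash's read-only variable, so a name such as `OW_UID` is safer.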