[
https://issues.apache.org/jira/browse/KNOX-3257?focusedWorklogId=1006385&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1006385
]
ASF GitHub Bot logged work on KNOX-3257:
----------------------------------------
Author: ASF GitHub Bot
Created on: 20/Feb/26 14:34
Start Date: 20/Feb/26 14:34
Worklog Time Spent: 10m
Work Description: moresandeep commented on code in PR #1151:
URL: https://github.com/apache/knox/pull/1151#discussion_r2833506390
##########
gateway-docker/src/main/resources/docker/Dockerfile:
##########
@@ -16,21 +16,33 @@
FROM openjdk:8-jre-alpine3.8
MAINTAINER Apache Knox <[email protected]>
+USER root
# Make sure required packages are available
-RUN apk --no-cache add bash procps ca-certificates krb5 &&
update-ca-certificates
+RUN apk upgrade --no-cache && \
+ apk add --no-cache openssl \
+ procps \
+ ca-certificates \
+ unzip \
+ nss && \
+ apk add --no-cache bash
-# Create an knox user
-RUN addgroup -S knox && adduser -S -G knox knox
+# Create knox user and group
+# Using GID 8000 for the knox group to allow arbitrary UIDs with this GID
+RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h
/home/knox knox
# Dependencies
ARG RELEASE_FILE
-COPY ${RELEASE_FILE} /home/knox/
+ADD --chown=knox:knox ${RELEASE_FILE} /home/knox/
# Extract the Knox release tar.gz
-RUN cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln
-nsf /home/knox/*/ /home/knox/knox
+RUN chmod 644 /home/knox/*.zip && \
+ cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln
-nsf /home/knox/*/ /home/knox/knox
-# Make sure knox owns its files
-RUN chown -R knox: /home/knox
+# Make sure knox owns its files and make all directories group-accessible for
arbitrary UIDs
+RUN chown -R knox:knox /home/knox && \
+ mkdir -p /home/knox/knox/data/security/keystores && \
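Review bot: On the last visible line, `mkdir -p /home/knox/knox/data/security/keystores` runs after `chown -R knox:knox /home/knox` in the same RUN, so if that directory is not already in the release zip it is created as root:root, and a later `chmod g+rwx` would then open it to root's group rather than to GID 8000. Suggest creating the directory first and running the `chown -R` after it. Separately, the base in the FROM line is Alpine, where BusyBox supplies `addgroup`/`adduser` and `groupadd` comes from the `shadow` package, which the `apk add` list does not install. BusyBox `adduser` also takes the group as `-G` (its `-g` is the GECOS field), so keeping the removed `addgroup -S` / `adduser -S -G knox` form and adding `-g 8000` and `-u 8000` to it would be the safer spelling.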
Review Comment:
Nope, actually `mkdir` creates new directories owned by the current
executing user (which is root at this point in the Dockerfile).
The [subsequent command](https://github.com/apache/knox/pull/1151/changes#diff-2081726cf47ef00f51e773964f9384297212a1d33099002cba220bb3fac825eaR45)
`find /home/knox -type d -exec chmod g+rwx {} \;` changes permissions.
Issue Time Tracking
-------------------
Worklog Id: (was: 1006385)
Time Spent: 1h (was: 50m)
> Update knox image creation so that we do not need escalated privileges in
> helm install
> ------------------------------------------------------------------------------------------
>
> Key: KNOX-3257
> URL: https://issues.apache.org/jira/browse/KNOX-3257
> Project: Apache Knox
> Issue Type: Bug
> Components: docker
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Currently knox docker images are created such that only knox user has access
> to its files and directories. There are times when helm operations want to
> update the keystore, to add certs specifically, such operations need root
> privileges in helm (or use the exact knox UID which cannot be determined by
> helm container init). The proposed solution is to create a group "knox" with
> a specific GID and have all the knox specific dirs owned by this group.
> Then in helm we use that GID to perform operations.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
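
The issue description above relies on every Knox directory being owned by the fixed-GID group and carrying group rwx. The following is an added example, not code from the Knox PR or project, of a check that lists directories failing either condition; the function names and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Knox project code. Names and the demo tree are made up.

# Print one line per directory under ROOT that a process running with an
# arbitrary UID and primary group GID could not read, write and traverse.
audit_group_access() {
    root=$1
    gid=$2
    # Directory group differs from GID (e.g. created by root after chown -R).
    # find's -group accepts a numeric group ID.
    find "$root" -type d ! -group "$gid" | sed 's/^/wrong-group /'
    # Right group, but not all of g+rwx set (-perm -070 means "all three bits").
    find "$root" -type d -group "$gid" ! -perm -070 | sed 's/^/missing-g+rwx /'
}

# Build a constructed tree standing in for /home/knox/knox and print its path.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/conf" "$t/data/security/keystores"
    chmod 770 "$t" "$t/conf" "$t/data" "$t/data/security"
    chmod 700 "$t/data/security/keystores"   # a directory the chmod pass missed
    printf '%s\n' "$t"
}

# Numeric group ID that owns PATH, read portably from `ls -n`.
group_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Usage inside a built image: audit_group_access /home/knox 8000
```

Empty output means every directory passes; any `wrong-group` line points at a directory created after the ownership pass.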