pzampino commented on code in PR #1151:
URL: https://github.com/apache/knox/pull/1151#discussion_r2834411200


##########
gateway-docker/src/main/resources/docker/Dockerfile:
##########
@@ -16,21 +16,33 @@
 FROM openjdk:8-jre-alpine3.8
 MAINTAINER Apache Knox <[email protected]>
 
+USER root
 # Make sure required packages are available
-RUN apk --no-cache add bash procps ca-certificates krb5 && 
update-ca-certificates
+RUN apk upgrade --no-cache && \
+    apk add --no-cache openssl \
+       procps \
+       ca-certificates \
+       unzip \
+        nss && \
+    apk add --no-cache bash
 
-# Create an knox user
-RUN addgroup -S knox && adduser -S -G knox knox
+# Create knox user and group
+# Using GID 8000 for the knox group to allow arbitrary UIDs with this GID
+RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h 
/home/knox knox
 
 # Dependencies
 ARG RELEASE_FILE
-COPY ${RELEASE_FILE} /home/knox/
+ADD --chown=knox:knox ${RELEASE_FILE} /home/knox/
 
 # Extract the Knox release tar.gz
-RUN cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln 
-nsf /home/knox/*/ /home/knox/knox
+RUN chmod 644 /home/knox/*.zip && \
+    cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln 
-nsf /home/knox/*/ /home/knox/knox
 
-# Make sure knox owns its files
-RUN chown -R knox: /home/knox
+# Make sure knox owns its files and make all directories group-accessible for 
arbitrary UIDs
+RUN chown -R knox:knox /home/knox && \
+    mkdir -p /home/knox/knox/data/security/keystores && \
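Review bot: groupadd on the added line "RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h /home/knox knox" is not a BusyBox applet, the base image is still the unchanged openjdk:8-jre-alpine3.8, and nothing in the new apk add list installs a package that provides it. The removed line used the BusyBox forms addgroup -S and adduser -S -G knox. In BusyBox adduser, -g sets the GECOS field and -G selects the group, so -g knox here does not select the knox group that the GID 8000 comment relies on. Suggest: addgroup -S -g 8000 knox && adduser -S -u 8000 -G knox -h /home/knox knox.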

Review Comment:
   chown -R knox:knox /home/knox --> /home/knox owned by knox user and the knox 
group
   
   mkdir -p /home/knox/knox/data/security/keystores
   mkdir -p /home/knox/knox/conf  --> Creates subdirs owned by root? To which 
group do they belong?
   
   find /home/knox -type d -exec chmod g+rwx {} Changes the permissions for the 
owning group, right? If this group is knox then I guess that works. If the 
group associated with /home/knox/knox/data/security/keystores (for example) is 
NOT knox, then I think the group permissions change doesn't have the desired 
effect, does it?
   
   What is the rationale for changing the ownership BEFORE creating the subdirs 
rather than AFTER? If it was done AFTER, then chown -R knox:knox /home/knox 
would apply the knox ownership to all the subdirs.



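A check that answers the ownership question raised in the review comment for any built tree, added here as an example (not code from the PR or from Knox): it lists directories whose group is not the expected GID or that lack g+rwx. The function name audit_group_dirs is hypothetical; GID 8000 is the value named in the Dockerfile comment.

```shell
#!/bin/sh
# Added example: report directories that a process running with an arbitrary
# UID and the shared group could not fully use.

# audit_group_dirs ROOT GID
# Prints one "ls -ldn" line per offending directory.
# Returns 0 when every directory passes, 1 when any is reported, 2 on bad usage.
audit_group_dirs() {
    root=$1
    gid=$2
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    case $gid in
        ''|*[!0-9]*) echo "GID must be numeric: $gid" >&2; return 2 ;;
    esac

    # A directory is reported when either condition holds:
    #   ! -group GID  : it belongs to another group (e.g. root's, if it was
    #                   created by root after the recursive chown ran)
    #   ! -perm -070  : at least one of g+r, g+w, g+x is missing
    # A numeric GID is used so no /etc/group entry is needed on the host
    # that runs the audit.
    offenders=$(find "$root" -type d \( ! -group "$gid" -o ! -perm -070 \) \
        -exec ls -ldn {} +)

    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}
```

Called as audit_group_dirs /home/knox 8000 after the last ownership and permission step, a non-zero return names the directories that were left outside the knox group or without group access.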