[
https://issues.apache.org/jira/browse/KNOX-3257?focusedWorklogId=1006429&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1006429
]
ASF GitHub Bot logged work on KNOX-3257:
----------------------------------------
Author: ASF GitHub Bot
Created on: 20/Feb/26 17:51
Start Date: 20/Feb/26 17:51
Worklog Time Spent: 10m
Work Description: pzampino commented on code in PR #1151:
URL: https://github.com/apache/knox/pull/1151#discussion_r2834411200
##########
gateway-docker/src/main/resources/docker/Dockerfile:
##########
@@ -16,21 +16,33 @@
FROM openjdk:8-jre-alpine3.8
MAINTAINER Apache Knox <[email protected]>
+USER root
# Make sure required packages are available
-RUN apk --no-cache add bash procps ca-certificates krb5 &&
update-ca-certificates
+RUN apk upgrade --no-cache && \
+ apk add --no-cache openssl \
+ procps \
+ ca-certificates \
+ unzip \
+ nss && \
+ apk add --no-cache bash
-# Create an knox user
-RUN addgroup -S knox && adduser -S -G knox knox
+# Create knox user and group
+# Using GID 8000 for the knox group to allow arbitrary UIDs with this GID
+RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h
/home/knox knox
# Dependencies
ARG RELEASE_FILE
-COPY ${RELEASE_FILE} /home/knox/
+ADD --chown=knox:knox ${RELEASE_FILE} /home/knox/
# Extract the Knox release tar.gz
-RUN cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln
-nsf /home/knox/*/ /home/knox/knox
+RUN chmod 644 /home/knox/*.zip && \
+ cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln
-nsf /home/knox/*/ /home/knox/knox
-# Make sure knox owns its files
-RUN chown -R knox: /home/knox
+# Make sure knox owns its files and make all directories group-accessible for
arbitrary UIDs
+RUN chown -R knox:knox /home/knox && \
+ mkdir -p /home/knox/knox/data/security/keystores && \
Review Comment:
chown -R knox:knox /home/knox --> /home/knox owned by knox user and the knox
group
mkdir -p /home/knox/knox/data/security/keystores
mkdir -p /home/knox/knox/conf --> Creates subdirs owned by root? To which
group do they belong?
find /home/knox -type d -exec chmod g+rwx {} Changes the permissions for the
owning group, right? If this group is knox then I guess that works. If the
group associated with /home/knox/knox/data/security/keystores (for example) is
NOT knox, then I think the group permissions change doesn't have the desired
affect, does it?
What is the rationale for changing the ownership BEFORE creating the subdirs
rather than AFTER? If it was done AFTER, then chown -R knox:knox /home/knox
would apply the knox ownership to all the subdirs.
Issue Time Tracking
-------------------
Worklog Id: (was: 1006429)
Time Spent: 1h 40m (was: 1.5h)
> Update knox image creatation so that we do not need escalated privileges in
> helm install
> ------------------------------------------------------------------------------------------
>
> Key: KNOX-3257
> URL: https://issues.apache.org/jira/browse/KNOX-3257
> Project: Apache Knox
> Issue Type: Bug
> Components: docker
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> Currently knox docker images are created such that only knox user has access
> to it's fil;es and directories. There are times when helm operations want to
> update the keystore, to add certs specifically, such operations need root
> privileges in helm (or use the exact knox UID which cannot be determined by
> helm container init). The proposed solution is to create a group "knox" with
> a specific GID and have all the knox specific dirs owned by this group.
> Then in helm we use that GID to perform operations.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
