[
https://issues.apache.org/jira/browse/KNOX-3257?focusedWorklogId=1006430&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1006430
]
ASF GitHub Bot logged work on KNOX-3257:
----------------------------------------
Author: ASF GitHub Bot
Created on: 20/Feb/26 17:53
Start Date: 20/Feb/26 17:53
Worklog Time Spent: 10m
Work Description: pzampino commented on code in PR #1151:
URL: https://github.com/apache/knox/pull/1151#discussion_r2834419260
##########
gateway-docker/src/main/resources/docker/Dockerfile:
##########
@@ -16,21 +16,33 @@
FROM openjdk:8-jre-alpine3.8
MAINTAINER Apache Knox <[email protected]>
+USER root
# Make sure required packages are available
-RUN apk --no-cache add bash procps ca-certificates krb5 &&
update-ca-certificates
+RUN apk upgrade --no-cache && \
+ apk add --no-cache openssl \
+ procps \
+ ca-certificates \
+ unzip \
+ nss && \
+ apk add --no-cache bash
-# Create an knox user
-RUN addgroup -S knox && adduser -S -G knox knox
+# Create knox user and group
+# Using GID 8000 for the knox group to allow arbitrary UIDs with this GID
+RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h
/home/knox knox
# Dependencies
ARG RELEASE_FILE
-COPY ${RELEASE_FILE} /home/knox/
+ADD --chown=knox:knox ${RELEASE_FILE} /home/knox/
# Extract the Knox release tar.gz
-RUN cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln
-nsf /home/knox/*/ /home/knox/knox
+RUN chmod 644 /home/knox/*.zip && \
+ cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln
-nsf /home/knox/*/ /home/knox/knox
-# Make sure knox owns its files
-RUN chown -R knox: /home/knox
+# Make sure knox owns its files and make all directories group-accessible for
arbitrary UIDs
+RUN chown -R knox:knox /home/knox && \
+ mkdir -p /home/knox/knox/data/security/keystores && \
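Review bot: On the user-creation line, `groupadd` is not a BusyBox applet on the `openjdk:8-jre-alpine3.8` base and nothing in the `apk add` list (there is no `shadow` package) provides it. In BusyBox `adduser` the lowercase `-g` sets the GECOS field, not the group, so `adduser --system -u 8000 -g knox` does not place the user in the knox group the way the removed `adduser -S -G knox knox` did. Suggest keeping the BusyBox tools with the fixed IDs, for example `addgroup -S -g 8000 knox && adduser -S -u 8000 -G knox -h /home/knox knox`. Separately, `krb5` is dropped from the package list without a comment explaining why, and `ADD --chown=knox:knox ${RELEASE_FILE}` could remain `COPY --chown=knox:knox`, since the zip is unpacked by the following `RUN` anyway.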
Review Comment:
Also, couldn't `find /home/knox -type d -exec chmod g+rwx {}` be replaced
with a recursive `chmod`?
Issue Time Tracking
-------------------
Worklog Id: (was: 1006430)
Time Spent: 1h 50m (was: 1h 40m)
> Update knox image creation so that we do not need escalated privileges in
> helm install
> ------------------------------------------------------------------------------------------
>
> Key: KNOX-3257
> URL: https://issues.apache.org/jira/browse/KNOX-3257
> Project: Apache Knox
> Issue Type: Bug
> Components: docker
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> Currently knox docker images are created such that only knox user has access
> to its files and directories. There are times when helm operations want to
> update the keystore, to add certs specifically, such operations need root
> privileges in helm (or use the exact knox UID which cannot be determined by
> helm container init). The proposed solution is to create a group "knox" with
> a specific GID and have all the knox specific dirs owned by this group.
> Then in helm we use that GID to perform operations.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
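The review comment above asks whether the `find ... -type d -exec chmod g+rwx` form could be a recursive `chmod`; this added example (not code from PR #1151 or the Knox project) applies each form to a throwaway tree and reports the resulting modes. The tree mirrors the keystores path from the hunk, and the file names in it are constructed.

```shell
#!/bin/sh
# Added example: compare three ways of granting a group access to a tree.
# All paths and file names below are constructed for the demonstration.

# Build a throwaway tree shaped like the Knox home: dirs 0755, files 0644.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/knox/data/security/keystores"
    : > "$root/knox/data/security/keystores/example.jks"
    : > "$root/knox/example.xml"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    echo "$root"
}

# Print the octal mode of a path (GNU/BusyBox stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Apply one strategy to a fresh tree and print "<dir mode> <file mode>".
try_strategy() {
    root=$(make_tree)
    case "$1" in
        find_dirs)   find "$root" -type d -exec chmod g+rwx {} + ;;  # dirs only
        recursive_x) chmod -R g+rwx "$root" ;;   # also marks files executable
        recursive_X) chmod -R g+rwX "$root" ;;   # x only on dirs / already-exec files
        *) echo "unknown strategy: $1" >&2; rm -rf "$root"; return 2 ;;
    esac
    d=$(mode_of "$root/knox/data/security/keystores")
    f=$(mode_of "$root/knox/data/security/keystores/example.jks")
    rm -rf "$root"
    echo "$d $f"
}

for s in find_dirs recursive_x recursive_X; do
    printf '%-12s dir/file modes: %s\n' "$s" "$(try_strategy "$s")"
done
```

A plain `chmod -R g+rwx` leaves the keystore file group-executable, while the `find -type d` form leaves files untouched, so group members can replace a file through the directory but not write to it in place.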