moresandeep commented on code in PR #1151: URL: https://github.com/apache/knox/pull/1151#discussion_r2834440274
########## gateway-docker/src/main/resources/docker/Dockerfile: ########## @@ -16,21 +16,33 @@ FROM openjdk:8-jre-alpine3.8 MAINTAINER Apache Knox <[email protected]> +USER root # Make sure required packages are available -RUN apk --no-cache add bash procps ca-certificates krb5 && update-ca-certificates +RUN apk upgrade --no-cache && \ + apk add --no-cache openssl \ + procps \ + ca-certificates \ + unzip \ + nss && \ + apk add --no-cache bash -# Create an knox user -RUN addgroup -S knox && adduser -S -G knox knox +# Create knox user and group +# Using GID 8000 for the knox group to allow arbitrary UIDs with this GID +RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h /home/knox knox # Dependencies ARG RELEASE_FILE -COPY ${RELEASE_FILE} /home/knox/ +ADD --chown=knox:knox ${RELEASE_FILE} /home/knox/ # Extract the Knox release tar.gz -RUN cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln -nsf /home/knox/*/ /home/knox/knox +RUN chmod 644 /home/knox/*.zip && \ + cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln -nsf /home/knox/*/ /home/knox/knox -# Make sure knox owns its files -RUN chown -R knox: /home/knox +# Make sure knox owns its files and make all directories group-accessible for arbitrary UIDs +RUN chown -R knox:knox /home/knox && \ + mkdir -p /home/knox/knox/data/security/keystores && \ Review Comment: > couldn't find /home/knox -type d -exec chmod g+rwx {} be replaced with a recursive chmod? Or are you really intending to apply the permissions only to directories? Yup, `chmod -R g+rwX /home/knox` is much better. ########## gateway-docker/src/main/resources/docker/Dockerfile: ########## @@ -16,21 +16,33 @@ FROM openjdk:8-jre-alpine3.8 MAINTAINER Apache Knox <[email protected]> +USER root # Make sure required packages are available -RUN apk --no-cache add bash procps ca-certificates krb5 && update-ca-certificates +RUN apk upgrade --no-cache && \ + apk add --no-cache openssl \ + procps \ + ca-certificates \ + unzip \ + nss && \ + apk add --no-cache bash -# Create an knox user -RUN addgroup -S knox && adduser -S -G knox knox +# Create knox user and group +# Using GID 8000 for the knox group to allow arbitrary UIDs with this GID +RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h /home/knox knox # Dependencies ARG RELEASE_FILE -COPY ${RELEASE_FILE} /home/knox/ +ADD --chown=knox:knox ${RELEASE_FILE} /home/knox/ # Extract the Knox release tar.gz -RUN cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln -nsf /home/knox/*/ /home/knox/knox +RUN chmod 644 /home/knox/*.zip && \ + cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln -nsf /home/knox/*/ /home/knox/knox -# Make sure knox owns its files -RUN chown -R knox: /home/knox +# Make sure knox owns its files and make all directories group-accessible for arbitrary UIDs +RUN chown -R knox:knox /home/knox && \ + mkdir -p /home/knox/knox/data/security/keystores && \ Review Comment: Thanks @pzampino ! let me break it down - `chown -R knox:knox /home/knox` - Here we change the ownership of /home/knox to knox:knox - `mkdir -p /home/knox/knox/data/security/keystores` and `mkdir -p /home/knox/knox/conf` creates keystore and conf dirs that are owned by root, i.e. roor:root. This is because the user of docker file is root. They belong to root and no group (or the root group, i am not sure but I can find out) - `find /home/knox -type d -exec chmod g+rwx {}` specifically `chmod g+rwx /knox/knox` This adds read, write, execute permissions only for the owning group (which is knox, since knox owns /home/knox), not for all groups. This just changes the permissions and not the ownership of /knox/knox/* so owner of /home/knox is knox BUT owner of /home/knox/knox/conf is root (but any user who belongs to knox group (i.e. gid 8000) can read,write and execute ) > What is the rationale for changing the ownership BEFORE creating the subdirs rather than AFTER? If it was done AFTER, then chown -R knox:knox /home/knox would apply the knox ownership to all the subdirs. This is an artifact of my trials and errors. Like you pointed out it's cleaner and less confusing to reorder the commands so the chown -R comes after the mkdir commands. Let me make that change: reorder `chown -R knox:knox /home/knox` and `mkdir -p /home/knox/knox/data/security/keystores` , `mkdir -p /home/knox/knox/conf` to be more cleaner -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
