[https://issues.apache.org/jira/browse/KNOX-3257?focusedWorklogId=1006432&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1006432]
ASF GitHub Bot logged work on KNOX-3257:
----------------------------------------
Author: ASF GitHub Bot
Created on: 20/Feb/26 18:23
Start Date: 20/Feb/26 18:23
Worklog Time Spent: 10m
Work Description: moresandeep commented on code in PR #1151:
URL: https://github.com/apache/knox/pull/1151#discussion_r2834440274
##########
gateway-docker/src/main/resources/docker/Dockerfile:
##########
@@ -16,21 +16,33 @@
FROM openjdk:8-jre-alpine3.8
MAINTAINER Apache Knox <[email protected]>
+USER root
# Make sure required packages are available
-RUN apk --no-cache add bash procps ca-certificates krb5 &&
update-ca-certificates
+RUN apk upgrade --no-cache && \
+ apk add --no-cache openssl \
+ procps \
+ ca-certificates \
+ unzip \
+ nss && \
+ apk add --no-cache bash
-# Create an knox user
-RUN addgroup -S knox && adduser -S -G knox knox
+# Create knox user and group
+# Using GID 8000 for the knox group to allow arbitrary UIDs with this GID
+RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h
/home/knox knox
# Dependencies
ARG RELEASE_FILE
-COPY ${RELEASE_FILE} /home/knox/
+ADD --chown=knox:knox ${RELEASE_FILE} /home/knox/
# Extract the Knox release tar.gz
-RUN cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln
-nsf /home/knox/*/ /home/knox/knox
+RUN chmod 644 /home/knox/*.zip && \
+ cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln
-nsf /home/knox/*/ /home/knox/knox
-# Make sure knox owns its files
-RUN chown -R knox: /home/knox
+# Make sure knox owns its files and make all directories group-accessible for
arbitrary UIDs
+RUN chown -R knox:knox /home/knox && \
+ mkdir -p /home/knox/knox/data/security/keystores && \
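Review bot: the `RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h /home/knox knox` line will not work on the `openjdk:8-jre-alpine3.8` base as written. Alpine's busybox ships `addgroup`/`adduser`, not `groupadd` (that comes from the `shadow` package, which the `apk add` list above does not install), busybox `adduser` does not accept `--system`, and its `-g` flag is the GECOS field rather than the primary group. The busybox form of the same intent is `addgroup -S -g 8000 knox && adduser -S -u 8000 -G knox -h /home/knox knox`, which also keeps the image at one user/group toolset instead of mixing shadow-utils and busybox syntax. Note too that the hunk ends mid-command at `mkdir -p /home/knox/knox/data/security/keystores && \`, so the second `mkdir` and the `chmod` the comments below discuss are not visible in this excerpt.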
Review Comment:
> Couldn't `find /home/knox -type d -exec chmod g+rwx {}` be replaced with a recursive chmod? Or are you really intending to apply the permissions only to directories?
Yup, `chmod -R g+rwX /home/knox` is much better.
##########
gateway-docker/src/main/resources/docker/Dockerfile:
##########
@@ -16,21 +16,33 @@
FROM openjdk:8-jre-alpine3.8
MAINTAINER Apache Knox <[email protected]>
+USER root
# Make sure required packages are available
-RUN apk --no-cache add bash procps ca-certificates krb5 &&
update-ca-certificates
+RUN apk upgrade --no-cache && \
+ apk add --no-cache openssl \
+ procps \
+ ca-certificates \
+ unzip \
+ nss && \
+ apk add --no-cache bash
-# Create an knox user
-RUN addgroup -S knox && adduser -S -G knox knox
+# Create knox user and group
+# Using GID 8000 for the knox group to allow arbitrary UIDs with this GID
+RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h
/home/knox knox
# Dependencies
ARG RELEASE_FILE
-COPY ${RELEASE_FILE} /home/knox/
+ADD --chown=knox:knox ${RELEASE_FILE} /home/knox/
# Extract the Knox release tar.gz
-RUN cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln
-nsf /home/knox/*/ /home/knox/knox
+RUN chmod 644 /home/knox/*.zip && \
+ cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln
-nsf /home/knox/*/ /home/knox/knox
-# Make sure knox owns its files
-RUN chown -R knox: /home/knox
+# Make sure knox owns its files and make all directories group-accessible for
arbitrary UIDs
+RUN chown -R knox:knox /home/knox && \
+ mkdir -p /home/knox/knox/data/security/keystores && \
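Review bot: the replacement `RUN apk upgrade --no-cache && apk add --no-cache openssl procps ca-certificates unzip nss && apk add --no-cache bash` silently drops `krb5` and the `update-ca-certificates` call that the removed line ran, with no comment explaining why; if Kerberos client libraries are no longer needed, or the CA bundle refresh was never used by anything outside the JRE's own truststore, say so in a comment, otherwise keep both. Separately, `ADD --chown=knox:knox ${RELEASE_FILE} /home/knox/` should be `COPY --chown=knox:knox ${RELEASE_FILE} /home/knox/`: the release is a local zip that the next `RUN` unpacks itself, and `COPY` is the conventional choice because `ADD` additionally fetches URLs and auto-extracts tar archives, neither of which is wanted here.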
Review Comment:
Thanks @pzampino !
Let me break it down:
- `chown -R knox:knox /home/knox` - Here we change the ownership of /home/knox to knox:knox
- `mkdir -p /home/knox/knox/data/security/keystores` and `mkdir -p /home/knox/knox/conf` create keystore and conf dirs that are owned by root, i.e. root:root. This is because the user of the Dockerfile is root. They belong to root and no group (or the root group, I am not sure but I can find out)
- `find /home/knox -type d -exec chmod g+rwx {}`, specifically `chmod g+rwx /knox/knox`: this adds read, write, execute permissions only for the owning group (which is knox, since knox owns /home/knox), not for all groups. This just changes the permissions and not the ownership of /knox/knox/*, so the owner of /home/knox is knox BUT the owner of /home/knox/knox/conf is root (but any user who belongs to the knox group (i.e. gid 8000) can read, write and execute)
> What is the rationale for changing the ownership BEFORE creating the
subdirs rather than AFTER? If it was done AFTER, then chown -R knox:knox
/home/knox would apply the knox ownership to all the subdirs.
This is an artifact of my trials and errors. Like you pointed out, it's cleaner and less confusing to reorder the commands so the chown -R comes after the mkdir commands.
Let me make that change:
reorder `chown -R knox:knox /home/knox` and `mkdir -p /home/knox/knox/data/security/keystores`, `mkdir -p /home/knox/knox/conf` to be cleaner
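The permission discussion in the two comments above (the `find -type d -exec chmod g+rwx` form versus `chmod -R g+rwX`, and running `mkdir` before the single `chown -R`), as an added shell example that is not code from the Knox PR or the project: it rebuilds the shape of /home/knox in a temp directory with constructed file names (knox-release/, bin/gateway.sh, conf/gateway-site.xml) and shows what each form does to directory and file modes. It assumes GNU or busybox `stat -c '%a'`; the chown to GID 8000 runs only when the script itself runs as root, so on an unprivileged host only the mode bits are demonstrated.

```shell
#!/bin/sh
# Added example, not code from the Knox PR: rebuild the permission-setting step
# of the reviewed Dockerfile on a throwaway tree and compare the two chmod forms
# from the discussion. Every path and file name below is constructed for the
# demo. umask is pinned so results do not depend on the caller's environment.
set -eu
umask 022

KNOX_GID=8000   # the group id chosen in the PR for "arbitrary UID" access

# Lay out a tree shaped like /home/knox after the unzip + symlink step:
#   $1/knox-release/   the extracted release (constructed name)
#   $1/knox -> knox-release
# Modes are set explicitly: dirs 755, a script 755, a config file 644.
make_tree() {
    home="$1"
    mkdir -p "$home/knox-release/bin" "$home/knox-release/conf"
    printf '#!/bin/sh\n' > "$home/knox-release/bin/gateway.sh"
    printf '<configuration/>\n' > "$home/knox-release/conf/gateway-site.xml"
    chmod 755 "$home" "$home/knox-release" "$home/knox-release/bin" "$home/knox-release/conf"
    chmod 755 "$home/knox-release/bin/gateway.sh"
    chmod 644 "$home/knox-release/conf/gateway-site.xml"
    ln -nsf "$home/knox-release" "$home/knox"
}

# Shared first half of both variants, in the reordered form agreed in the
# review: create the dirs helm will write into FIRST, then chown the whole
# tree once so the new dirs pick up knox ownership too (chown needs root).
create_dirs_and_chown() {
    home="$1"
    mkdir -p "$home/knox/data/security/keystores" "$home/knox/conf"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$KNOX_GID:$KNOX_GID" "$home"
    fi
}

# Variant A, the one the author settled on: g+rwX gives the owning group
# read/write on everything and execute only on directories and on files that
# are already executable, so config and keystore files become group-writable
# without a plain file turning into an executable.
grant_group_access_recursive() {
    home="$1"
    create_dirs_and_chown "$home"
    chmod -R g+rwX "$home"
}

# Variant B, the form quoted in the review (with the `\;` that find -exec
# requires): only directories change; every file keeps its original group bits.
grant_group_access_dirs_only() {
    home="$1"
    create_dirs_and_chown "$home"
    find "$home" -type d -exec chmod g+rwx {} \;
}

# Octal mode of a path, e.g. 775 (GNU/busybox stat).
mode_of() {
    stat -c '%a' "$1"
}

# Stand-alone demo: show both variants side by side on fresh trees.
demo_dir=$(mktemp -d)
make_tree "$demo_dir"
grant_group_access_recursive "$demo_dir"
echo "g+rwX : conf dir $(mode_of "$demo_dir/knox-release/conf")," \
     "gateway-site.xml $(mode_of "$demo_dir/knox-release/conf/gateway-site.xml")," \
     "gateway.sh $(mode_of "$demo_dir/knox-release/bin/gateway.sh")"
rm -rf "$demo_dir"
demo_dir=$(mktemp -d)
make_tree "$demo_dir"
grant_group_access_dirs_only "$demo_dir"
echo "dirs  : conf dir $(mode_of "$demo_dir/knox-release/conf")," \
     "gateway-site.xml $(mode_of "$demo_dir/knox-release/conf/gateway-site.xml")," \
     "gateway.sh $(mode_of "$demo_dir/knox-release/bin/gateway.sh")"
rm -rf "$demo_dir"
```

The dirs-only form leaves every file at its original group bits, so a keystore file that already exists under data/security/keystores would still not be writable by another UID in GID 8000, which is exactly the helm operation the ticket wants to enable; `g+rwX` makes files group-writable as well while keeping non-executable files non-executable. The trade-off to weigh is that `g+rwX` also makes the binaries and configuration group-writable, so the GID becomes a second owner of the whole install and any process running with that supplementary group can modify it, not only the keystores.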
Issue Time Tracking
-------------------
Worklog Id: (was: 1006432)
Time Spent: 2h 10m (was: 2h)
> Update knox image creation so that we do not need escalated privileges in
> helm install
> ------------------------------------------------------------------------------------------
>
> Key: KNOX-3257
> URL: https://issues.apache.org/jira/browse/KNOX-3257
> Project: Apache Knox
> Issue Type: Bug
> Components: docker
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> Currently knox docker images are created such that only the knox user has access
> to its files and directories. There are times when helm operations want to
> update the keystore, to add certs specifically; such operations need root
> privileges in helm (or use the exact knox UID, which cannot be determined by
> the helm container init). The proposed solution is to create a group "knox" with
> a specific GID and have all the knox specific dirs owned by this group.
> Then in helm we use that GID to perform operations.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)