Fix bug 1708 - Adding non-root user to run PLA
Change-Id: I4c22ceb50c953f75654670fdd1b35e55e90db280
Signed-off-by: sousaedu <eduardo.sousa@canonical.com>
diff --git a/docker/PLA/Dockerfile b/docker/PLA/Dockerfile
index 36865e5..c86d973 100644
--- a/docker/PLA/Dockerfile
+++ b/docker/PLA/Dockerfile
@@ -75,12 +75,26 @@
COPY --from=INSTALL /usr/bin/osm* /usr/bin/
COPY --from=INSTALL /minizinc /minizinc
-RUN mkdir /entry_data \
- && mkdir /entry_data/mzn-lib \
- && ln -s /entry_data/mzn-lib /minizinc/share/minizinc/exec
+RUN mkdir /entry_data && \
+ mkdir /placement && \
+ mkdir /entry_data/mzn-lib && \
+ ln -s /entry_data/mzn-lib /minizinc/share/minizinc/exec
-COPY scripts/ scripts/
-RUN mkdir /placement
+COPY scripts/ /app/osm_pla/scripts/
+
+# Creating the user for the app
+RUN groupadd -g 1000 appuser && \
+ useradd -u 1000 -g 1000 -d /app appuser && \
+ mkdir -p /app/osm_pla && \
+ chown -R appuser:appuser /app && \
+ chown -R appuser:appuser /entry_data && \
+ chown -R appuser:appuser /minizinc && \
+ chown -R appuser:appuser /placement
+
+WORKDIR /app/osm_pla
+
+# Changing the security context
+USER appuser
ENV OSMPLA_MESSAGE_DRIVER kafka
ENV OSMPLA_MESSAGE_HOST kafka
@@ -101,4 +115,4 @@
#HEALTHCHECK --start-period=120s --interval=10s --timeout=5s --retries=5 \
# CMD osm-pla-healthcheck || exit 1
-CMD /bin/bash scripts/start.sh
+CMD [ "/bin/bash", "scripts/start.sh" ]
diff --git a/installers/docker/osm_pla/pla.yaml b/installers/docker/osm_pla/pla.yaml
index 00c5cb0..79590ed 100644
--- a/installers/docker/osm_pla/pla.yaml
+++ b/installers/docker/osm_pla/pla.yaml
@@ -29,6 +29,10 @@
labels:
app: pla
spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
initContainers:
- name: kafka-mongo-test
image: alpine:latest
@@ -43,10 +47,3 @@
value: kafka
- name: OSMPLA_DATABASE_URI
value: mongodb://mongodb-k8s:27017/?replicaSet=rs0
- volumeMounts:
- - name: osm-packages
- mountPath: /app/storage
- volumes:
- - name: osm-packages
- hostPath:
- path: /var/lib/osm/osm_osm_packages/_data