Fix 1704 - Adding non-root user to run LCM

Change-Id: Ic250be888be01b53a2e71127ddd1d2a5cc0edb03 Signed-off-by: Mark Beierl <mark.beierl@canonical.com>

Fix 1704 - Adding non-root user to run LCM
Change-Id: Ic250be888be01b53a2e71127ddd1d2a5cc0edb03 Signed-off-by: Mark Beierl <mark.beierl@canonical.com>
abc56a90 · Mark Beierl · 31b27b3f · abc56a90 · abc56a90
Commit abc56a90 authored 3 years ago by Mark Beierl
--- a/docker/LCM/Dockerfile
+++ b/docker/LCM/Dockerfile
@@ -54,7 +54,6 @@ RUN curl https://get.helm.sh/helm-v3.7.2-linux-amd64.tar.gz --output helm-v3.7.2
    && mv linux-amd64/helm /usr/local/bin/helm3 \
    && rm -r linux-amd64/

-
 ARG PYTHON3_OSM_COMMON_URL
 ARG PYTHON3_OSM_LCM_URL
 ARG PYTHON3_N2VC_URL
@@ -104,14 +103,22 @@ COPY --from=INSTALL /usr/bin/ssh /usr/bin/ssh
 COPY --from=INSTALL /usr/lib/x86_64-linux-gnu/ /usr/lib/x86_64-linux-gnu/
 COPY --from=INSTALL /lib/x86_64-linux-gnu/ /lib/x86_64-linux-gnu/

-COPY scripts/ scripts/
+COPY scripts/ /app/osm_lcm/scripts/

-########################################################################
+# Creating the user for the app
+RUN groupadd -g 1000 appuser && \
+    useradd -u 1000 -g 1000 -d /app appuser && \
+    mkdir -p /app/osm_lcm && \
+    mkdir -p /app/storage/kafka && \
+    mkdir /app/log && \
+    chown -R appuser:appuser /app

-# Used for local storage
-VOLUME /app/storage
-# Used for logs
-VOLUME /app/log
+WORKDIR /app/osm_lcm
+
+# Changing the security context
+USER appuser
+
+########################################################################

 # The following ENV can be added with "docker run -e xxx' to configure LCM
 ENV OSMLCM_RO_HOST         ro
@@ -159,7 +166,5 @@ ENV OSMLCM_VCA_STABLEREPOURL https://charts.helm.sh/stable
 HEALTHCHECK --start-period=120s --interval=30s --timeout=30s --retries=1 \
  CMD python3 -m osm_lcm.lcm_hc || exit 1

-
 # Run app.py when the container launches
 CMD [ "/bin/bash", "scripts/start.sh" ]
-
--- a/installers/docker/osm_pods/lcm.yaml
+++ b/installers/docker/osm_pods/lcm.yaml
@@ -31,6 +31,10 @@ spec:
      labels:
        app: lcm
    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
      initContainers:
       - name: kafka-ro-mongo-test
         image: alpine:latest
@@ -55,11 +59,4 @@ spec:
          value: mongodb://mongodb-k8s:27017/?replicaSet=rs0
        envFrom:
        - secretRef:
-           name: lcm-secret
-        volumeMounts:
-        - name: osm-packages
-          mountPath: /app/storage
-      volumes:
-      - name: osm-packages
-        hostPath:
-         path: /var/lib/osm/osm_osm_packages/_data
+            name: lcm-secret