Fix bug 1707 - Adding non-root user to run POL 70/11670/2
authorsousaedu <eduardo.sousa@canonical.com>
Thu, 14 Oct 2021 14:16:59 +0000 (15:16 +0100)
committerbeierlm <mark.beierl@canonical.com>
Fri, 11 Feb 2022 13:53:31 +0000 (14:53 +0100)
Change-Id: I4b3df48e7c277de7ccd91b4a017577942ec4926f
Signed-off-by: sousaedu <eduardo.sousa@canonical.com>
(cherry picked from commit ce5d704ed7b2ea168d0a5d74e6d3558d5a262f3a)

docker/POL/Dockerfile
installers/docker/osm_pods/pol.yaml

index a88ecae..d9585d5 100644 (file)
@@ -70,7 +70,22 @@ COPY --from=INSTALL /usr/bin/mysqlshow /usr/bin/
 COPY --from=INSTALL /usr/lib/x86_64-linux-gnu/libedit.so.2 /usr/lib/x86_64-linux-gnu/
 COPY --from=INSTALL /usr/lib/x86_64-linux-gnu/libbsd.so.0 /usr/lib/x86_64-linux-gnu/
 
-COPY scripts/ scripts/
+COPY scripts/ /app/osm_pol/scripts/
+
+# Creating the user for the app
+RUN groupadd -g 1000 appuser && \
+    useradd -u 1000 -g 1000 -d /app appuser && \
+    mkdir -p /app/osm_pol && \
+    mkdir -p /app/storage/kafka && \
+    mkdir /app/log && \
+    chown -R appuser:appuser /app
+
+WORKDIR /app/osm_pol
+
+# Changing the security context
+USER appuser
+
+########################################################################
 
 ENV OSMPOL_MESSAGE_DRIVER kafka
 ENV OSMPOL_MESSAGE_HOST kafka
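Review bot: `chown -R appuser:appuser /app` on the new RUN line also hands the application code under /app/osm_pol (including the scripts copied two lines above) to the user the service runs as, so a compromised process could rewrite its own code; only the runtime directories need to be writable. Suggest `chown -R appuser:appuser /app/storage /app/log` and leaving /app/osm_pol root-owned and world-readable, unless the process writes into its home or working directory at runtime, which this hunk does not show. The service account is also created with the default login shell; `useradd -u 1000 -g 1000 -d /app -s /usr/sbin/nologin appuser` (path as on Debian/Ubuntu bases) keeps it non-interactive. The UID/GID 1000 here must stay in sync with runAsUser/runAsGroup in installers/docker/osm_pods/pol.yaml; a comment such as `# UID/GID must match securityContext in installers/docker/osm_pods/pol.yaml` above the RUN would make that coupling visible.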
index 7f14225..5f562c2 100644 (file)
@@ -30,6 +30,10 @@ spec:
       labels:
         app: pol
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
       initContainers:
       - name: kafka-mongo-test
         image: alpine:latest
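Review bot: The new pod-level securityContext pins the UID but does not assert non-root; adding `runAsNonRoot: true` next to `runAsUser: 1000` states the intent explicitly and makes the pod fail validation if runAsUser is ever removed or set to 0, instead of silently falling back to the image's default user. A pod-level securityContext also applies to the `kafka-mongo-test` init container on the lines below, so that alpine container now runs as 1000:1000 as well; if its check needs root (not visible in this hunk) it would need its own container-level securityContext. The `securityContext:` key is also the natural place for a one-line comment tying 1000 to the user created in docker/POL/Dockerfile, e.g. `# must match the appuser UID/GID created in docker/POL/Dockerfile`.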
@@ -47,10 +51,3 @@ spec:
         envFrom:
         - secretRef:
              name: pol-secret
-        volumeMounts:
-        - name: db
-          mountPath: /app/database
-      volumes:
-      - name: db
-        hostPath:
-         path: /var/lib/osm/osm_pol_db/_data