From: beierlm
Date: Tue, 15 Feb 2022 16:32:13 +0000 (-0500)
Subject: Fix 1707 - Adding non-root user to run POL
X-Git-Tag: v10.1.0-rc1~8
X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=6227505bd392d7f5bc4158f8d1a4919379bfd29b;p=osm%2Fdevops.git

Fix 1707 - Adding non-root user to run POL

Change-Id: Id03b6350c1db72f1968c1550bb0f54c8269a5509
Signed-off-by: beierlm
---

diff --git a/docker/POL/Dockerfile b/docker/POL/Dockerfile
index a88ecaef..d9585d5b 100644
--- a/docker/POL/Dockerfile
+++ b/docker/POL/Dockerfile
@@ -70,7 +70,22 @@ COPY --from=INSTALL /usr/bin/mysqlshow /usr/bin/
 COPY --from=INSTALL /usr/lib/x86_64-linux-gnu/libedit.so.2 /usr/lib/x86_64-linux-gnu/
 COPY --from=INSTALL /usr/lib/x86_64-linux-gnu/libbsd.so.0 /usr/lib/x86_64-linux-gnu/
 
-COPY scripts/ scripts/
+COPY scripts/ /app/osm_pol/scripts/
+
+# Creating the user for the app
+RUN groupadd -g 1000 appuser && \
+    useradd -u 1000 -g 1000 -d /app appuser && \
+    mkdir -p /app/osm_pol && \
+    mkdir -p /app/storage/kafka && \
+    mkdir /app/log && \
+    chown -R appuser:appuser /app
+
+WORKDIR /app/osm_pol
+
+# Changing the security context
+USER appuser
+
+########################################################################
 
 ENV OSMPOL_MESSAGE_DRIVER kafka
 ENV OSMPOL_MESSAGE_HOST kafka
diff --git a/installers/docker/osm_pods/pol.yaml b/installers/docker/osm_pods/pol.yaml
index bb09ed26..791c5e7e 100644
--- a/installers/docker/osm_pods/pol.yaml
+++ b/installers/docker/osm_pods/pol.yaml
@@ -30,6 +30,10 @@ spec:
       labels:
         app: pol
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
       initContainers:
       - name: kafka-mongo-test
         image: alpine:latest
@@ -47,10 +51,3 @@ spec:
         envFrom:
         - secretRef:
             name: pol-secret
-        volumeMounts:
-        - name: db
-          mountPath: /app/database
-      volumes:
-      - name: db
-        hostPath:
-          path: /var/lib/osm/osm_pol_db/_data
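Review bot: The uid/gid 1000 fixed by `groupadd -g 1000` / `useradd -u 1000 -g 1000` in the new RUN step is silently coupled to the `runAsUser`/`runAsGroup` values added to installers/docker/osm_pods/pol.yaml in the same commit, and nothing in the Dockerfile records that; the comment above the step should say so, e.g. `# Creating the user for the app (uid/gid 1000 must match runAsUser/runAsGroup in installers/docker/osm_pods/pol.yaml)`. The account is also created with the distribution's default login shell although it exists only to run the service, so `useradd ... -s /usr/sbin/nologin` would be the usual hardening, provided that path exists in the base image (not visible here). Minor style point: `mkdir /app/log` is the only mkdir in the chain without `-p`, so the layer fails if an earlier layer already provides that directory; making it `mkdir -p /app/log` keeps the chain consistent.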
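Review bot: The new pod-level securityContext pins the uid/gid but does not set `runAsNonRoot: true`, so the kubelet will not refuse to start the pod if `runAsUser` is later dropped or the image's `USER` drifts back to root; add `runAsNonRoot: true` alongside `runAsUser: 1000` (and, while here, `seccompProfile: { type: RuntimeDefault }` is the usual companion). Because the context is set at pod level it also applies to the `kafka-mongo-test` init container on alpine:latest, whose command is outside the hunk, so it is worth confirming that it needs no root and noting that in a comment above `securityContext:`. `fsGroup: 1000` has nothing to act on once the following hunk removes the pod's only volume (the hostPath mounted at /app/database), and fsGroup would not have applied to a hostPath volume anyway; if dropping that persistent mount is intentional, the commit description should say so, since it is not implied by the "non-root user" subject.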