From: sousaedu
Date: Thu, 14 Oct 2021 02:55:25 +0000 (+0100)
Subject: Fix bug 1705 - Adding non-root user to run RO
X-Git-Tag: v11.0.2~15
X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=bcde9e66b4e89695594dfe29dfbe7172e48dc0fe;p=osm%2Fdevops.git
Fix bug 1705 - Adding non-root user to run RO
Change-Id: I3b5ccbd3efe4284996c81ebc65fc4adf53e9914e
Signed-off-by: sousaedu
(cherry picked from commit 0047e36f32b7ac8bf16fdfc8c142ea153f44d32a)
---
diff --git a/docker/RO/Dockerfile b/docker/RO/Dockerfile
index 8402b426..932fdc3a 100644
--- a/docker/RO/Dockerfile
+++ b/docker/RO/Dockerfile
@@ -98,10 +98,21 @@ COPY --from=INSTALL /usr/local/lib/python3.8/dist-packages /usr/local/lib/pytho
 COPY --from=INSTALL /usr/bin/genisoimage /usr/bin/genisoimage
 COPY --from=INSTALL /etc/protocols /etc/protocols
-VOLUME /var/log/osm
-
 EXPOSE 9090
+# Creating the user for the app
+RUN groupadd -g 1000 appuser && \
+ useradd -u 1000 -g 1000 -d /app appuser && \
+ mkdir -p /app/osm_ro && \
+ mkdir -p /app/storage/kafka && \
+ mkdir /app/log && \
+ chown -R appuser:appuser /app
+
+WORKDIR /app/osm_ro
+
+# Changing the security context
+USER appuser
+
 # Two mysql databases are needed (DB and DB_OVIM). Can be hosted on same or separated containers
 # These ENV must be provided
 ENV RO_DB_HOST=""
@@ -143,4 +154,3 @@ HEALTHCHECK --start-period=130s --interval=10s --timeout=5s --retries=12 \
 CMD curl --silent --fail http://localhost:9090/ro || exit 1
 CMD ["python3", "-u", "-m", "osm_ng_ro.ro_main"]
-
diff --git a/installers/docker/osm_pods/ro.yaml b/installers/docker/osm_pods/ro.yaml
index a8a6d7eb..a66be6d9 100644
--- a/installers/docker/osm_pods/ro.yaml
+++ b/installers/docker/osm_pods/ro.yaml
@@ -62,4 +62,3 @@ spec:
 envFrom:
 - secretRef:
 name: ro-secret
-
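Review bot: `USER appuser` in the added block of the first Dockerfile hunk names the account instead of its numeric id, and Kubernetes cannot verify a named image user against `runAsNonRoot: true`, so a pod that enforces non-root would refuse to start this image; `USER 1000:1000` keeps the same identity and makes that check possible. The ro.yaml section of this commit only drops a trailing blank line, so as far as this diff shows nothing in the pod spec enforces the non-root context yet; a container `securityContext` with `runAsNonRoot: true` and `runAsUser: 1000` would. The same hunk removes `VOLUME /var/log/osm` and creates `/app/log` owned by appuser, so any log or storage path configured outside this hunk that still points at the old location would presumably no longer be writable by the new user, which is worth confirming.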