From: sousaedu Date: Tue, 9 Nov 2021 23:59:54 +0000 (+0000) Subject: Fix bug 1708 - Adding non-root user to run PLA X-Git-Tag: v10.1.0-rc1~10 X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=refs%2Fchanges%2F78%2F11678%2F2;p=osm%2Fdevops.git Fix bug 1708 - Adding non-root user to run PLA Change-Id: I4c22ceb50c953f75654670fdd1b35e55e90db280 Signed-off-by: sousaedu
---
diff --git a/docker/PLA/Dockerfile b/docker/PLA/Dockerfile
index 36865e5c..c86d973a 100644
--- a/docker/PLA/Dockerfile
+++ b/docker/PLA/Dockerfile
@@ -75,12 +75,26 @@ COPY --from=INSTALL /usr/local/lib/python3.8/dist-packages /usr/local/lib/python
 COPY --from=INSTALL /usr/bin/osm* /usr/bin/
 COPY --from=INSTALL /minizinc /minizinc
-RUN mkdir /entry_data \
- && mkdir /entry_data/mzn-lib \
- && ln -s /entry_data/mzn-lib /minizinc/share/minizinc/exec
+RUN mkdir /entry_data && \
+ mkdir /placement && \
+ mkdir /entry_data/mzn-lib && \
+ ln -s /entry_data/mzn-lib /minizinc/share/minizinc/exec
-COPY scripts/ scripts/
-RUN mkdir /placement
+COPY scripts/ /app/osm_pla/scripts/
+
+# Creating the user for the app
+RUN groupadd -g 1000 appuser && \
+ useradd -u 1000 -g 1000 -d /app appuser && \
+ mkdir -p /app/osm_pla && \
+ chown -R appuser:appuser /app && \
+ chown -R appuser:appuser /entry_data && \
+ chown -R appuser:appuser /minizinc && \
+ chown -R appuser:appuser /placement
+
+WORKDIR /app/osm_pla
+
+# Changing the security context
+USER appuser
 ENV OSMPLA_MESSAGE_DRIVER kafka
 ENV OSMPLA_MESSAGE_HOST kafka
@@ -101,4 +115,4 @@ ENV LD_LIBRARY_PATH "/minizinc/lib:${LD_LIBRARY_PATH}"
 #HEALTHCHECK --start-period=120s --interval=10s --timeout=5s --retries=5 \
 # CMD osm-pla-healthcheck || exit 1
-CMD /bin/bash scripts/start.sh
+CMD [ "/bin/bash", "scripts/start.sh" ]
diff --git a/installers/docker/osm_pla/pla.yaml b/installers/docker/osm_pla/pla.yaml
index ce7326bc..97a4280a 100644
--- a/installers/docker/osm_pla/pla.yaml
+++ b/installers/docker/osm_pla/pla.yaml
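Review bot: The recursive `chown` of `/app` and `/minizinc` in the new user-creation `RUN` gives the runtime account write access to the start scripts and to the solver binaries and libraries (`/minizinc/lib` is on `LD_LIBRARY_PATH`), so a process running as `appuser` can still replace code the container later executes or loads. If PLA only needs to write under `/entry_data` and `/placement` (not visible in this hunk, so worth confirming), leave `/app` and `/minizinc` root-owned and reduce the ownership change to `chown -R appuser:appuser /entry_data /placement`. Leaving `/minizinc` alone also avoids the extra image layer that a recursive `chown` of an already-copied tree creates. UID/GID 1000 has to stay in step with the `runAsUser`/`runAsGroup` values this commit adds to `pla.yaml`; a one-line comment next to `groupadd` saying so would help.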
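Review bot: The exec-form `CMD` keeps the relative path `scripts/start.sh`, so it resolves only because of the `WORKDIR /app/osm_pla` added in the previous hunk; a `workingDir` override in a pod spec or a later WORKDIR change would stop the container from starting. Writing it as `CMD [ "/bin/bash", "/app/osm_pla/scripts/start.sh" ]` removes that coupling. With the exec form bash runs as PID 1 and receives signals directly, so it is worth checking that `start.sh` (not shown here) launches the service with `exec` so that SIGTERM reaches it.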
@@ -29,6 +29,10 @@ spec:
 labels:
 app: pla
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
 initContainers:
 - name: kafka-mongo-test
 image: alpine:latest
@@ -43,10 +47,3 @@ spec:
 value: kafka
 - name: OSMPLA_DATABASE_URI
 value: mongodb://mongodb-k8s:27017/?replicaSet=rs0
- volumeMounts:
- - name: osm-packages
- mountPath: /app/storage
- volumes:
- - name: osm-packages
- hostPath:
- path: /var/lib/osm/osm_osm_packages/_data
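Review bot: The new pod-level `securityContext` pins UID/GID 1000 but does not set `runAsNonRoot: true`, so nothing in the manifest states that root is forbidden; adding `runAsNonRoot: true` beside `runAsUser` makes the kubelet refuse to start a container if the effective UID ever becomes 0 through a later edit or a container-level override. Because the block sits at pod level it also applies to the `kafka-mongo-test` init container running `alpine:latest`; its command is outside this hunk, so confirm it works as UID 1000. A container-level `securityContext` with `allowPrivilegeEscalation: false` and all capabilities dropped would complete the hardening. `fsGroup` only affects mounted volumes, so it looks unnecessary if the `osm-packages` volume removed in the next hunk was the pod's only one.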