From 6227505bd392d7f5bc4158f8d1a4919379bfd29b Mon Sep 17 00:00:00 2001
From: beierlm
Date: Tue, 15 Feb 2022 11:32:13 -0500
Subject: [PATCH] Fix 1707 - Adding non-root user to run POL

Change-Id: Id03b6350c1db72f1968c1550bb0f54c8269a5509
Signed-off-by: beierlm
---
 docker/POL/Dockerfile | 17 ++++++++++++++++-
 installers/docker/osm_pods/pol.yaml | 11 ++++------
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/docker/POL/Dockerfile b/docker/POL/Dockerfile
index a88ecaef..d9585d5b 100644
--- a/docker/POL/Dockerfile
+++ b/docker/POL/Dockerfile
@@ -70,7 +70,22 @@ COPY --from=INSTALL /usr/bin/mysqlshow /usr/bin/
 COPY --from=INSTALL /usr/lib/x86_64-linux-gnu/libedit.so.2 /usr/lib/x86_64-linux-gnu/
 COPY --from=INSTALL /usr/lib/x86_64-linux-gnu/libbsd.so.0 /usr/lib/x86_64-linux-gnu/
 
-COPY scripts/ scripts/
+COPY scripts/ /app/osm_pol/scripts/
+
+# Creating the user for the app
+RUN groupadd -g 1000 appuser && \
+ useradd -u 1000 -g 1000 -d /app appuser && \
+ mkdir -p /app/osm_pol && \
+ mkdir -p /app/storage/kafka && \
+ mkdir /app/log && \
+ chown -R appuser:appuser /app
+
+WORKDIR /app/osm_pol
+
+# Changing the security context
+USER appuser
+
+########################################################################
 
 ENV OSMPOL_MESSAGE_DRIVER kafka
 ENV OSMPOL_MESSAGE_HOST kafka
diff --git a/installers/docker/osm_pods/pol.yaml b/installers/docker/osm_pods/pol.yaml
index bb09ed26..791c5e7e 100644
--- a/installers/docker/osm_pods/pol.yaml
+++ b/installers/docker/osm_pods/pol.yaml
@@ -30,6 +30,10 @@ spec:
 labels:
 app: pol
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
 initContainers:
 - name: kafka-mongo-test
 image: alpine:latest
@@ -47,10 +51,3 @@ spec:
 envFrom:
 - secretRef:
 name: pol-secret
- volumeMounts:
- - name: db
- mountPath: /app/database
- volumes:
- - name: db
- hostPath:
- path: /var/lib/osm/osm_pol_db/_data
-- 
2.25.1
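Review bot: The `chown -R appuser:appuser /app` at the end of the added RUN line also hands ownership of the application code just copied to /app/osm_pol/scripts/ (and of anything later layers place under /app/osm_pol) to the runtime user, so a compromised process could rewrite its own code; ownership is only needed where the app writes. Consider leaving code root-owned and narrowing the step to `chown -R appuser:appuser /app/storage /app/log`, assuming nothing under /app/osm_pol has to be writable at runtime — worth confirming before changing it. The UID/GID 1000 is also duplicated in pol.yaml's securityContext, so a comment above the RUN such as `# UID/GID 1000 must match runAsUser/runAsGroup in installers/docker/osm_pods/pol.yaml` would help keep the two in step. The Dockerfile stage continues outside the hunk.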
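Review bot: The new pod-level securityContext pins UID/GID 1000 but does not set `runAsNonRoot: true`, so if a future image (or the `alpine:latest` init container, which this pod-level context also governs) ran as UID 0 the kubelet would not refuse to start it; add `runAsNonRoot: true` next to `runAsUser: 1000` so the non-root requirement is enforced rather than merely configured. `fsGroup: 1000` only changes ownership of supported volumes, and with the `volumes:` block deleted later in this commit it appears to have nothing to act on unless a volume is declared outside the hunk — harmless, but a short comment stating why it is there would avoid the question. The pod spec continues outside the hunk.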