From 78c1cb4a99c2054187abe77eb7e15b67561bbd18 Mon Sep 17 00:00:00 2001
From: sousaedu
Date: Thu, 14 Oct 2021 15:16:59 +0100
Subject: [PATCH] Fix bug 1707 - Adding non-root user to run POL

Change-Id: I4b3df48e7c277de7ccd91b4a017577942ec4926f
Signed-off-by: sousaedu
(cherry picked from commit ce5d704ed7b2ea168d0a5d74e6d3558d5a262f3a)
---
 docker/POL/Dockerfile               | 17 ++++++++++++++++-
 installers/docker/osm_pods/pol.yaml | 11 ++++-------
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/docker/POL/Dockerfile b/docker/POL/Dockerfile
index a88ecaef..d9585d5b 100644
--- a/docker/POL/Dockerfile
+++ b/docker/POL/Dockerfile
@@ -70,7 +70,22 @@ COPY --from=INSTALL /usr/bin/mysqlshow /usr/bin/
 COPY --from=INSTALL /usr/lib/x86_64-linux-gnu/libedit.so.2 /usr/lib/x86_64-linux-gnu/
 COPY --from=INSTALL /usr/lib/x86_64-linux-gnu/libbsd.so.0 /usr/lib/x86_64-linux-gnu/
 
-COPY scripts/ scripts/
+COPY scripts/ /app/osm_pol/scripts/
+
+# Creating the user for the app
+RUN groupadd -g 1000 appuser && \
+    useradd -u 1000 -g 1000 -d /app appuser && \
+    mkdir -p /app/osm_pol && \
+    mkdir -p /app/storage/kafka && \
+    mkdir /app/log && \
+    chown -R appuser:appuser /app
+
+WORKDIR /app/osm_pol
+
+# Changing the security context
+USER appuser
+
+########################################################################
 
 ENV OSMPOL_MESSAGE_DRIVER kafka
 ENV OSMPOL_MESSAGE_HOST kafka
diff --git a/installers/docker/osm_pods/pol.yaml b/installers/docker/osm_pods/pol.yaml
index 7f142255..5f562c24 100644
--- a/installers/docker/osm_pods/pol.yaml
+++ b/installers/docker/osm_pods/pol.yaml
@@ -30,6 +30,10 @@ spec:
       labels:
         app: pol
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
       initContainers:
       - name: kafka-mongo-test
         image: alpine:latest
@@ -47,10 +51,3 @@ spec:
         envFrom:
         - secretRef:
             name: pol-secret
-        volumeMounts:
-        - name: db
-          mountPath: /app/database
-        volumes:
-        - name: db
-          hostPath:
-            path: /var/lib/osm/osm_pol_db/_data
-- 
2.25.1
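Review bot: The UID/GID 1000 hard-coded in the `groupadd`/`useradd` lines must equal the `runAsUser`/`runAsGroup`/`fsGroup` values added to installers/docker/osm_pods/pol.yaml in the same commit, and nothing in either file records that coupling; a comment above the RUN such as `# UID/GID must match securityContext in installers/docker/osm_pods/pol.yaml` would keep them from drifting apart. Since appuser is a service account, `useradd -u 1000 -g 1000 -d /app -s /usr/sbin/nologin appuser` avoids giving it whatever login shell useradd assigns by default on this base image. `mkdir /app/log` is the only mkdir in the chain without `-p`; `mkdir -p /app/log` keeps the whole RUN idempotent like the other two. The `mkdir -p /app/osm_pol` is already satisfied by the preceding COPY into /app/osm_pol/scripts/, so it is redundant, though harmless.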
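Review bot: The new pod-level `securityContext` pins the UID/GID but does not set `runAsNonRoot: true`, so the kubelet will still start the container if a future image build drops the `USER appuser` line from docker/POL/Dockerfile; adding `runAsNonRoot: true` next to `runAsUser: 1000` makes the non-root intent enforceable rather than a property of the image alone. Because the block sits at pod level it also applies to the `kafka-mongo-test` init container, which presumably ran as root before this change; confirm its checks still succeed as UID 1000. The three values must stay equal to the ones created by the Dockerfile's `groupadd`/`useradd` lines, which a comment above `securityContext:`, `# must match the appuser UID/GID created in docker/POL/Dockerfile`, would document.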