diff --git a/README.md b/README.md
index da8167d..771a7be 100644
--- a/README.md
+++ b/README.md
@@ -11,18 +11,6 @@ This project builds an openSUSE-based image intended for use as a general servic
 ### DejaVu Fonts
 [DejaVu Fonts](https://dejavu-fonts.github.io/) is pre-installed in the container. The DejaVu fonts are a font family based on the Bitstream Vera Fonts. Its purpose is to provide a wider range of characters while maintaining the original look and feel through the process of collaborative development.
-### Gosu
-[Gosu](https://github.com/tianon/gosu/) is pre-installed in the container. Gosu allows derived images to run commands as a specified user, rather than as the default user.
-
-To use gosu, set the `RUNAS_USER` environment variable in the derived container's Dockerfile. Subsequent commands will then be run as the specified user:
-
-```
-ENV RUNAS_USER=my-user
-CMD ["whoami"] # Outputs my-user
-```
-
-Note: the user specified by the `RUNAS_USER` is expected to already exist, and the `CMD` will fail if this is not the case.
-
 ### Startup Scripts
 Any executable scripts added to the `/startup/startup.d/` directory will be automatically run each time the container is started (assuming the image entrypoint is not overwritten).
diff --git a/release-notes-2.4.0.md b/release-notes-2.4.0.md
index b365463..9b7e473 100644
--- a/release-notes-2.4.0.md
+++ b/release-notes-2.4.0.md
@@ -4,5 +4,7 @@ ${version-number}
 #### New Features
+- SCMOD-12755: The pre-installed startup script no longer requires root permissions to run. This allows containers
+ built on this image to run as arbitrary users.
 #### Known Issues
diff --git a/src/main/docker/Dockerfile b/src/main/docker/Dockerfile
index 19bb32e..83b354f 100644
--- a/src/main/docker/Dockerfile
+++ b/src/main/docker/Dockerfile
@@ -23,23 +23,13 @@ ENV LANG=en_US.utf8
 # Update the OS packages, install cURL, postgreSQL client and dejavu-fonts
 RUN zypper -n refresh && \
 zypper -n update && \
- zypper -n install curl postgresql dejavu-fonts && \
+ zypper -n install curl postgresql dejavu-fonts sudo && \
 zypper -n clean --all
-# Install gosu
-RUN gpg --batch --keyserver-options http-proxy=${env.HTTP_PROXY} --keyserver hkps://keys.openpgp.org \
- --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && \
- curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.12/gosu-amd64" && \
- curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.12/gosu-amd64.asc" && \
- gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu && \
- rm /usr/local/bin/gosu.asc && \
- chmod +x /usr/local/bin/gosu
-
 # Add scripts to be executed during startup
 COPY startup /startup
-ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert.sh \
- /startup/startup.d/install-ca-cert-base.sh
-RUN chmod +x /startup/* /startup/startup.d/*
+RUN chmod -R +rx /startup/* /startup/startup.d/*
+COPY sudoers.d/install-ca-cert-base /etc/sudoers.d/install-ca-cert-base
 # Add Tini
 ENV TINI_VERSION v0.18.0
diff --git a/src/main/docker/startup/startup.d/install-ca-cert-base.sh b/src/main/docker/startup/startup.d/install-ca-cert-base.sh
new file mode 100644
index 0000000..b173b14
--- /dev/null
+++ b/src/main/docker/startup/startup.d/install-ca-cert-base.sh
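Review bot: `COPY sudoers.d/install-ca-cert-base /etc/sudoers.d/install-ca-cert-base` installs the drop-in with whatever mode it carries in the build context (typically 0644) and never validates it; sudo expects sudoers.d entries to be root-owned and mode 0440 and, as far as I recall, refuses or ignores anything looser, so the new non-root certificate install would break at container start rather than at image build. Add `RUN chmod 0440 /etc/sudoers.d/install-ca-cert-base && visudo -cf /etc/sudoers.d/install-ca-cert-base` directly after the COPY so a wrong mode or a syntax error in the rule fails the build. The `chmod -R +rx /startup/*` line is fine for scripts, but note it also grants execute to every user, which is what the non-root startup relies on, so it is worth a one-line comment saying so.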
@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# Copyright 2017-2020 Micro Focus or one of its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+MESOS_SANDBOX=${SSL_CA_CRT_DIR:-$MESOS_SANDBOX}
+
+copy_certs() {
+ IFS=',' read -a caFiles <<< "$SSL_CA_CRT"
+
+ for caFile in "${caFiles[@]}"
+ do
+ if ! [ -e $MESOS_SANDBOX/$caFile ]
+ then
+ echo "CA Certificate at '$MESOS_SANDBOX/$caFile' not found"
+ echo "Aborting further system CA certificate load attempts."
+ exit 1
+ fi
+
+ echo "Installing CA Certificate on $1"
+ sudo cp -v $MESOS_SANDBOX/$caFile $2/$caFile.crt
+ done
+}
+
+if [ -n "$MESOS_SANDBOX" ] && [ -n "$SSL_CA_CRT" ]
+then
+ copy_certs "openSUSE" /etc/pki/trust/anchors
+ sudo update-ca-certificates
+else
+ echo "Not installing CA Certificate."
+fi
diff --git a/src/main/docker/startup/startup.sh b/src/main/docker/startup/startup.sh
index 6eb160b..7640c4b 100644
--- a/src/main/docker/startup/startup.sh
+++ b/src/main/docker/startup/startup.sh
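Review bot: The certificate names taken from `SSL_CA_CRT` reach `sudo cp -v $MESOS_SANDBOX/$caFile $2/$caFile.crt` unquoted and unvalidated, so a name containing `/` or `..` makes root write outside `/etc/pki/trust/anchors` (the companion sudoers rule only checks the destination argument's textual prefix, not the resolved path), and a name with spaces splits into extra `cp` operands. `copy_certs` should reject anything that is not a plain file name before calling `sudo`, quote both paths, and pass `--` so a leading `-` cannot become an option; `read -r` also avoids backslash mangling. The `$MESOS_SANDBOX` source side is read as root too, so I would keep the `-e` check but treat the name check as the real boundary. The rest of the hunk (the top-level `if` that calls `copy_certs` and `update-ca-certificates`) can stay as is.
```shell
copy_certs() {
 IFS=',' read -r -a caFiles <<< "$SSL_CA_CRT"

 for caFile in "${caFiles[@]}"
 do
 # Only plain file names are acceptable: the sudoers rule restricts the
 # destination by textual prefix, so '/' or '..' in the name would let
 # cp write outside /etc/pki/trust/anchors as root.
 case "$caFile" in
 ""|*/*|*..*|-*)
 echo "Refusing CA Certificate name '$caFile'"
 exit 1
 ;;
 esac

 if ! [ -e "$MESOS_SANDBOX/$caFile" ]
 then
 # … unchanged: not-found messages and exit 1 …
 fi

 echo "Installing CA Certificate on $1"
 sudo cp -v -- "$MESOS_SANDBOX/$caFile" "$2/$caFile.crt"
 done
}
```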
@@ -36,13 +36,5 @@ done
 log "Startup scripts completed"
-# If the RUNAS_USER environment variable is set, execute the specified command as that user.
-if [ -n "$RUNAS_USER" ]; then
- log "The RUNAS_USER environment variable has been set with a user named ${RUNAS_USER}. \
-Subsequent commands will be run as this user. \
-Please note that this user is expected to already exist, and will not be created."
- exec /usr/local/bin/gosu $RUNAS_USER "$@"
-else
- log "The RUNAS_USER environment variable is not set, subsequent commands will be run as the default user."
- exec "$@"
-fi
+# Execute the specified command
+exec "$@"
diff --git a/src/main/docker/sudoers.d/install-ca-cert-base b/src/main/docker/sudoers.d/install-ca-cert-base
new file mode 100644
index 0000000..4d8f31c
--- /dev/null
+++ b/src/main/docker/sudoers.d/install-ca-cert-base
@@ -0,0 +1 @@
+ALL ALL=(ALL) NOPASSWD: /bin/cp * /etc/pki/trust/anchors*, /usr/sbin/update-ca-certificates
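Review bot: `exec "$@"` now ignores `RUNAS_USER` without any diagnostic, so a deployment that still sets it to drop privileges will run its command as the image's current user (root unless a derived image changes it) and nothing in the log says so. Before the `exec`, make the silent change of effective user visible: `if [ -n "$RUNAS_USER" ]; then log "RUNAS_USER is no longer supported; running as $(id -un)"; fi`. The `log` helper and the loop that the hunk header's `done` closes are defined outside this hunk, so I am assuming `log` is still available at this point.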
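Review bot: `/bin/cp * /etc/pki/trust/anchors*` is effectively an unrestricted root `cp`, not a copy-into-anchors rule: sudoers matches the argument list as one space-delimited string, so the leading `*` absorbs any options and extra operands and the trailing `*` accepts paths such as `/etc/pki/trust/anchors/../../../passwd`, and `sudo cp -t /etc /tmp/passwd /etc/pki/trust/anchors/` satisfies the rule while overwriting `/etc/passwd`. Because the rule is granted to `ALL` users with `NOPASSWD`, every process in the container gets a passwordless path to root, which undoes the point of running as a non-root user. Replace the argument wildcards with an argument-free, root-owned wrapper that reads the certificate list from the environment and validates the names itself, and restrict the rule to it, e.g. `Defaults!/usr/local/sbin/install-ca-certs env_keep += "SSL_CA_CRT SSL_CA_CRT_DIR MESOS_SANDBOX"` followed by `ALL ALL=(root) NOPASSWD: /usr/local/sbin/install-ca-certs "", /usr/sbin/update-ca-certificates`. Whatever the final rule is, run `visudo -cf` on this file at image build time so a syntax error cannot disable sudo at runtime.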