From 5c9951dd741dbeef33038dd61717f13d6a8036c8 Mon Sep 17 00:00:00 2001 From: Dom Gibson Date: Tue, 9 Mar 2021 13:18:28 +0000 Subject: [PATCH 1/6] SCMOD-12755: Allow startup scripts to run as non-root user. --- src/main/docker/Dockerfile | 16 ++++++---------- src/main/docker/startup/startup.sh | 13 ++----------- 2 files changed, 8 insertions(+), 21 deletions(-) diff --git a/src/main/docker/Dockerfile b/src/main/docker/Dockerfile index 50e993d..1ceadd8 100644 --- a/src/main/docker/Dockerfile +++ b/src/main/docker/Dockerfile @@ -26,20 +26,16 @@ RUN zypper -n refresh && \ zypper -n install curl postgresql dejavu-fonts && \ zypper -n clean --all -# Install gosu -RUN gpg --batch --keyserver-options http-proxy=${env.HTTP_PROXY} --keyserver hkps://keys.openpgp.org \ - --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && \ - curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.12/gosu-amd64" && \ - curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.12/gosu-amd64.asc" && \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu && \ - rm /usr/local/bin/gosu.asc && \ - chmod +x /usr/local/bin/gosu +RUN chmod a+rwx /etc/pki/trust/anchors && \ + chmod -R a+rwx /var/lib/ca-certificates && \ + chmod -R a+rw /etc/ssl # Add scripts to be executed during startup COPY startup /startup -ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert.sh \ +ADD https://raw.githubusercontent.com/CAFapi/caf-common/SCMOD-12755/container-cert-script/install-ca-cert.sh \ /startup/startup.d/install-ca-cert-base.sh -RUN chmod +x /startup/* /startup/startup.d/* +RUN chmod +rx /startup/* /startup/startup.d/* && \ + mkdir -p /tmp/ssl && chmod a+rwx /tmp/ssl # Add Tini ENV TINI_VERSION v0.18.0 diff --git a/src/main/docker/startup/startup.sh b/src/main/docker/startup/startup.sh index 15986a3..8abdfc1 100644 --- a/src/main/docker/startup/startup.sh 
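Review bot: The three `chmod` lines that replace the gosu install make the system trust store world-writable (`a+rwx` on `/etc/pki/trust/anchors` and `/var/lib/ca-certificates`, `a+rw` recursively on `/etc/ssl`), so any process in the container — not only the startup script — can add or replace a trusted CA and defeat TLS verification for everything that runs in the image. The `ADD` in the same hunk also moves from the `v1.19.0` tag to the `SCMOD-12755` branch, a mutable reference fetched with no checksum, so the build is no longer reproducible and the installed script can change with no Dockerfile change. Both are undone later in this series (PATCH 3 drops the chmods, PATCH 4 replaces the ADD with a local COPY), but as committed this revision should not be built; if a remote ADD is ever kept, pin it to a tag or commit and verify its digest. `mkdir -p /tmp/ssl && chmod a+rwx /tmp/ssl` should at least be `chmod 1777 /tmp/ssl` so unrelated users cannot remove each other's files.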
+++ b/src/main/docker/startup/startup.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright 2017-2020 Micro Focus or one of its affiliates. +# Copyright 2017-2021 Micro Focus or one of its affiliates. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -36,13 +36,4 @@ done log "Startup scripts completed" -# If the RUNAS_USER environment variable is set, execute the specified command as that user. -if [ -n "$RUNAS_USER" ]; then - log "The RUNAS_USER environment variable has been set with a user named ${RUNAS_USER}. \ -Subsequent commands will be run as this user. \ -Please note that this user is expected to already exist, and will not be created." - exec /usr/local/bin/gosu $RUNAS_USER "$@" -else - log "The RUNAS_USER environment variable is not set, subsequent commands will be run as the default user." - exec "$@" -fi +exec "$@" From a6d7a32dc5b18a6d49c4b2df06e7805e947e1c46 Mon Sep 17 00:00:00 2001 From: Dom Gibson Date: Tue, 9 Mar 2021 13:30:15 +0000 Subject: [PATCH 2/6] fix --- src/main/docker/startup/startup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/docker/startup/startup.sh b/src/main/docker/startup/startup.sh index 8abdfc1..69ef9e2 100644 --- a/src/main/docker/startup/startup.sh +++ b/src/main/docker/startup/startup.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright 2017-2021 Micro Focus or one of its affiliates. +# Copyright 2017-2020 Micro Focus or one of its affiliates. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. From ac9cff269e195483f98bbe3d28d67470258fb224 Mon Sep 17 00:00:00 2001 From: Dom Gibson Date: Wed, 10 Mar 2021 10:58:03 +0000 Subject: [PATCH 3/6] Allow users to run specific commands as sudo --- src/main/docker/Dockerfile | 11 ++++------- src/main/docker/caf | 1 + 2 files changed, 5 insertions(+), 7 deletions(-) create mode 100644 src/main/docker/caf 
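Review bot: Dropping the `RUNAS_USER` branch means an image that still sets that variable now silently runs its command as the default user with no log line, a quiet behaviour change for derived images that relied on the documented gosu switch. Consider keeping a one-line warning before the exec, `if [ -n "$RUNAS_USER" ]; then log "RUNAS_USER is no longer supported; running as the current user"; fi`, so the change is visible in container logs, plus a comment above `exec "$@"` stating that the container is now expected to be started as the desired user. The `log` helper and the loop that ends at `done` are defined above this hunk.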
diff --git a/src/main/docker/Dockerfile b/src/main/docker/Dockerfile index 1ceadd8..fcdfd32 100644 --- a/src/main/docker/Dockerfile +++ b/src/main/docker/Dockerfile @@ -23,19 +23,16 @@ ENV LANG=en_US.utf8 # Update the OS packages, install cURL, postgreSQL client and dejavu-fonts RUN zypper -n refresh && \ zypper -n update && \ - zypper -n install curl postgresql dejavu-fonts && \ + zypper -n install curl postgresql dejavu-fonts sudo && \ zypper -n clean --all -RUN chmod a+rwx /etc/pki/trust/anchors && \ - chmod -R a+rwx /var/lib/ca-certificates && \ - chmod -R a+rw /etc/ssl - # Add scripts to be executed during startup COPY startup /startup ADD https://raw.githubusercontent.com/CAFapi/caf-common/SCMOD-12755/container-cert-script/install-ca-cert.sh \ /startup/startup.d/install-ca-cert-base.sh -RUN chmod +rx /startup/* /startup/startup.d/* && \ - mkdir -p /tmp/ssl && chmod a+rwx /tmp/ssl +RUN chmod -R +rx /startup/* /startup/startup.d/* && \ + groupadd CAF +COPY caf /etc/sudoers.d/caf # Add Tini ENV TINI_VERSION v0.18.0 diff --git a/src/main/docker/caf b/src/main/docker/caf new file mode 100644 index 0000000..cc69140 --- /dev/null +++ b/src/main/docker/caf @@ -0,0 +1 @@ + %CAF ALL=(ALL) NOPASSWD: /bin/cp * /etc/pki/trust/anchors*, /usr/sbin/update-ca-certificates From 7b298b3dc312cadd03e6746252011f5d29372ff6 Mon Sep 17 00:00:00 2001 From: Dom Gibson Date: Wed, 10 Mar 2021 15:05:53 +0000 Subject: [PATCH 4/6] code review --- README.md | 12 ----- release-notes-2.3.0.md | 5 +-- src/main/docker/Dockerfile | 8 ++-- src/main/docker/caf | 1 - .../docker/cert-scripts/install_ca_cert.sh | 44 +++++++++++++++++++ src/main/docker/permissions/caf | 1 + 6 files changed, 50 insertions(+), 21 deletions(-) delete mode 100644 src/main/docker/caf create mode 100644 src/main/docker/cert-scripts/install_ca_cert.sh create mode 100644 src/main/docker/permissions/caf diff --git a/README.md b/README.md index da8167d..771a7be 100644 --- a/README.md +++ b/README.md 
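Review bot: `COPY caf /etc/sudoers.d/caf` leaves the drop-in with whatever mode it had in the build context; sudo requires sudoers.d files to be root-owned and writable by nobody else, and the conventional mode is 0440, so follow the COPY with `chmod 0440 /etc/sudoers.d/caf` (the same applies to the COPYs in the PATCH 4 and PATCH 6 Dockerfile hunks). `groupadd CAF` creates an empty group, so the `%CAF` rule applies to no account until a derived image adds one; a comment such as `# Derived images must add their runtime user to group CAF for the CA-install startup script to work` would make that contract explicit. Installing `sudo` also puts a setuid binary into every derived image whether or not it installs CAs, which is a wider surface than the gosu approach it replaces and worth a sentence in the release notes.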
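Review bot: `/bin/cp * /etc/pki/trust/anchors*` is the wildcard shape the sudoers(5) manual warns against: in argument position `*` matches any string including spaces and slashes, so the rule accepts any cp options, any source path and any destination whose text merely begins with `/etc/pki/trust/anchors`, which amounts to unrestricted root-level file read and write for every member of `CAF`. The rewrites in PATCH 4 (`permissions/caf`) and PATCH 6 (`sudoers.d/install-ca-cert-base`) keep the same command pattern and change the user spec from `%CAF` to `ALL`, so there the grant extends to every account in the container. A safer shape is a root-owned wrapper script that takes no arguments, validates the certificate names itself (bare file names, regular files) before copying, and then runs `update-ca-certificates`, with sudoers allowing only that exact command: `%CAF ALL=(ALL) NOPASSWD: /usr/local/bin/install-ca-cert ""` (path illustrative; the trailing `""` forbids arguments). Such a wrapper should read the certificate list from a fixed file rather than the caller's environment, since sudo's default `env_reset` would drop `SSL_CA_CRT` unless it is explicitly preserved.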
@@ -11,18 +11,6 @@ This project builds an openSUSE-based image intended for use as a general servic ### DejaVu Fonts [DejaVu Fonts](https://dejavu-fonts.github.io/) is pre-installed in the container. The DejaVu fonts are a font family based on the Bitstream Vera Fonts. Its purpose is to provide a wider range of characters while maintaining the original look and feel through the process of collaborative development. -### Gosu -[Gosu](https://github.com/tianon/gosu/) is pre-installed in the container. Gosu allows derived images to run commands as a specified user, rather than as the default user. - -To use gosu, set the `RUNAS_USER` environment variable in the derived container's Dockerfile. Subsequent commands will then be run as the specified user: - -``` -ENV RUNAS_USER=my-user -CMD ["whoami"] # Outputs my-user -``` - -Note: the user specified by the `RUNAS_USER` is expected to already exist, and the `CMD` will fail if this is not the case. - ### Startup Scripts Any executable scripts added to the `/startup/startup.d/` directory will be automatically run each time the container is started (assuming the image entrypoint is not overwritten). diff --git a/release-notes-2.3.0.md b/release-notes-2.3.0.md index e57aa90..e9bf231 100644 --- a/release-notes-2.3.0.md +++ b/release-notes-2.3.0.md @@ -4,9 +4,8 @@ ${version-number} #### New Features -- SCMOD-11949: The [gosu](https://github.com/tianon/gosu/) tool is now available in the base image. - This tool allows derived images to run commands as a specified user, rather than as the default user. - See the [README.md](https://github.com/CAFapi/opensuse-base-image/blob/develop/README.md) for more details. +- SCMOD-12755: The pre-installed startup script no longer requires root permissions to run. This allows containers + built on this image to run as arbitrary users. #### Known Issues - None diff --git a/src/main/docker/Dockerfile b/src/main/docker/Dockerfile index fcdfd32..5369075 100644 --- a/src/main/docker/Dockerfile 
+++ b/src/main/docker/Dockerfile @@ -28,11 +28,9 @@ RUN zypper -n refresh && \ # Add scripts to be executed during startup COPY startup /startup -ADD https://raw.githubusercontent.com/CAFapi/caf-common/SCMOD-12755/container-cert-script/install-ca-cert.sh \ - /startup/startup.d/install-ca-cert-base.sh -RUN chmod -R +rx /startup/* /startup/startup.d/* && \ - groupadd CAF -COPY caf /etc/sudoers.d/caf +COPY cert-scripts/install_ca_cert.sh /startup/startup.d/install_ca_cert-base.sh +RUN chmod -R +rx /startup/* /startup/startup.d/* +COPY permissions/caf /etc/sudoers.d/caf # Add Tini ENV TINI_VERSION v0.18.0 diff --git a/src/main/docker/caf b/src/main/docker/caf deleted file mode 100644 index cc69140..0000000 --- a/src/main/docker/caf +++ /dev/null @@ -1 +0,0 @@ - %CAF ALL=(ALL) NOPASSWD: /bin/cp * /etc/pki/trust/anchors*, /usr/sbin/update-ca-certificates diff --git a/src/main/docker/cert-scripts/install_ca_cert.sh b/src/main/docker/cert-scripts/install_ca_cert.sh new file mode 100644 index 0000000..bcbfdee --- /dev/null +++ b/src/main/docker/cert-scripts/install_ca_cert.sh 
@@ -0,0 +1,44 @@ +#!/bin/bash +# +# Copyright 2015-2020 Micro Focus or one of its affiliates. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +MESOS_SANDBOX=${SSL_CA_CRT_DIR:-$MESOS_SANDBOX} + +copy_certs() { + IFS=',' read -a caFiles <<< "$SSL_CA_CRT" + + for caFile in "${caFiles[@]}" + do + if ! [ -e $MESOS_SANDBOX/$caFile ] + then + echo "CA Certificate at '$MESOS_SANDBOX/$caFile' not found" + echo "Aborting further system CA certificate load attempts." + exit 1 + fi + + echo "Installing CA Certificate on $1" + sudo cp -v $MESOS_SANDBOX/$caFile $2/$caFile.crt + done +} + +if [ -n "$MESOS_SANDBOX" ] && [ -n "$SSL_CA_CRT" ] +then + copy_certs "openSUSE" /etc/pki/trust/anchors + sudo update-ca-certificates +else + echo "Not installing CA Certificate." +fi + diff --git a/src/main/docker/permissions/caf b/src/main/docker/permissions/caf new file mode 100644 index 0000000..a94ba23 --- /dev/null +++ b/src/main/docker/permissions/caf @@ -0,0 +1 @@ + ALL ALL=(ALL) NOPASSWD: /bin/cp * /etc/pki/trust/anchors*, /usr/sbin/update-ca-certificates From 5107b031d018d9d99f83a04cc9619fe8f7f46898 Mon Sep 17 00:00:00 2001 From: Dom Gibson Date: Wed, 10 Mar 2021 15:23:48 +0000 Subject: [PATCH 5/6] fix license header --- src/main/docker/cert-scripts/install_ca_cert.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/docker/cert-scripts/install_ca_cert.sh b/src/main/docker/cert-scripts/install_ca_cert.sh index bcbfdee..ccb0ee9 100644 
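Review bot: The names taken from `SSL_CA_CRT` reach `[ -e $MESOS_SANDBOX/$caFile ]` and `sudo cp -v $MESOS_SANDBOX/$caFile $2/$caFile.crt` unquoted and unvalidated, so a value with spaces or glob characters is word-split and globbed, a leading `-` is parsed by cp as an option, and a `/` or `..` component copies from or to a location outside the sandbox and the anchors directory — and that copy runs as root through the accompanying sudoers rule. Quote every expansion, pass `--` to cp, require a regular file (`-f`) and reject names containing `/` before copying, use `read -r -a` so backslashes survive, and check the status of `sudo cp` and of `sudo update-ca-certificates`, whose failure is currently ignored so the container starts with an incomplete trust store. `exit 1` inside `copy_certs` ends the whole startup script, which looks intended; a comment saying so would help, since the caller in startup.sh is not in this hunk.
```shell
copy_certs() {
  local caFile
  IFS=',' read -r -a caFiles <<< "$SSL_CA_CRT"

  for caFile in "${caFiles[@]}"; do
    # Only bare file names are accepted: the copy below runs as root, so the
    # source must stay inside $MESOS_SANDBOX and the target inside $2.
    if [[ -z "$caFile" || "$caFile" == */* ]]; then
      echo "Refusing to install CA Certificate with unsafe name '$caFile'"
      exit 1
    fi
    if ! [ -f "$MESOS_SANDBOX/$caFile" ]; then
      echo "CA Certificate at '$MESOS_SANDBOX/$caFile' not found"
      echo "Aborting further system CA certificate load attempts."
      exit 1
    fi

    echo "Installing CA Certificate on $1"
    sudo cp -v -- "$MESOS_SANDBOX/$caFile" "$2/$caFile.crt" || exit 1
  done
}

if [ -n "$MESOS_SANDBOX" ] && [ -n "$SSL_CA_CRT" ]; then
  copy_certs "openSUSE" /etc/pki/trust/anchors
  sudo update-ca-certificates || exit 1
# … unchanged: else branch and fi …
```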
--- a/src/main/docker/cert-scripts/install_ca_cert.sh +++ b/src/main/docker/cert-scripts/install_ca_cert.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright 2015-2020 Micro Focus or one of its affiliates. +# Copyright 2017-2020 Micro Focus or one of its affiliates. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. From 68a7914d191d7a0b4c5f6f29a04234db06925705 Mon Sep 17 00:00:00 2001 From: Dom Gibson Date: Mon, 15 Mar 2021 09:43:09 +0000 Subject: [PATCH 6/6] review --- src/main/docker/Dockerfile | 3 +-- src/main/docker/permissions/caf | 1 - .../startup.d/install-ca-cert-base.sh} | 1 - src/main/docker/startup/startup.sh | 1 + src/main/docker/sudoers.d/install-ca-cert-base | 1 + 5 files changed, 3 insertions(+), 4 deletions(-) delete mode 100644 src/main/docker/permissions/caf rename src/main/docker/{cert-scripts/install_ca_cert.sh => startup/startup.d/install-ca-cert-base.sh} (99%) create mode 100644 src/main/docker/sudoers.d/install-ca-cert-base diff --git a/src/main/docker/Dockerfile b/src/main/docker/Dockerfile index 5369075..6ac17a2 100644 --- a/src/main/docker/Dockerfile +++ b/src/main/docker/Dockerfile @@ -28,9 +28,8 @@ RUN zypper -n refresh && \ # Add scripts to be executed during startup COPY startup /startup -COPY cert-scripts/install_ca_cert.sh /startup/startup.d/install_ca_cert-base.sh RUN chmod -R +rx /startup/* /startup/startup.d/* -COPY permissions/caf /etc/sudoers.d/caf +COPY sudoers.d/install-ca-cert-base /etc/sudoers.d/install-ca-cert-base # Add Tini ENV TINI_VERSION v0.18.0 diff --git a/src/main/docker/permissions/caf b/src/main/docker/permissions/caf deleted file mode 100644 index a94ba23..0000000 --- a/src/main/docker/permissions/caf +++ /dev/null @@ -1 +0,0 @@ - ALL ALL=(ALL) NOPASSWD: /bin/cp * /etc/pki/trust/anchors*, /usr/sbin/update-ca-certificates 
diff --git a/src/main/docker/cert-scripts/install_ca_cert.sh b/src/main/docker/startup/startup.d/install-ca-cert-base.sh similarity index 99% rename from src/main/docker/cert-scripts/install_ca_cert.sh rename to src/main/docker/startup/startup.d/install-ca-cert-base.sh index ccb0ee9..b173b14 100644 --- a/src/main/docker/cert-scripts/install_ca_cert.sh +++ b/src/main/docker/startup/startup.d/install-ca-cert-base.sh @@ -41,4 +41,3 @@ then else echo "Not installing CA Certificate." fi - diff --git a/src/main/docker/startup/startup.sh b/src/main/docker/startup/startup.sh index 69ef9e2..3bc354e 100644 --- a/src/main/docker/startup/startup.sh +++ b/src/main/docker/startup/startup.sh @@ -36,4 +36,5 @@ done log "Startup scripts completed" +# Execute the specified command exec "$@" diff --git a/src/main/docker/sudoers.d/install-ca-cert-base b/src/main/docker/sudoers.d/install-ca-cert-base new file mode 100644 index 0000000..4d8f31c --- /dev/null +++ b/src/main/docker/sudoers.d/install-ca-cert-base @@ -0,0 +1 @@ +ALL ALL=(ALL) NOPASSWD: /bin/cp * /etc/pki/trust/anchors*, /usr/sbin/update-ca-certificates