SCMOD-12755: Allow startup scripts to run as non-root user.

README.md

@@ -11,18 +11,6 @@ This project builds an openSUSE-based image intended for use as a general servic
 ### DejaVu Fonts
 [DejaVu Fonts](https://dejavu-fonts.github.io/) is pre-installed in the container. The DejaVu fonts are a font family based on the Bitstream Vera Fonts. Its purpose is to provide a wider range of characters while maintaining the original look and feel through the process of collaborative development.
 
-### Gosu
-[Gosu](https://github.com/tianon/gosu/) is pre-installed in the container. Gosu allows derived images to run commands as a specified user, rather than as the default user.  
-
-To use gosu, set the `RUNAS_USER` environment variable in the derived container's Dockerfile. Subsequent commands will then be run as the specified user:
-
-```
-ENV RUNAS_USER=my-user
-CMD ["whoami"] # Outputs my-user
-```
-
-Note: the user specified by the `RUNAS_USER` is expected to already exist, and the `CMD` will fail if this is not the case.
-
 ### Startup Scripts
 Any executable scripts added to the `/startup/startup.d/` directory will be automatically run each time the container is started (assuming the image entrypoint is not overwritten).
 

release-notes-2.4.0.md

@@ -4,5 +4,7 @@
 ${version-number}
 
 #### New Features
+- SCMOD-12755: The pre-installed startup script no longer requires root permissions to run. This allows containers 
+  built on this image to run as arbitrary users.
 
 #### Known Issues

src/main/docker/Dockerfile

@@ -23,23 +23,13 @@ ENV LANG=en_US.utf8
 # Update the OS packages, install cURL, postgreSQL client and dejavu-fonts
 RUN zypper -n refresh && \
     zypper -n update && \
-    zypper -n install curl postgresql dejavu-fonts && \
+    zypper -n install curl postgresql dejavu-fonts sudo && \
     zypper -n clean --all
 
-# Install gosu
-RUN gpg --batch --keyserver-options http-proxy=${env.HTTP_PROXY} --keyserver hkps://keys.openpgp.org \
-      --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && \
-    curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.12/gosu-amd64" && \
-    curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.12/gosu-amd64.asc" && \
-    gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu && \
-    rm /usr/local/bin/gosu.asc && \
-    chmod +x /usr/local/bin/gosu
-
 # Add scripts to be executed during startup
 COPY startup /startup
-ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert.sh \
-    /startup/startup.d/install-ca-cert-base.sh
-RUN chmod +x /startup/* /startup/startup.d/*
+RUN chmod -R +rx /startup/* /startup/startup.d/*
+COPY sudoers.d/install-ca-cert-base /etc/sudoers.d/install-ca-cert-base
 
 # Add Tini
 ENV TINI_VERSION v0.18.0

src/main/docker/startup/startup.d/install-ca-cert-base.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# Copyright 2017-2020 Micro Focus or one of its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+MESOS_SANDBOX=${SSL_CA_CRT_DIR:-$MESOS_SANDBOX}
+
+copy_certs() {
+    IFS=',' read -a caFiles <<< "$SSL_CA_CRT"
+
+    for caFile in "${caFiles[@]}"
+    do
+        if ! [ -e $MESOS_SANDBOX/$caFile ]
+        then
+            echo "CA Certificate at '$MESOS_SANDBOX/$caFile' not found"
+            echo "Aborting further system CA certificate load attempts."
+            exit 1
+        fi
+
+        echo "Installing CA Certificate on $1"
+        sudo cp -v $MESOS_SANDBOX/$caFile $2/$caFile.crt
+    done
+}
+
+if [ -n "$MESOS_SANDBOX" ] && [ -n "$SSL_CA_CRT" ]
+then
+    copy_certs "openSUSE" /etc/pki/trust/anchors
+    sudo update-ca-certificates
+else
+    echo "Not installing CA Certificate."
+fi

src/main/docker/startup/startup.sh

@@ -36,13 +36,5 @@ done
 
 log "Startup scripts completed"
 
-# If the RUNAS_USER environment variable is set, execute the specified command as that user.
-if [ -n "$RUNAS_USER" ]; then
-    log "The RUNAS_USER environment variable has been set with a user named ${RUNAS_USER}. \
-Subsequent commands will be run as this user. \
-Please note that this user is expected to already exist, and will not be created."
-    exec /usr/local/bin/gosu $RUNAS_USER "$@"
-else
-    log "The RUNAS_USER environment variable is not set, subsequent commands will be run as the default user."
-    exec "$@"
-fi
+# Execute the specified command
+exec "$@"

src/main/docker/sudoers.d/install-ca-cert-base

@@ -0,0 +1 @@
+ALL ALL=(ALL) NOPASSWD: /bin/cp * /etc/pki/trust/anchors*, /usr/sbin/update-ca-certificates