SCMOD-12755: Allow startup scripts to run as non-root user.

src/main/docker/Dockerfile.jdk

@@ -42,7 +42,7 @@ RUN cd $JAVA_HOME/jre/lib/security && \
 #
 # The actual image definition
 #
-FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SNAPSHOT
+FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SCMOD-12755-SNAPSHOT
 
 # Refresh the OS repositories and install OpenJDK 8 Development Kit
 RUN zypper -n refresh && \
@@ -51,10 +51,11 @@ RUN zypper -n refresh && \
     zypper al java-1_8_0-openjdk && \
     zypper -n clean --all
 
+COPY sudoers.d/install-ca-cert-java /etc/sudoers.d/install-ca-cert-java
+
 # Install Java certificate installation script
-ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert-java.sh \
-    /startup/startup.d/
-RUN chmod +x /startup/startup.d/install-ca-cert-java.sh
+COPY startup.d/install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh
+RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh
 
 # Set Java Home
 ENV JAVA_HOME=/usr/lib64/jvm/java-1.8.0-openjdk-1.8.0

src/main/docker/Dockerfile.jre

@@ -39,7 +39,7 @@ RUN cd /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/lib/security && \
 #
 # The actual image definition
 #
-FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SNAPSHOT
+FROM ${DOCKER_HUB_PUBLIC}/cafapi/prereleases:opensuse-base-2.3.0-SCMOD-12755-SNAPSHOT
 
 # Refresh the OS repositories and install OpenJDK 8 Runtime Environment 
 RUN zypper -n refresh && \
@@ -48,10 +48,11 @@ RUN zypper -n refresh && \
     zypper al java-1_8_0-openjdk && \
     zypper -n clean --all
 
+COPY sudoers.d/install-ca-cert-java /etc/sudoers.d/install-ca-cert-java
+
 # Install Java certificate installation script
-ADD https://raw.githubusercontent.com/CAFapi/caf-common/v1.19.0/container-cert-script/install-ca-cert-java.sh \
-    /startup/startup.d/
-RUN chmod +x /startup/startup.d/install-ca-cert-java.sh
+COPY startup.d/install-ca-cert-java.sh /startup/startup.d/install-ca-cert-java.sh
+RUN chmod +rx /startup/startup.d/install-ca-cert-java.sh
 
 # Set JRE Home
 ENV JRE_HOME=/usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre

src/main/docker/startup.d/install-ca-cert-java.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+#
+# Copyright 2017-2020 Micro Focus or one of its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+JAVA_KEYSTORE_PASSWORD=${JAVA_KEYSTORE_PASSWORD:-changeit}
+MESOS_SANDBOX=${SSL_CA_CRT_DIR:-$MESOS_SANDBOX}
+
+import_java_cert() {
+    echo "Importing CA cert into Java Keystore on $1"
+    sudo keytool -noprompt -keystore $2 -storepass $JAVA_KEYSTORE_PASSWORD -importcert -alias caf-ssl-ca-cert-$4 -file $3
+}
+
+import_java_certs() {
+    IFS=',' read -a caFiles <<< "$SSL_CA_CRT"
+
+    index=0
+    for caFile in "${caFiles[@]}"
+    do
+        if ! [ -e $MESOS_SANDBOX/$caFile ]
+        then
+            echo "CA Certificate at '$MESOS_SANDBOX/$caFile' not found"
+            echo "Aborting further Java CA certificate load attempts."
+            exit 1
+        fi
+
+        import_java_cert $1 $2 $MESOS_SANDBOX/$caFile $index
+	    (( index++ ))
+        echo "CA Certificate '$caFile' added to cacerts"
+    done
+}
+
+if [ -n "$MESOS_SANDBOX" ] && [ -n "$SSL_CA_CRT" ]
+then
+    import_java_certs "OpenSUSE" /usr/lib64/jvm/jre/lib/security/cacerts
+else
+    echo "Not installing CA Certificate for Java"
+fi

src/main/docker/sudoers.d/install-ca-cert-java

@@ -0,0 +1 @@
+ ALL ALL=(ALL) NOPASSWD: /usr/lib64/jvm/jre/bin/keytool