From 7f3a9c5b2c967942c0228515ae1bd89b4083321d Mon Sep 17 00:00:00 2001
From: pmatun-xl
Date: Thu, 23 May 2024 14:13:41 +0200
Subject: [PATCH 1/5] S-109087 Support random UID
---
 templates/dockerfiles/install.j2 | 7 +------
 templates/dockerfiles/runtime.j2 | 14 ++++++++------
 templates/dockerfiles/variables.j2 | 3 +--
 3 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/templates/dockerfiles/install.j2 b/templates/dockerfiles/install.j2
index b7d93fc05..139c6877c 100644
--- a/templates/dockerfiles/install.j2
+++ b/templates/dockerfiles/install.j2
@@ -73,12 +73,7 @@ RUN mv ${APP_HOME}/plugins ${APP_HOME}/default-plugins && \
 mkdir ${APP_HOME}/repository ${APP_HOME}/export ${APP_HOME}/archive ${APP_HOME}/work ${APP_HOME}/reports
 # Set permissions
-{%- if target_os == "redhat" %} RUN groupadd -r -g 10001 xebialabs && \ {%- else %} RUN addgroup -S -g 10001 xebialabs && \ {%- endif %}
- chown -R 10001:10001 ${APP_ROOT} && \
+RUN chgrp -R 0 ${APP_ROOT} && \
 chmod -R g=u ${APP_ROOT} && \
 chmod u+x ${APP_HOME}/bin/*.sh && \
 chmod g+x ${APP_HOME}/bin/*.sh
diff --git a/templates/dockerfiles/runtime.j2 b/templates/dockerfiles/runtime.j2
index c376cd82e..1ed4ee981 100644
--- a/templates/dockerfiles/runtime.j2
+++ b/templates/dockerfiles/runtime.j2
@@ -3,10 +3,14 @@
 RUN echo $'\n#\n# Set TTL for DNS cache.\nnetworkaddress.cache.ttl=30' >> $(readlink -f `which java` | sed -e 's:/jre/bin/java::' -e 's:/bin/java::')/conf/security/java.security
 COPY resources/amd64/tini ${APP_ROOT}
-# Don't run as root and set permissions
-RUN chmod ugo+x ${APP_ROOT}/tini && \
- groupadd -f -r -g 10001 xebialabs && \
- useradd -r -M -u 10001 -g 0 -G xebialabs xebialabs
+RUN chmod ugo+x ${APP_ROOT}/tini
+
+# Add xebialabs user but do not switch to it
+RUN groupadd -r -g 10001 xebialabs && \
+ useradd -r -u 10001 -g xebialabs xebialabs
+
+# Ensure all necessary directories are writable
+RUN chmod -R u+rwx ${APP_HOME}
 WORKDIR ${APP_HOME}
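Review bot: `chmod -R g=u ${APP_ROOT}` on the new RUN line copies the owner's write bit to group 0 for the whole tree, so the launcher scripts in `${APP_HOME}/bin` and the bundled `default-plugins` become writable by every process carrying GID 0, which on OpenShift is every arbitrary UID this change is meant to support. Only the directories the server writes at runtime need group write; keeping the rest read/execute for the group stops a compromised app process from rewriting its own start-up scripts or plugin set inside a running container. A narrower form is `chmod -R g=rX ${APP_ROOT} && chmod -R g=u ${APP_HOME}/repository ${APP_HOME}/export ${APP_HOME}/archive ${APP_HOME}/work ${APP_HOME}/reports` placed before the existing `chmod u+x`/`chmod g+x` lines; extend the list with conf, log or plugins if the server writes there at start-up, which this hunk does not show.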
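Review bot: The new `useradd -r -u 10001 -g xebialabs xebialabs` makes GID 10001 the user's primary group, while the install stage in this same patch stops chowning to 10001 and grants access only through group 0 (`chgrp -R 0` + `chmod -R g=u`); a container started as the built-in user is then neither the owner nor in group 0, so the data directories under APP_HOME are read-only for it unless something outside this hunk (a `COPY --chown`, or OpenShift adding the root group at runtime) compensates. The removed line kept `-g 0` for exactly that reason, so restore it: `useradd -r -M -u 10001 -g 0 -G xebialabs xebialabs`. The `-f` on `groupadd` was dropped as well, which makes the build fail if the base image already ships a `xebialabs` group; `groupadd -f -r -g 10001 xebialabs` keeps that step idempotent.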
@@ -14,8 +18,6 @@ WORKDIR ${APP_HOME}
 {{- 'ENV ' if loop.first else ' ' -}}{{ [env['key'], env['value']]|join('=') }}{{ ' \\' if not loop.last else '' }}
 {% endfor %}
-USER 10001
-
 VOLUME ["{{ volumes|join('", "') }}"]
 EXPOSE ${APP_PORT}
diff --git a/templates/dockerfiles/variables.j2 b/templates/dockerfiles/variables.j2
index 63f5911bb..6c369cf06 100644
--- a/templates/dockerfiles/variables.j2
+++ b/templates/dockerfiles/variables.j2
@@ -1,4 +1,3 @@
 # Set root folders
-ENV USER_UID=10001 \
- APP_ROOT=/opt/xebialabs \
+ENV APP_ROOT=/opt/xebialabs \
 APP_HOME=/opt/xebialabs/{{ product }}-server
From 71125c7b0358b9776861b6f609e5c8ec6878fb58 Mon Sep 17 00:00:00 2001
From: pmatun-xl
Date: Thu, 23 May 2024 14:45:36 +0200
Subject: [PATCH 2/5] S-109087 Support random UID - removed unnecessary lines
---
 templates/dockerfiles/runtime.j2 | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/templates/dockerfiles/runtime.j2 b/templates/dockerfiles/runtime.j2
index 1ed4ee981..755cc288a 100644
--- a/templates/dockerfiles/runtime.j2
+++ b/templates/dockerfiles/runtime.j2
@@ -9,9 +9,6 @@ RUN chmod ugo+x ${APP_ROOT}/tini
 RUN groupadd -r -g 10001 xebialabs && \
 useradd -r -u 10001 -g xebialabs xebialabs
-# Ensure all necessary directories are writable
-RUN chmod -R u+rwx ${APP_HOME}
-
 WORKDIR ${APP_HOME}
 {% for env in environment %}
From 23fe2a143ee6ee31fd66dee356c248836f257f74 Mon Sep 17 00:00:00 2001
From: Vedran Pugar
Date: Thu, 23 May 2024 19:14:03 +0200
Subject: [PATCH 3/5] add back default user
---
 templates/dockerfiles/central-configuration/install.j2 | 6 +-----
 templates/dockerfiles/deploy-task-engine/install.j2 | 6 +-----
 templates/dockerfiles/deploy-task-engine/variables.j2 | 3 +--
 templates/dockerfiles/runtime.j2 | 2 ++
 4 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/templates/dockerfiles/central-configuration/install.j2 b/templates/dockerfiles/central-configuration/install.j2
index eb67232ff..fc246bb42 100644
--- a/templates/dockerfiles/central-configuration/install.j2
+++ b/templates/dockerfiles/central-configuration/install.j2
@@ -40,11 +40,7 @@ RUN chmod +x /tmp/modify-wrapper-linux-conf.gawk && \
 rm /tmp/modify-wrapper-linux-conf.gawk
 # Set permissions
-{%- if target_os == "redhat" %}
-RUN groupadd -r -g 10001 xebialabs && \
-{%- else %}
-RUN addgroup -S -g 10001 xebialabs && \
-{%- endif %}
+RUN chgrp -R 0 ${APP_ROOT} && \
 chown -R 10001:10001 ${APP_ROOT} && \
 chmod -R g=u ${APP_ROOT} && \
 chmod u+x ${APP_HOME}/bin/*.sh && \
diff --git a/templates/dockerfiles/deploy-task-engine/install.j2 b/templates/dockerfiles/deploy-task-engine/install.j2
index e008ba9ce..91d93f526 100644
--- a/templates/dockerfiles/deploy-task-engine/install.j2
+++ b/templates/dockerfiles/deploy-task-engine/install.j2
@@ -49,11 +49,7 @@ RUN mv ${APP_HOME}/plugins ${APP_HOME}/default-plugins && \
 mkdir ${APP_HOME}/repository ${APP_HOME}/export ${APP_HOME}/archive ${APP_HOME}/work ${APP_HOME}/reports
 # Set permissions
-{%- if target_os == "redhat" %}
-RUN groupadd -r -g 10001 xebialabs && \
-{%- else %}
-RUN addgroup -S -g 10001 xebialabs && \
-{%- endif %}
+RUN chgrp -R 0 ${APP_ROOT} && \
 chown -R 10001:10001 ${APP_ROOT} && \
 chmod -R g=u ${APP_ROOT} && \
 chmod u+x ${APP_HOME}/bin/*.sh && \
diff --git a/templates/dockerfiles/deploy-task-engine/variables.j2 b/templates/dockerfiles/deploy-task-engine/variables.j2
index 05dc10aea..3392fdab1 100644
--- a/templates/dockerfiles/deploy-task-engine/variables.j2
+++ b/templates/dockerfiles/deploy-task-engine/variables.j2
@@ -1,4 +1,3 @@
 # Set root folders
-ENV USER_UID=10001 \
- APP_ROOT=/opt/xebialabs \
+ENV APP_ROOT=/opt/xebialabs \
 APP_HOME=/opt/xebialabs/{{ product }}
diff --git a/templates/dockerfiles/runtime.j2 b/templates/dockerfiles/runtime.j2
index 755cc288a..8d50e1911 100644
--- a/templates/dockerfiles/runtime.j2
+++ b/templates/dockerfiles/runtime.j2
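Review bot: The `# Set permissions` block this hunk produces is, line for line, the `chgrp -R 0` / `chmod -R g=u` / `chmod u+x,g+x ${APP_HOME}/bin/*.sh` sequence already written into `templates/dockerfiles/install.j2` and into the deploy-task-engine template in this same patch, with only the kept `chown -R 10001:10001` line differing (it reassigns the group to 10001 right after `chgrp -R 0`, which a later commit in this series removes). Three hand-maintained copies of the ownership model are how one of them drifts from the arbitrary-UID contract; if the generator supports it, move the block into one shared snippet and pull it in with `{% include 'permissions.j2' %}` from each install template. The enclosing `RUN` is a multi-line command that continues past the end of the hunk.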
@@ -15,6 +15,8 @@ WORKDIR ${APP_HOME}
 {{- 'ENV ' if loop.first else ' ' -}}{{ [env['key'], env['value']]|join('=') }}{{ ' \\' if not loop.last else '' }}
 {% endfor %}
+USER 10001
+
 VOLUME ["{{ volumes|join('", "') }}"]
 EXPOSE ${APP_PORT}
From c967c41c3f59bea860ea926666f7ffd6653b059c Mon Sep 17 00:00:00 2001
From: pmatun-xl <102291858+pmatun-xl@users.noreply.github.com>
Date: Fri, 24 May 2024 08:53:20 +0200
Subject: [PATCH 4/5] Update install.j2 for deploy task engine
---
 templates/dockerfiles/deploy-task-engine/install.j2 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/templates/dockerfiles/deploy-task-engine/install.j2 b/templates/dockerfiles/deploy-task-engine/install.j2
index 91d93f526..4c75e7b7e 100644
--- a/templates/dockerfiles/deploy-task-engine/install.j2
+++ b/templates/dockerfiles/deploy-task-engine/install.j2
@@ -50,7 +50,6 @@ RUN mv ${APP_HOME}/plugins ${APP_HOME}/default-plugins && \
 # Set permissions
 RUN chgrp -R 0 ${APP_ROOT} && \
- chown -R 10001:10001 ${APP_ROOT} && \
 chmod -R g=u ${APP_ROOT} && \
 chmod u+x ${APP_HOME}/bin/*.sh && \
 chmod g+x ${APP_HOME}/bin/*.sh
From d4c4a1f5be31b5bf7b244efe20dc145cd459529f Mon Sep 17 00:00:00 2001
From: pmatun-xl <102291858+pmatun-xl@users.noreply.github.com>
Date: Fri, 24 May 2024 08:53:49 +0200
Subject: [PATCH 5/5] Update install.j2 for cc
---
 templates/dockerfiles/central-configuration/install.j2 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/templates/dockerfiles/central-configuration/install.j2 b/templates/dockerfiles/central-configuration/install.j2
index fc246bb42..96e1d7b4a 100644
--- a/templates/dockerfiles/central-configuration/install.j2
+++ b/templates/dockerfiles/central-configuration/install.j2
@@ -41,7 +41,6 @@ RUN chmod +x /tmp/modify-wrapper-linux-conf.gawk && \
 # Set permissions
 RUN chgrp -R 0 ${APP_ROOT} && \
- chown -R 10001:10001 ${APP_ROOT} && \
 chmod -R g=u ${APP_ROOT} && \
 chmod u+x ${APP_HOME}/bin/*.sh && \
 chmod g+x ${APP_HOME}/bin/*.sh && \
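Review bot: The re-added `USER 10001` takes its group from the passwd entry, and earlier in this file the user is now created with `useradd -g xebialabs`, so the container's default identity is UID 10001 with GID 10001 while the install stages in this series only grant write access through group 0 (`chgrp -R 0` + `chmod -R g=u`). On OpenShift this goes unnoticed because the platform always runs the container user as a member of the root group, but a plain `docker run` or a Kubernetes pod without `runAsGroup: 0` gets a default user that cannot write its own data directories. Pinning the group in the directive makes the permission model independent of the passwd entry: `USER 10001:0`.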