From f2cbe96c42631eaf177f9e650247394c934ded1d Mon Sep 17 00:00:00 2001 From: Ozan Gunalp Date: Tue, 13 Feb 2024 17:06:08 +0100 Subject: [PATCH] Run solace container with a non-root user for podman compatibility The user gets ownership of the /var/lib/solace directory --- .../DevServicesSolaceProcessor.java | 29 ++++++++++++++----- .../deployment/test/SolaceContainer.java | 8 +++-- .../messaging/base/SolaceContainer.java | 8 +++-- 3 files changed, 33 insertions(+), 12 deletions(-) diff --git a/quarkus-solace-client/deployment/src/main/java/com/solace/quarkus/deployment/DevServicesSolaceProcessor.java b/quarkus-solace-client/deployment/src/main/java/com/solace/quarkus/deployment/DevServicesSolaceProcessor.java index 0ea8489..5834024 100644 --- a/quarkus-solace-client/deployment/src/main/java/com/solace/quarkus/deployment/DevServicesSolaceProcessor.java +++ b/quarkus-solace-client/deployment/src/main/java/com/solace/quarkus/deployment/DevServicesSolaceProcessor.java @@ -2,6 +2,7 @@ import static io.quarkus.runtime.LaunchMode.DEVELOPMENT; +import java.io.IOException; import java.time.Duration; import java.util.List; import java.util.Map; @@ -14,7 +15,7 @@ import org.testcontainers.containers.wait.strategy.Wait; import org.testcontainers.utility.DockerImageName; -import com.github.dockerjava.api.model.Ulimit; +import com.github.dockerjava.api.command.InspectContainerResponse; import io.quarkus.deployment.IsNormal; import io.quarkus.deployment.annotations.BuildStep; 
@@ -211,13 +212,9 @@ public QuarkusSolaceContainer(DockerImageName dockerImageName, String serviceNam addExposedPort(2222); // SSH connection to CLI withCreateContainerCmdModifier(cmd -> { - cmd.getHostConfig().withShmSize((long) Math.pow(1024, 3)) - .withUlimits(new Ulimit[] { - new Ulimit("core", -1, -1), - new Ulimit("memlock", -1, -1), - new Ulimit("nofile", 2448L, 42192L), - }) - .withCpusetCpus("0-1") + cmd.withUser("1000"); + cmd.getHostConfig() + .withShmSize((long) Math.pow(1024, 3)) .withMemorySwap(-1L) .withMemoryReservation(0L); }); @@ -245,6 +242,11 @@ protected void configure() { } } + @Override + protected void containerIsStarted(InspectContainerResponse containerInfo) { + executeCommand("chown 1000:0 -R /var/lib/solace"); + } + public int getPort() { if (useSharedNetwork) { return 55555; @@ -257,6 +259,17 @@ public int getPort() { public String getHost() { return useSharedNetwork ? hostName : super.getHost(); } + + private void executeCommand(String... command) { + try { + ExecResult execResult = execInContainer(command); + if (execResult.getExitCode() != 0) { + logger().error("Could not execute command {}: {}", command, execResult.getStderr()); + } + } catch (IOException | InterruptedException e) { + logger().error("Could not execute command {}: {}", command, e.getMessage()); + } + } } private static class SolaceDevServiceConfig { diff --git a/quarkus-solace-client/deployment/src/test/java/com/solace/quarkus/deployment/test/SolaceContainer.java b/quarkus-solace-client/deployment/src/test/java/com/solace/quarkus/deployment/test/SolaceContainer.java index 7853299..8f95158 100644 --- a/quarkus-solace-client/deployment/src/test/java/com/solace/quarkus/deployment/test/SolaceContainer.java +++ b/quarkus-solace-client/deployment/src/test/java/com/solace/quarkus/deployment/test/SolaceContainer.java 
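Review bot: The modifier in the `QuarkusSolaceContainer` constructor now drops the `core`, `memlock` and `nofile` ulimits and `withCpusetCpus("0-1")` with no comment saying why, so the broker silently runs with whatever limits the container runtime applies by default. If they were removed because a rootless runtime cannot set them, say so above `cmd.withUser("1000")`, e.g. `// non-root uid for rootless podman; ulimits/cpuset removed because <reason>`. The uid is also a bare literal repeated in the `chown 1000:0` call added further down; a shared constant such as `private static final String SOLACE_UID = "1000";` would keep the two in step. The same applies to the constructor hunks in both test `SolaceContainer.java` files, which additionally gain `withMemorySwap(-1L)` and `withMemoryReservation(0L)` that the commit message does not mention. The constructor starts outside this hunk.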
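Review bot: `executeCommand("chown 1000:0 -R /var/lib/solace")` passes the whole command line as one argument, and `executeCommand` hands its varargs straight to `execInContainer`, which treats each element as one argv entry, so the exec looks for an executable with that full name instead of running `chown`; the existing `cp` calls in the test containers pass each argument separately. Use `executeCommand("chown", "-R", "1000:0", "/var/lib/solace");`. Two further things to check: with `cmd.withUser("1000")` set, the exec presumably runs as uid 1000 as well, which cannot take ownership of files owned by another user, and Testcontainers calls `containerIsStarted` only after the wait strategy has passed, so the broker has already started before ownership changes. Because `executeCommand` only logs failures, none of this stops the start, and the container can end up running with the ownership change never applied. The same call is added in the `containerIsStarted` hunks of both test `SolaceContainer.java` files.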
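Review bot: The `catch (IOException | InterruptedException e)` in the new `executeCommand` swallows the interrupt: once `InterruptedException` is caught the thread's interrupt flag is cleared and never restored, so a cancellation during dev-service start is lost. Add `if (e instanceof InterruptedException) Thread.currentThread().interrupt();` inside the catch block. Logging only `e.getMessage()` also drops the stack trace; passing `e` as the last logger argument keeps it. Consider whether a non-zero exit from the ownership change should fail the start instead of being logged, since the container is otherwise left running with permissions that were not applied.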
@@ -14,7 +14,6 @@ import org.testcontainers.utility.MountableFile; import com.github.dockerjava.api.command.InspectContainerResponse; -import com.github.dockerjava.api.model.Ulimit; public class SolaceContainer extends GenericContainer { @@ -55,7 +54,11 @@ public SolaceContainer(DockerImageName dockerImageName) { super(dockerImageName); dockerImageName.assertCompatibleWith(DEFAULT_IMAGE_NAME); withCreateContainerCmdModifier(cmd -> { - cmd.getHostConfig().withShmSize(SHM_SIZE).withUlimits(new Ulimit[] { new Ulimit("nofile", 2448L, 6592L) }); + cmd.withUser("1000"); + cmd.getHostConfig() + .withShmSize(SHM_SIZE) + .withMemorySwap(-1L) + .withMemoryReservation(0L); }); this.waitStrategy = Wait.forLogMessage(SOLACE_READY_MESSAGE, 1).withStartupTimeout(Duration.ofSeconds(60)); withExposedPorts(8080); @@ -70,6 +73,7 @@ protected void configure() { @Override protected void containerIsStarted(InspectContainerResponse containerInfo) { + executeCommand("chown 1000:0 -R /var/lib/solace"); if (withClientCert) { executeCommand("cp", "/tmp/solace.pem", "/usr/sw/jail/certs/solace.pem"); executeCommand("cp", "/tmp/rootCA.crt", "/usr/sw/jail/certs/rootCA.crt"); diff --git a/quarkus-solace-messaging-connector/runtime/src/test/java/com/solace/quarkus/messaging/base/SolaceContainer.java b/quarkus-solace-messaging-connector/runtime/src/test/java/com/solace/quarkus/messaging/base/SolaceContainer.java index 8beae7e..a6ad7a7 100644 --- a/quarkus-solace-messaging-connector/runtime/src/test/java/com/solace/quarkus/messaging/base/SolaceContainer.java +++ b/quarkus-solace-messaging-connector/runtime/src/test/java/com/solace/quarkus/messaging/base/SolaceContainer.java @@ -14,7 +14,6 @@ import org.testcontainers.utility.MountableFile; import com.github.dockerjava.api.command.InspectContainerResponse; -import com.github.dockerjava.api.model.Ulimit; public class SolaceContainer extends GenericContainer { 
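Review bot: In `containerIsStarted` the `cp` commands that install `/tmp/solace.pem` and `/tmp/rootCA.crt` into `/usr/sw/jail/certs/` now presumably run as uid 1000, because the constructor hunk sets `cmd.withUser("1000")` and an exec inherits the container user unless told otherwise. The added `chown` covers only `/var/lib/solace`, and nothing visible here shows that uid 1000 can write to `/usr/sw/jail/certs`, so client-certificate tests may start without the certificate and CA in place. A short comment stating what makes the certs directory writable, or a check of the `cp` exit codes that fails the test setup, would make this explicit. `executeCommand` is defined outside the hunk, so whether it reports failures here is not visible; the same applies to the `containerIsStarted` hunk in the messaging-connector `SolaceContainer.java`. The method body continues past the hunk.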
@@ -65,7 +64,11 @@ public SolaceContainer(DockerImageName dockerImageName) { super(dockerImageName); dockerImageName.assertCompatibleWith(DEFAULT_IMAGE_NAME); withCreateContainerCmdModifier(cmd -> { - cmd.getHostConfig().withShmSize(SHM_SIZE).withUlimits(new Ulimit[] { new Ulimit("nofile", 2448L, 6592L) }); + cmd.withUser("1000"); + cmd.getHostConfig() + .withShmSize(SHM_SIZE) + .withMemorySwap(-1L) + .withMemoryReservation(0L); }); this.waitStrategy = Wait.forLogMessage(SOLACE_READY_MESSAGE, 1).withStartupTimeout(Duration.ofSeconds(60)); withExposedPorts(8080); @@ -82,6 +85,7 @@ protected void configure() { @Override protected void containerIsStarted(InspectContainerResponse containerInfo) { + executeCommand("chown 1000:0 -R /var/lib/solace"); if (withClientCert) { executeCommand("cp", "/tmp/solace.pem", "/usr/sw/jail/certs/solace.pem"); executeCommand("cp", "/tmp/rootCA.crt", "/usr/sw/jail/certs/rootCA.crt");