From 425c19d0f3a8091409241b425836850918891799 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=98yvind=20Liland=20Gjesdal?=
Date: Sat, 26 Oct 2024 11:17:57 +0200
Subject: [PATCH] Change to use unprivileged user and consitent uid/gid for docker images

Updates all dockerfiles with:
* Create dspace user and group with consistent UID and GID
* Use numeric USER ID
* Use number ID > 10000
* Add chown using UID:GID to DOCKER COPY and ADD instructions
* Use consistent casings in Docker instructions
---
 Dockerfile              | 17 +++++++++++------
 Dockerfile.cli          |  9 ++++++---
 Dockerfile.dependencies |  9 ++++-----
 Dockerfile.test         | 13 ++++++++-----
 4 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 29668e35269..c35698590ea 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,14 +8,14 @@ ARG JDK_VERSION=11
 # Step 1 - Run Maven Build
-FROM ufal/dspace-dependencies:dspace-7_x as build
+FROM ufal/dspace-dependencies:dspace-7_x AS build
 ARG TARGET_DIR=dspace-installer
 WORKDIR /app
 # The dspace-installer directory will be written to /install
 RUN mkdir /install \
     && chown -Rv dspace: /install \
     && chown -Rv dspace: /app
-USER dspace
+USER 10001
 # Copy the DSpace source code (from local machine) into the workdir (excluding .dockerignore contents)
 ADD --chown=dspace . /app/
 # Build DSpace (note: this build doesn't include the optional, deprecated "dspace-rest" webapp)
@@ -25,7 +25,7 @@ RUN mvn --no-transfer-progress package && \
     mvn clean
 # Step 2 - Run Ant Deploy
-FROM openjdk:${JDK_VERSION}-slim as ant_build
+FROM openjdk:${JDK_VERSION}-slim AS ant_build
 ARG TARGET_DIR=dspace-installer
 # COPY the /install directory from 'build' container to /dspace-src in this container
 COPY --from=build /install /dspace-src
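Review bot: `USER 10001` is now numeric, but the `ADD --chown=dspace . /app/` two lines below and the `chown -Rv dspace:` calls above it still resolve the owner by name from the base image's /etc/passwd, so the build user and the file owner only agree if the published `ufal/dspace-dependencies:dspace-7_x` tag has already been rebuilt from the updated Dockerfile.dependencies. If it has not, uid 10001 has no entry there, /app and /install belong to the old `dspace` uid, and the Maven build that follows (outside this hunk) would fail on permissions. I would make the line self-consistent as `ADD --chown=10001:10002 . /app/`, which is exactly what this commit already does in Dockerfile.dependencies, and note in the commit message that the dependencies image must be rebuilt and pushed before this one. The first hunk of Dockerfile.cli has the same `USER 10001` / `--chown=dspace` mismatch.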
@@ -48,16 +48,19 @@ RUN ant init_installation update_configs update_code update_webapps
 # Step 3 - Run tomcat
 # Create a new tomcat image that does not retain the the build directory contents
 FROM tomcat:9-jdk${JDK_VERSION}
+# Create a custom dspace user with same gid/uid as last stage
+RUN groupadd -g 10002 dspace && \
+    useradd -u 10001 -g dspace dspace
 # NOTE: DSPACE_INSTALL must align with the "dspace.dir" default configuration.
 ENV DSPACE_INSTALL=/dspace
 # Copy the /dspace directory from 'ant_build' container to /dspace in this container
-COPY --from=ant_build /dspace $DSPACE_INSTALL
+COPY --from=ant_build --chown=10001:10002 /dspace $DSPACE_INSTALL
 # Expose Tomcat port and AJP port
 EXPOSE 8080 8009 8000
 # Give java extra memory (2GB)
 ENV JAVA_OPTS=-Xmx2000m
-COPY scripts/restart_debug/* /usr/local/tomcat/bin
-COPY scripts/index-scripts/* /dspace/bin
+COPY --chown=10001:10002 scripts/restart_debug/* /usr/local/tomcat/bin
+COPY --chown=10001:10002 scripts/index-scripts/* /dspace/bin
 # Link the DSpace 'server' webapp into Tomcat's webapps directory.
 # This ensures that when we start Tomcat, it runs from /server path (e.g. http://localhost:8080/server/)
 RUN ln -s $DSPACE_INSTALL/webapps/server /usr/local/tomcat/webapps/server
@@ -66,6 +69,8 @@ RUN ln -s $DSPACE_INSTALL/webapps/server /usr/local/tomcat/webapps/server
 # Please note that server webapp should only run on one path at a time.
 #RUN mv /usr/local/tomcat/webapps/ROOT /usr/local/tomcat/webapps/ROOT.bk && \
 #    ln -s $DSPACE_INSTALL/webapps/server /usr/local/tomcat/webapps/ROOT
+# Run as dspace user
+USER 10001
 WORKDIR /usr/local/tomcat/bin
 RUN chmod u+x redebug.sh undebug.sh custom_run.sh
diff --git a/Dockerfile.cli b/Dockerfile.cli
index a935c641287..e9e6638cd35 100644
--- a/Dockerfile.cli
+++ b/Dockerfile.cli
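Review bot: The `--chown=10001:10002` flags added here cover /dspace and the two script copies, but nothing grants uid 10001 write access to Tomcat's own directories before the `USER 10001` added in the -66 hunk takes effect, and the official tomcat image leaves $CATALINA_HOME root-owned as far as I know, so Tomcat would presumably fail to create logs/catalina.out or its temp/work directories at startup. I would add, just before the new `USER 10001`, `RUN chown -R 10001:10002 /usr/local/tomcat/logs /usr/local/tomcat/temp /usr/local/tomcat/work` (conf is not needed unless the image rewrites it at runtime). The `ln -s` and `chmod u+x` steps are fine: the symlink is created as root, and the scripts being chmod'ed are owned by 10001 after the chown on COPY. The tomcat stage of Dockerfile.test has the same gap.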
@@ -8,14 +8,14 @@ ARG JDK_VERSION=11
 # Step 1 - Run Maven Build
-FROM ufal/dspace-dependencies:dspace-7_x as build
+FROM ufal/dspace-dependencies:dspace-7_x AS build
 ARG TARGET_DIR=dspace-installer
 WORKDIR /app
 # The dspace-installer directory will be written to /install
 RUN mkdir /install \
     && chown -Rv dspace: /install \
     && chown -Rv dspace: /app
-USER dspace
+USER 10001
 # Copy the DSpace source code (from local machine) into the workdir (excluding .dockerignore contents)
 ADD --chown=dspace . /app/
 # Build DSpace. Copy the dspace-installer directory to /install. Clean up the build to keep the docker image small
@@ -48,7 +48,10 @@ RUN ant init_installation update_configs update_code
 FROM openjdk:${JDK_VERSION}
 # NOTE: DSPACE_INSTALL must align with the "dspace.dir" default configuration.
 ENV DSPACE_INSTALL=/dspace
+RUN groupadd -g 10002 dspace && \
+    useradd -u 10001 -g dspace dspace
 # Copy the /dspace directory from 'ant_build' container to /dspace in this container
-COPY --from=ant_build /dspace $DSPACE_INSTALL
+COPY --from=ant_build --chown=10001:10002 /dspace $DSPACE_INSTALL
 # Give java extra memory (1GB)
 ENV JAVA_OPTS=-Xmx1000m
+USER 10001
diff --git a/Dockerfile.dependencies b/Dockerfile.dependencies
index a55b323339d..920e4b52214 100644
--- a/Dockerfile.dependencies
+++ b/Dockerfile.dependencies
@@ -11,9 +11,8 @@ FROM maven:3-openjdk-${JDK_VERSION}-slim as build
 ARG TARGET_DIR=dspace-installer
 WORKDIR /app
 # Create the 'dspace' user account & home directory
-RUN useradd dspace \
-    && mkdir -p /home/dspace \
-    && chown -Rv dspace: /home/dspace
+RUN groupadd -g 10002 dspace && \
+    useradd -u 10001 -g dspace dspace
 RUN chown -Rv dspace: /app
 # Need git to support buildnumber-maven-plugin, which lets us know what version of DSpace is being run.
 RUN apt-get update \
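Review bot: The replacement `useradd -u 10001 -g dspace dspace` in the Dockerfile.dependencies hunk drops the `mkdir -p /home/dspace` and chown that the removed lines did, and `useradd` on a Debian-based image does not create the home directory unless `-m` is given, so /home/dspace now only exists in /etc/passwd. The later hunk of this file runs `mvn` as that user, and Maven's default local repository is ~/.m2/repository under a directory that uid 10001 cannot create inside root-owned /home, so the dependency download step is likely to fail unless a settings file or MAVEN_CONFIG I cannot see here redirects it. The one-line fix is `useradd -m -u 10001 -g dspace dspace`, which also restores the ownership the old chown provided. The same home-less `useradd` is added to the final stages of Dockerfile, Dockerfile.cli (the -48 hunk above) and Dockerfile.test; adding `-m` there is less critical but keeps the four files consistent, and the comment `# Create the 'dspace' user account & home directory` would then stay accurate.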
@@ -22,10 +21,10 @@ RUN apt-get update \
     && rm -rf /var/lib/apt/lists/*
 # Switch to dspace user & run below commands as that user
-USER dspace
+USER 10001
 # Copy the DSpace source code (from local machine) into the workdir (excluding .dockerignore contents)
-ADD --chown=dspace . /app/
+ADD --chown=10001:10002 . /app/
 # Trigger the installation of all maven dependencies (hide download progress messages)
 RUN mvn --no-transfer-progress package
diff --git a/Dockerfile.test b/Dockerfile.test
index eaa61b25170..5f0d86b2414 100644
--- a/Dockerfile.test
+++ b/Dockerfile.test
@@ -10,7 +10,7 @@ ARG JDK_VERSION=11
 # Step 1 - Run Maven Build
-FROM ufal/dspace-dependencies:dspace-7_x as build
+FROM ufal/dspace-dependencies:dspace-7_x AS build
 ARG TARGET_DIR=dspace-installer
 WORKDIR /app
 # The dspace-installer directory will be written to /install
@@ -26,8 +26,8 @@ RUN mvn --no-transfer-progress package -Pdspace-rest && \
     mv /app/dspace/target/${TARGET_DIR}/* /install && \
     mvn clean
-# Step 2 - Run Ant Deploy
-FROM openjdk:${JDK_VERSION}-slim as ant_build
+# Step 2 - Run Ant Deploy
+FROM openjdk:${JDK_VERSION}-slim AS ant_build
 ARG TARGET_DIR=dspace-installer
 # COPY the /install directory from 'build' container to /dspace-src in this container
 COPY --from=build /install /dspace-src
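Review bot: Since the `ADD --chown=10001:10002 . /app/` line is being rewritten anyway, this is the moment to make it `COPY --chown=10001:10002 . /app/`: for a local directory the two are equivalent except that `ADD` also auto-extracts any tar archive it finds in the build context into /app, which is never wanted for a source tree and is the usual hadolint DL3020 finding. The corresponding `ADD --chown=dspace . /app/` lines in Dockerfile and Dockerfile.cli are only context in this commit, but would deserve the same treatment when they are next touched.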
@@ -52,8 +52,11 @@ RUN ant init_installation update_configs update_code update_webapps
 FROM tomcat:9-jdk${JDK_VERSION}
 ENV DSPACE_INSTALL=/dspace
 ENV TOMCAT_INSTALL=/usr/local/tomcat
+# Create a custom dspace user with same gid/uid as last stage
+RUN groupadd -g 10002 dspace && \
+    useradd -u 10001 -g dspace dspace
 # Copy the /dspace directory from 'ant_build' containger to /dspace in this container
-COPY --from=ant_build /dspace $DSPACE_INSTALL
+COPY --from=ant_build --chown=10001:10002 /dspace $DSPACE_INSTALL
 # Enable the AJP connector in Tomcat's server.xml
 # NOTE: secretRequired="false" should only be used when AJP is NOT accessible from an external network. But, secretRequired="true" isn't supported by mod_proxy_ajp until Apache 2.5
 RUN sed -i '/Service name="Catalina".*/a \\n ' $TOMCAT_INSTALL/conf/server.xml
@@ -78,5 +81,5 @@ RUN ln -s $DSPACE_INSTALL/webapps/server /usr/local/tomcat/webapps/server &&
 # Overwrite the v6.x (deprecated) REST API's web.xml, so that we can run it on HTTP (defaults to requiring HTTPS)
 # WARNING: THIS IS OBVIOUSLY INSECURE. NEVER DO THIS IN PRODUCTION.
-COPY dspace/src/main/docker/test/rest_web.xml $DSPACE_INSTALL/webapps/rest/WEB-INF/web.xml
+COPY --chown=10001:10002 dspace/src/main/docker/test/rest_web.xml $DSPACE_INSTALL/webapps/rest/WEB-INF/web.xml
 RUN sed -i -e "s|\${dspace.dir}|$DSPACE_INSTALL|" $DSPACE_INSTALL/webapps/rest/WEB-INF/web.xml
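Review bot: This tomcat stage gains the dspace user/group and chowns /dspace to 10001:10002, but no `USER` instruction appears anywhere in the Dockerfile.test diff (the diffstat's 13 changed lines are fully accounted for by the four hunks), so unless a USER line already exists outside these hunks the test image keeps running Tomcat as root and the new `--chown` flags change nothing at runtime; the commit message states that all dockerfiles were switched. I would add `USER 10001` after the last step that needs root, i.e. after the `sed -i` rewrites of server.xml and web.xml in the -78 hunk, so that the two sed edits still run as root while the process does not. As in Dockerfile, that switch also needs `RUN chown -R 10001:10002 $TOMCAT_INSTALL/logs $TOMCAT_INSTALL/temp $TOMCAT_INSTALL/work` beforehand, since those directories are presumably still root-owned from the base image. The stage continues past the first hunk, so the exact insertion point should be confirmed against the full file.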