Build on host with SELinux enabled
This commit is contained in:
Arthur Barr
@@ -34,8 +34,10 @@ readonly dev=$2
|
||||
IMAGE_REVISION=${IMAGE_REVISION:="Not Applicable"}
|
||||
IMAGE_SOURCE=${IMAGE_SOURCE:="Not Applicable"}
|
||||
|
||||
# Run the build in a container
|
||||
# Note the ":Z" on the volume is to allow the container to access the files when SELinux is enabled
|
||||
podman run \
|
||||
--volume ${PWD}:/opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/ \
|
||||
--volume ${PWD}:/opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/:Z \
|
||||
--env IMAGE_REVISION="$IMAGE_REVISION" \
|
||||
--env IMAGE_SOURCE="$IMAGE_SOURCE" \
|
||||
--env MQDEV=${dev} \
|
||||
|
||||
@@ -46,9 +46,10 @@ fi
|
||||
|
||||
|
||||
# Accept the MQ license
|
||||
buildah run --volume ${dir_extract}:/mnt/mq-download $ctr_mq -- /mnt/mq-download/MQServer/mqlicense.sh -text_only -accept
|
||||
buildah run --user root --volume ${dir_extract}:/mnt/mq-download:Z $ctr_mq -- /mnt/mq-download/MQServer/mqlicense.sh -text_only -accept
|
||||
|
||||
buildah run --volume ${dir_extract}:/mnt/mq-download $ctr_mq -- bash -c "cd /mnt/mq-download/MQServer && rpm -ivh $mq_packages"
|
||||
# Install MQ
|
||||
buildah run --user root --volume ${dir_extract}:/mnt/mq-download:Z $ctr_mq -- bash -c "cd /mnt/mq-download/MQServer && rpm -ivh $mq_packages"
|
||||
|
||||
rm -rf ${dir_extract}/MQServer
|
||||
|
||||
@@ -71,7 +72,7 @@ rm -rf $mnt_mq/var/mqm
|
||||
mkdir -p $mnt_mq/mnt/mqm
|
||||
|
||||
# Create a symlink for /var/mqm -> /mnt/mqm/data
|
||||
buildah run $ctr_mq -- ln -s /mnt/mqm/data /var/mqm
|
||||
buildah run --user root $ctr_mq -- ln -s /mnt/mqm/data /var/mqm
|
||||
|
||||
# Optional: Set these values for the IBM Cloud Vulnerability Report
|
||||
sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' $mnt_mq/etc/login.defs
|
||||
|
||||
@@ -16,8 +16,6 @@
|
||||
# limitations under the License.
|
||||
|
||||
# Build a RHEL image, using the buildah tool
|
||||
# Usage
|
||||
# mq-buildah.sh ARCHIVE-NAME PACKAGES
|
||||
|
||||
set -x
|
||||
set -e
|
||||
@@ -56,6 +54,8 @@ readonly packages=$2
|
||||
readonly tag=$3
|
||||
readonly version=$4
|
||||
readonly mqdev=$5
|
||||
readonly mqm_uid=888
|
||||
readonly mqm_gid=888
|
||||
|
||||
###############################################################################
|
||||
# Install MQ server
|
||||
@@ -93,10 +93,10 @@ buildah run ${ctr_mq} -- microdnf ${microdnf_opts} install \
|
||||
buildah run ${ctr_mq} -- microdnf ${microdnf_opts} clean all
|
||||
rm -rf ${mnt_mq}/etc/yum.repos.d/*
|
||||
|
||||
groupadd --root ${mnt_mq} --system --gid 888 mqm
|
||||
useradd --root ${mnt_mq} --system --uid 888 --gid mqm mqm
|
||||
usermod --root ${mnt_mq} -aG root mqm
|
||||
usermod --root ${mnt_mq} -aG mqm root
|
||||
buildah run --user root $ctr_mq -- groupadd --system --gid ${mqm_gid} mqm
|
||||
buildah run --user root $ctr_mq -- useradd --system --uid ${mqm_uid} --gid mqm mqm
|
||||
buildah run --user root $ctr_mq -- usermod -aG root mqm
|
||||
buildah run --user root $ctr_mq -- usermod -aG mqm root
|
||||
|
||||
# Install MQ server packages into the MQ builder image
|
||||
./mq-advanced-server-rhel/install-mq-rhel.sh ${ctr_mq} "${mnt_mq}" "${archive}" "${packages}"
|
||||
@@ -106,9 +106,9 @@ mkdir -p ${mnt_mq}/etc/mqm
|
||||
chown 888:888 ${mnt_mq}/etc/mqm
|
||||
|
||||
# Install the Go binaries into the image
|
||||
install --mode 0750 --owner 888 --group 888 ./build/runmqserver ${mnt_mq}/usr/local/bin/
|
||||
install --mode 6750 --owner 888 --group 888 ./build/chk* ${mnt_mq}/usr/local/bin/
|
||||
install --mode 0750 --owner 888 --group 888 ./NOTICES.txt ${mnt_mq}/opt/mqm/licenses/notices-container.txt
|
||||
install --mode 0750 --owner ${mqm_uid} --group 0 ./build/runmqserver ${mnt_mq}/usr/local/bin/
|
||||
install --mode 6750 --owner ${mqm_uid} --group 0 ./build/chk* ${mnt_mq}/usr/local/bin/
|
||||
install --mode 0750 --owner ${mqm_uid} --group 0 ./NOTICES.txt ${mnt_mq}/opt/mqm/licenses/notices-container.txt
|
||||
|
||||
###############################################################################
|
||||
# Final Buildah commands
|
||||
|
||||
@@ -15,9 +15,7 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# Build a RHEL image, using the buildah tool
|
||||
# Usage
|
||||
# mq-buildah.sh ARCHIVEFILE PACKAGES
|
||||
# Build a RHEL image of MQ Advanced for Developers, using the buildah tool
|
||||
|
||||
set -x
|
||||
set -e
|
||||
@@ -57,12 +55,11 @@ readonly tag=$2
|
||||
readonly version=$3
|
||||
|
||||
|
||||
useradd --root $mnt_mq --gid mqm admin
|
||||
groupadd --root $mnt_mq --system mqclient
|
||||
useradd --root $mnt_mq --gid mqclient app
|
||||
|
||||
buildah run $ctr_mq -- id admin
|
||||
buildah run $ctr_mq -- sh -c "echo admin:passw0rd | chpasswd"
|
||||
# Run these commands inside the container so that the SELinux context is handled correctly
|
||||
buildah run --user root $ctr_mq -- useradd --gid mqm admin
|
||||
buildah run --user root $ctr_mq -- groupadd --system mqclient
|
||||
buildah run --user root $ctr_mq -- useradd --gid mqclient app
|
||||
buildah run --user root $ctr_mq -- bash -c "echo admin:passw0rd | chpasswd"
|
||||
|
||||
mkdir -p $mnt_mq/run/runmqdevserver
|
||||
chown 888:888 $mnt_mq/run/runmqdevserver
|
||||
|
||||
Reference in New Issue
Block a user