From c3f40c84a7e1f2eca11b7d23585d614a9214f9af Mon Sep 17 00:00:00 2001
From: Robert Parker
Date: Tue, 19 Mar 2019 11:29:33 +0000
Subject: [PATCH] Extra changes to support non-root in CIP
---
Dockerfile-server | 1 +
Makefile-UBUNTU | 2 -
cmd/runmqdevserver/tls.go | 34 ----------------
cmd/runmqserver/crtmqvol.go | 66 ++++++++++++++++++++++++++++++-
cmd/runmqserver/logging.go | 3 ++
cmd/runmqserver/main.go | 14 +++++++
cmd/runmqserver/qmgr.go | 1 +
cmd/runmqserver/webserver.go | 36 ++---------------
internal/keystore/keystore.go | 21 ----------
internal/mqtemplate/mqtemplate.go | 21 ----------
10 files changed, 88 insertions(+), 111 deletions(-)
diff --git a/Dockerfile-server b/Dockerfile-server
index 6e5f1af..7086cce 100644
--- a/Dockerfile-server
+++ b/Dockerfile-server
@@ -70,6 +70,7 @@ RUN chmod ug+x /usr/local/bin/runmqserver \
 && chown mqm:mqm /usr/local/bin/*mq* \
 && chmod ug+xs /usr/local/bin/chkmq* \
 && install --directory --mode 0775 --owner mqm --group root /run/runmqserver \
+ && install --directory --mode 0775 --owner mqm --group root /run/tls \
 && touch /run/termination-log \
 && chown mqm:root /run/termination-log \
 && chmod 0660 /run/termination-log
diff --git a/Makefile-UBUNTU b/Makefile-UBUNTU
index a90b8e7..82b6898 100644
--- a/Makefile-UBUNTU
+++ b/Makefile-UBUNTU
@@ -274,9 +274,7 @@ build-golang-sdk: downloads/$(MQ_SDK_ARCHIVE) build-golang-sdk-ex
 .PHONY: build-golang-sdk-ex
 build-golang-sdk-ex: docker-version build-sdk-ex
 $(info $(shell printf $(TITLE)"Build $(MQ_IMAGE_GOLANG_SDK)"$(END)))
- @echo hello
 $(DOCKER) build --build-arg BASE_IMAGE=$(MQ_IMAGE_SDK) -t $(MQ_IMAGE_GOLANG_SDK) -f incubating/mq-golang-sdk/Dockerfile .
- @echo goodbye
 .PHONY: docker-pull
 docker-pull:
diff --git a/cmd/runmqdevserver/tls.go b/cmd/runmqdevserver/tls.go
index bbfc3af..759ef0f 100644
--- a/cmd/runmqdevserver/tls.go
+++ b/cmd/runmqdevserver/tls.go
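Review bot: The new `/run/tls` directory is installed with mode 0775, group root, so every uid in the image can traverse it, while the Go fallback added in this same patch (`createWebConsoleTLSDirStructure` in crtmqvol.go) creates the same path with 0770; the two should agree. Since this directory receives the web console key and trust stores and the PKCS12 built from the mounted private key (webserver.go in this patch), the tighter mode is the one to keep: `&& install --directory --mode 0770 --owner mqm --group root /run/tls \`. Whether the non-root process runs with group root, so that 0770 still lets it write, is not visible in the hunk; if it runs as mqm the owner bits alone apply and the change is harmless.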
@@ -20,7 +20,6 @@ import (
 "os"
 "path/filepath"
- "github.com/ibm-messaging/mq-container/internal/command"
 "github.com/ibm-messaging/mq-container/internal/keystore"
 "github.com/ibm-messaging/mq-container/internal/mqtemplate"
 )
@@ -58,16 +57,6 @@ func configureWebTLS(cms *keystore.KeyStore) error {
 if err != nil {
 return err
 }
- mqmUID, mqmGID, err := command.LookupMQM()
- if err != nil {
- log.Error(err)
- return err
- }
- err = os.Chown(tlsConfig, mqmUID, mqmGID)
- if err != nil {
- log.Error(err)
- return err
- }
 return nil
 }
@@ -84,29 +73,6 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
 dir := "/run/runmqdevserver/tls"
 keyFile := filepath.Join(dir, "key.kdb")
- _, err = os.Stat(dir)
- if err != nil {
- if os.IsNotExist(err) {
- // #nosec G301
- err = os.MkdirAll(dir, 0770)
- if err != nil {
- return err
- }
- mqmUID, mqmGID, err := command.LookupMQM()
- if err != nil {
- log.Error(err)
- return err
- }
- err = os.Chown(dir, mqmUID, mqmGID)
- if err != nil {
- log.Error(err)
- return err
- }
- } else {
- return err
- }
- }
 cms := keystore.NewCMSKeyStore(keyFile, passPhrase)
 err = cms.Create(log)
diff --git a/cmd/runmqserver/crtmqvol.go b/cmd/runmqserver/crtmqvol.go
index cadd833..0c44869 100644
--- a/cmd/runmqserver/crtmqvol.go
+++ b/cmd/runmqserver/crtmqvol.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2018
+© Copyright IBM Corporation 2017, 2019
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -60,3 +60,67 @@ func createVolume(path string) error {
 }
 return nil
 }
+
+func createWebConsoleTLSDirStructure() error {
+ // Create tls directory
+ dir := "/run/tls"
+ _, err := os.Stat(dir)
+ if err != nil {
+ if os.IsNotExist(err) {
+ err = os.MkdirAll(dir, 0770)
+ if err != nil {
+ return err
+ }
+ mqmUID, mqmGID, err := command.LookupMQM()
+ if err != nil {
+ log.Error(err)
+ return err
+ }
+ err = os.Chown(dir, mqmUID, mqmGID)
+ if err != nil {
+ log.Error(err)
+ return err
+ }
+ } else {
+ return err
+ }
+ }
+
+ return nil
+}
+
+func createDevTLSDir() error {
+ // TODO: Use a persisted file (on the volume) instead?
+ par := "/run/runmqdevserver"
+ dir := filepath.Join(par, "tls")
+
+ _, err := os.Stat(dir)
+ if err != nil {
+ if os.IsNotExist(err) {
+ // #nosec G301
+ err = os.MkdirAll(dir, 0770)
+ if err != nil {
+ return err
+ }
+ mqmUID, mqmGID, err := command.LookupMQM()
+ if err != nil {
+ log.Error(err)
+ return err
+ }
+ err = os.Chown(dir, mqmUID, mqmGID)
+ if err != nil {
+ log.Error(err)
+ return err
+ }
+ err = os.Chown(par, mqmUID, mqmGID)
+ if err != nil {
+ log.Error(err)
+ return err
+ }
+
+ } else {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/cmd/runmqserver/logging.go b/cmd/runmqserver/logging.go
index f2f30a8..12ec6ca 100644
--- a/cmd/runmqserver/logging.go
+++ b/cmd/runmqserver/logging.go
@@ -138,6 +138,9 @@ func logDiagnostics() {
 out, _, _ = command.Run("ls", "-l", "/mnt/mqm/data")
 log.Debugf("/mnt/mqm/data:\n%s", out)
 // #nosec G104
+ out, _, _ = command.Run("ls", "-l", "/etc/mqm")
+ log.Debugf("/etc/mqm:\n%s", out)
+ // #nosec G104
 out, _, _ = command.Run("ls", "-l", "/var/mqm")
 log.Debugf("/var/mqm:\n%s", out)
 // #nosec G104
diff --git a/cmd/runmqserver/main.go b/cmd/runmqserver/main.go
index 2814e27..acee110 100644
--- a/cmd/runmqserver/main.go
+++ b/cmd/runmqserver/main.go
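Review bot: `createWebConsoleTLSDirStructure` and `createDevTLSDir` repeat the same stat/mkdir/LookupMQM/chown sequence that this patch deletes from webserver.go and tls.go, and the first copy drops the `// #nosec G301` annotation its sibling keeps; one helper taking the path and mode keeps the two in step and removes the `err` shadowed by `mqmUID, mqmGID, err := command.LookupMQM()` inside the inner block. The `os.Stat` guard should survive in the helper: the Dockerfile in this patch pre-creates `/run/tls`, and chowning a directory the process does not own fails once it is no longer root. `createDevTLSDir` differs only in the extra `os.Chown(par, ...)`, which it can keep by acting on the helper's "created" result. With this move the dev server's `configureTLS` in cmd/runmqdevserver/tls.go depends on runmqserver having run `createDevTLSDir`, which main.go only does when `devFlag` is set, so a comment on `createDevTLSDir` such as `// Must run before runmqdevserver's configureTLS, which expects this directory to exist.` is worth adding. Whether `path/filepath` and `command` are already imported by crtmqvol.go is not visible in the hunk.
```go
// ensureMQMDir creates dir (and any missing parents) with mode and hands it to
// the mqm user. It reports whether it had to create the directory; an existing
// directory is left untouched, whatever its owner.
func ensureMQMDir(dir string, mode os.FileMode) (bool, error) {
	_, err := os.Stat(dir)
	if err == nil {
		return false, nil
	}
	if !os.IsNotExist(err) {
		return false, err
	}
	// #nosec G301
	if err := os.MkdirAll(dir, mode); err != nil {
		return false, err
	}
	mqmUID, mqmGID, err := command.LookupMQM()
	if err != nil {
		log.Error(err)
		return false, err
	}
	if err := os.Chown(dir, mqmUID, mqmGID); err != nil {
		log.Error(err)
		return false, err
	}
	return true, nil
}

// createWebConsoleTLSDirStructure makes sure /run/tls, which receives the web
// console key and trust stores, exists and is owned by mqm.
func createWebConsoleTLSDirStructure() error {
	_, err := ensureMQMDir("/run/tls", 0770)
	return err
}

// … unchanged: createDevTLSDir (would call ensureMQMDir and chown par only when created) …
```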
@@ -104,6 +104,20 @@ func doMain() error {
 return err
 }
+ err = createWebConsoleTLSDirStructure()
+ if err != nil {
+ logTermination(err)
+ return err
+ }
+
+ if *devFlag == true {
+ err = createDevTLSDir()
+ if err != nil {
+ logTermination(err)
+ return err
+ }
+ }
+
 // If init flag is set, exit now
 if *initFlag {
 return nil
diff --git a/cmd/runmqserver/qmgr.go b/cmd/runmqserver/qmgr.go
index 49b73c1..5515cfe 100644
--- a/cmd/runmqserver/qmgr.go
+++ b/cmd/runmqserver/qmgr.go
@@ -34,6 +34,7 @@ func createDirStructure() error {
 return err
 }
 log.Println("Created directory structure under /var/mqm")
+
 return nil
 }
diff --git a/cmd/runmqserver/webserver.go b/cmd/runmqserver/webserver.go
index 7897bf5..7537864 100644
--- a/cmd/runmqserver/webserver.go
+++ b/cmd/runmqserver/webserver.go
@@ -136,34 +136,14 @@ func configureSSO_TLS() error {
 // Create tls directory
 dir := "/run/tls"
- _, err := os.Stat(dir)
- if err != nil {
- if os.IsNotExist(err) {
- err = os.MkdirAll(dir, 0770)
- if err != nil {
- return err
- }
- mqmUID, mqmGID, err := command.LookupMQM()
- if err != nil {
- log.Error(err)
- return err
- }
- err = os.Chown(dir, mqmUID, mqmGID)
- if err != nil {
- log.Error(err)
- return err
- }
- } else {
- return err
- }
- }
+ mntdir := "/mnt/tls/"
 // Setup key store & trust store
 ks := keystore.NewJKSKeyStore(filepath.Join(dir, "key.jks"), "password")
 ts := keystore.NewJKSKeyStore(filepath.Join(dir, "trust.jks"), "password")
 log.Debug("Creating key store")
- err = ks.Create(log)
+ err := ks.Create(log)
 if err != nil {
 return err
 }
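Review bot: `if *devFlag == true {` compares a bool against `true`; the `*initFlag` check two lines below in the same hunk uses the bare form and staticcheck flags the comparison, so write `if *devFlag {`. Both new directory calls run before the `initFlag` early return, so an init-only run also creates the TLS directories; if that is intended, a one-line comment above `createWebConsoleTLSDirStructure()` such as `// TLS directories are prepared on every run, including init-only runs` would make it explicit — hedged, since what `initFlag` gates is outside the hunk. `doMain` continues on both sides of the hunk.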
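Review bot: The context comment `// Create tls directory` above `dir := "/run/tls"` is now stale: the creation moved to `createWebConsoleTLSDirStructure` in crtmqvol.go and the Dockerfile in this patch, and `configureSSO_TLS` now silently assumes the directory exists, so replace it with `// /run/tls is created by the Dockerfile (and createWebConsoleTLSDirStructure) before this runs`. The trailing slash in `mntdir := "/mnt/tls/"` is redundant once the value only feeds `filepath.Join` in the next hunk; `mntdir := "/mnt/tls"` keeps it symmetric with `dir`. `configureSSO_TLS` continues past the end of the hunk.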
@@ -173,12 +153,12 @@ func configureSSO_TLS() error {
 return err
 }
 log.Debug("Generating PKCS12 file")
- err = ks.GeneratePKCS12("/mnt/tls/tls.key", "/mnt/tls/tls.crt", "/run/tls/tls.p12", "default", "password")
+ err = ks.GeneratePKCS12(filepath.Join(mntdir, "tls.key"), filepath.Join(mntdir, "tls.crt"), filepath.Join(dir, "tls.p12"), "default", "password")
 if err != nil {
 return err
 }
 log.Debug("Importing certificate into key store")
- err = ks.Import("/run/tls/tls.p12", "password")
+ err = ks.Import(filepath.Join(dir, "tls.p12"), "password")
 if err != nil {
 return err
 }
@@ -203,10 +183,6 @@ func configureWebServer() error {
 }
 return err
 }
- uid, gid, err := command.LookupMQM()
- if err != nil {
- return err
- }
 const prefix string = "/etc/mqm/web"
 err = filepath.Walk(prefix, func(from string, info os.FileInfo, err error) error {
 if err != nil {
@@ -242,10 +218,6 @@ func configureWebServer() error {
 return err
 }
 }
- err = os.Chown(to, uid, gid)
- if err != nil {
- return err
- }
 return nil
 })
 return err
diff --git a/internal/keystore/keystore.go b/internal/keystore/keystore.go
index 62a368c..6743779 100644
--- a/internal/keystore/keystore.go
+++ b/internal/keystore/keystore.go
@@ -99,17 +99,6 @@ func (ks *KeyStore) Create(log *logger.Logger) error {
 if err != nil {
 return fmt.Errorf("error running \"%v -keydb -create\": %v %s", ks.command, err, out)
 }
-
- mqmUID, mqmGID, err := command.LookupMQM()
- if err != nil {
- log.Error(err)
- return err
- }
- err = os.Chown(ks.Filename, mqmUID, mqmGID)
- if err != nil {
- log.Error(err)
- return err
- }
 return nil
 }
@@ -128,16 +117,6 @@ func (ks *KeyStore) CreateStash(log *logger.Logger) error {
 }
 return err
 }
- mqmUID, mqmGID, err := command.LookupMQM()
- if err != nil {
- log.Error(err)
- return err
- }
- err = os.Chown(stashFile, mqmUID, mqmGID)
- if err != nil {
- log.Error(err)
- return err
- }
 return nil
 }
diff --git a/internal/mqtemplate/mqtemplate.go b/internal/mqtemplate/mqtemplate.go
index b26ed65..e035b2c 100644
--- a/internal/mqtemplate/mqtemplate.go
+++ b/internal/mqtemplate/mqtemplate.go
@@ -22,7 +22,6 @@ import (
 "path"
 "text/template"
- "github.com/ibm-messaging/mq-container/internal/command"
 "github.com/ibm-messaging/mq-container/internal/logger"
 )
@@ -44,16 +43,6 @@ func ProcessTemplateFile(templateFile, destFile string, data interface{}, log *l
 log.Error(err)
 return err
 }
- mqmUID, mqmGID, err := command.LookupMQM()
- if err != nil {
- log.Error(err)
- return err
- }
- err = os.Chown(dir, mqmUID, mqmGID)
- if err != nil {
- log.Error(err)
- return err
- }
 } else {
 return err
 }
@@ -66,15 +55,5 @@ func ProcessTemplateFile(templateFile, destFile string, data interface{}, log *l
 log.Error(err)
 return err
 }
- mqmUID, mqmGID, err := command.LookupMQM()
- if err != nil {
- log.Error(err)
- return err
- }
- err = os.Chown(destFile, mqmUID, mqmGID)
- if err != nil {
- log.Error(err)
- return err
- }
 return nil
 }