Change for running as a non-root user (#276)

* Enable running container as mqm

* Fix merge problem

* Don't force root usage

* RHEL image runs as mqm instead of root

* Build on host with SELinux enabled

* Enable building on node in an OpenShift cluster

* Enable running container as mqm

* Fix merge problem

* Don't force root usage

* Merge lastest changes from master

* RHEL image runs as mqm instead of root

* Fix merge issues

* Test changes for non-root

* Make timeout properly, and more non-root test fixes

* Run tests with fewer/no capabilities

* Correct usage docs for non-root

* Add security docs

* Add temporary debug output

* Remove debug code

* Fixes for termination-log

* Allow init container to run as root

* Fixes for CentOS build

* Fixes for RHEL build

* Logging improvements

* Fix Dockerfile RHEL/CentOS build

* Fix bash error

* Make all builds specify UID

* Use redist client for Go SDK

* Inspect image before running tests

* New test for init container

* Log container runtime in runmqdevserver

* Add extra capabilities if using a RHEL image

docs/security.md

@@ -0,0 +1,39 @@
+# Security
+
+## Container runtime
+
+### User
+
+The MQ server image is run using the "mqm" user.  On the Ubuntu-based image, this uses the UID and GID of 999.  On the Red Hat Enterprise Linux image, it uses the UID and GID of 888.
+
+### Capabilities
+
+The MQ Advanced image requires no Linux capabilities, so you can drop any capabilities which are added by default.  For example, in Docker you could do the following:
+
+```sh
+docker run \
+  --cap-drop=ALL \
+  --env LICENSE=accept \
+  --env MQ_QMGR_NAME=QM1 \
+  --detach \
+  mqadvanced-server:9.1.1.0-x86_64-ubuntu-16.04
+```
+
+The MQ Advanced for Developers image does requires the "chown", "setuid", "setgid" and "audit_write" capabilities (plus "dac_override" if you're using an image based on Red Hat Enterprise Linux).  This is because it uses the "sudo" command to change passwords inside the container.  For example, in Docker, you could do the following:
+
+```sh
+docker run \
+  --cap-drop=ALL \
+  --cap-add=CHOWN \
+  --cap-add=SETUID \
+  --cap-add=SETGID \
+  --cap-add=AUDIT_WRITE \
+  --env LICENSE=accept \
+  --env MQ_QMGR_NAME=QM1 \
+  --detach \
+  mqadvanced-server-dev:9.1.1.0-x86_64-ubuntu-16.04
+```
+
+### SELinux
+
+The SELinux label "spc_t" (super-privileged container) is needed to run the MQ container on a host with SELinux enabled.  This is due to a current limitation in how MQ data is stored on volumes, which violates the usual policy applied when using the standard "container_t" label.

docs/usage.md

@@ -66,20 +66,20 @@ The following is an *example* `Dockerfile` for creating your own pre-configured
 
 ```dockerfile
 FROM ibmcom/mq
+USER root
 RUN useradd alice -G mqm && \
     echo alice:passw0rd | chpasswd
+USER mqm
 COPY 20-config.mqsc /etc/mqm/
 ```
 
-Here is an example corresponding `20-config.mqsc` script from the [mqdev blog](https://developer.ibm.com/messaging/2018/10/01/archives-getting-going-without-turning-off-ibm-mq-security/), which allows users with passwords to connect on the `PASSWORD.SVRCONN` channel:
+The `USER` instructions are necessary to ensure that the `useradd` and `chpasswd` commands are run as the root user.
+
+Here is an example corresponding `20-config.mqsc` script, which creates two local queues:
 
 ```mqsc
-DEFINE CHANNEL(PASSWORD.SVRCONN) CHLTYPE(SVRCONN) REPLACE
-SET CHLAUTH(PASSWORD.SVRCONN) TYPE(BLOCKUSER) USERLIST('nobody') DESCR('Allow privileged users on this channel')
-SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('BackStop rule')
-SET CHLAUTH(PASSWORD.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
-ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) ADOPTCTX(YES)
-REFRESH SECURITY TYPE(CONNAUTH)
+DEFINE QLOCAL(MY.QUEUE.1) REPLACE
+DEFINE QLOCAL(MY.QUEUE.2) REPLACE
 ```
 
 The file `20-config.mqsc` should be saved into the same directory as the `Dockerfile`.