Change for running as a non-root user (#276)

* Enable running container as mqm

* Fix merge problem

* Don't force root usage

* RHEL image runs as mqm instead of root

* Build on host with SELinux enabled

* Enable building on node in an OpenShift cluster

* Enable running container as mqm

* Fix merge problem

* Don't force root usage

* Merge lastest changes from master

* RHEL image runs as mqm instead of root

* Fix merge issues

* Test changes for non-root

* Make timeout properly, and more non-root test fixes

* Run tests with fewer/no capabilities

* Correct usage docs for non-root

* Add security docs

* Add temporary debug output

* Remove debug code

* Fixes for termination-log

* Allow init container to run as root

* Fixes for CentOS build

* Fixes for RHEL build

* Logging improvements

* Fix Dockerfile RHEL/CentOS build

* Fix bash error

* Make all builds specify UID

* Use redist client for Go SDK

* Inspect image before running tests

* New test for init container

* Log container runtime in runmqdevserver

* Add extra capabilities if using a RHEL image

incubating/mqadvanced-server-dev/Dockerfile

@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2015, 2018
+# © Copyright IBM Corporation 2015, 2019
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -43,6 +43,20 @@ ENV MQ_DEV=true
 # Default administrator password
 ENV MQ_ADMIN_PASSWORD=passw0rd
 
+ARG MQM_UID=999
+
+USER root
+
+COPY incubating/mqadvanced-server-dev/install-extra-packages.sh /usr/local/bin/
+
+RUN chmod u+x /usr/local/bin/install-extra-packages.sh \
+  && sleep 1 \
+  && install-extra-packages.sh
+
+# WARNING: This is what allows the mqm user to change the password of any other user
+# It's used by runmqdevserver to change the admin/app passwords.
+RUN echo "mqm    ALL = NOPASSWD: /usr/sbin/chpasswd" > /etc/sudoers.d/mq-dev-config
+
 ## Add admin and app users, and set a default password for admin
 RUN useradd admin -G mqm \
   && groupadd mqclient \
@@ -55,12 +69,17 @@ RUN mkdir -p /run/runmqdevserver \
 
 COPY --from=builder /go/src/github.com/ibm-messaging/mq-container/runmqserver /usr/local/bin/
 COPY --from=builder /go/src/github.com/ibm-messaging/mq-container/runmqdevserver /usr/local/bin/
+
 # Copy template files
-COPY incubating/mqadvanced-server-dev/*.tpl /etc/mqm/
+COPY --chown=mqm:mqm incubating/mqadvanced-server-dev/*.tpl /etc/mqm/
 # Copy web XML files for default developer configuration
-COPY incubating/mqadvanced-server-dev/web /etc/mqm/web
-RUN chmod +x /usr/local/bin/runmq*
+COPY --chown=mqm:mqm incubating/mqadvanced-server-dev/web /etc/mqm/web
+
+RUN chmod +x /usr/local/bin/runmq* \
+  && install --directory --mode 0775 --owner mqm --group root /run/runmqdevserver
 
 EXPOSE 9443
 
+USER $MQM_UID
+
 ENTRYPOINT ["runmqdevserver"]

incubating/mqadvanced-server-dev/install-extra-packages.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# -*- mode: sh -*-
+# © Copyright IBM Corporation 2019
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+test -f /usr/bin/yum && RHEL=true || RHEL=false
+test -f /usr/bin/apt-get && UBUNTU=true || UBUNTU=false
+
+if ($UBUNTU); then
+    export DEBIAN_FRONTEND=noninteractive
+    apt-get update
+    apt-get install -y --no-install-recommends sudo
+    rm -rf /var/lib/apt/lists/*
+fi
+
+if ($RHEL); then
+    yum -y install sudo
+    yum -y clean all
+    rm -rf /var/cache/yum/*
+fi