Change for running as a non-root user (#276)

* Enable running container as mqm

* Fix merge problem

* Don't force root usage

* RHEL image runs as mqm instead of root

* Build on host with SELinux enabled

* Enable building on node in an OpenShift cluster

* Enable running container as mqm

* Fix merge problem

* Don't force root usage

* Merge lastest changes from master

* RHEL image runs as mqm instead of root

* Fix merge issues

* Test changes for non-root

* Make timeout properly, and more non-root test fixes

* Run tests with fewer/no capabilities

* Correct usage docs for non-root

* Add security docs

* Add temporary debug output

* Remove debug code

* Fixes for termination-log

* Allow init container to run as root

* Fixes for CentOS build

* Fixes for RHEL build

* Logging improvements

* Fix Dockerfile RHEL/CentOS build

* Fix bash error

* Make all builds specify UID

* Use redist client for Go SDK

* Inspect image before running tests

* New test for init container

* Log container runtime in runmqdevserver

* Add extra capabilities if using a RHEL image

internal/containerruntime/runtime.go

@@ -0,0 +1,120 @@
+/*
+© Copyright IBM Corporation 2019
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package runtime
+
+import (
+	"fmt"
+	"io/ioutil"
+	"strings"
+
+	"github.com/genuinetools/amicontained/container"
+)
+
+func GetContainerRuntime() (string, error) {
+	return container.DetectRuntime()
+}
+
+func GetBaseImage() (string, error) {
+	buf, err := ioutil.ReadFile("/etc/os-release")
+	if err != nil {
+		return "", fmt.Errorf("Failed to read /etc/os-release: %v", err)
+	}
+	lines := strings.Split(string(buf), "\n")
+	for _, l := range lines {
+		if strings.HasPrefix(l, "PRETTY_NAME=") {
+			words := strings.Split(l, "\"")
+			if len(words) >= 2 {
+				return words[1], nil
+			}
+		}
+	}
+	return "unknown", nil
+}
+
+// GetCapabilities gets the Linux capabilities (e.g. setuid, setgid).  See https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
+func GetCapabilities() (map[string][]string, error) {
+	return container.Capabilities()
+}
+
+// GetSeccomp gets the seccomp enforcing mode, which affects which kernel calls can be made
+func GetSeccomp() (string, error) {
+	s, err := container.SeccompEnforcingMode()
+	if err != nil {
+		return "", fmt.Errorf("Failed to get container SeccompEnforcingMode: %v", err)
+	}
+	return s, nil
+}
+
+// GetSecurityAttributes gets the security attributes of the current process.
+// The security attributes indicate whether AppArmor or SELinux are being used,
+// and what the level of confinement is.
+func GetSecurityAttributes() string {
+	a, err := readProc("/proc/self/attr/current")
+	// On some systems, if AppArmor or SELinux are not installed, you get an
+	// error when you try and read `/proc/self/attr/current`, even though the
+	// file exists.
+	if err != nil || a == "" {
+		a = "none"
+	}
+	return a
+}
+
+// func logUser() {
+// 	u, err := user.GetUser()
+// 	if err == nil {
+// 		if len(u.SupplementalGID) == 0 {
+// 			log.Printf("Running as user ID %v (%v) with primary group %v", u.UID, u.Name, u.PrimaryGID)
+// 		} else {
+// 			log.Printf("Running as user ID %v (%v) with primary group %v, and supplementary groups %v", u.UID, u.Name, u.PrimaryGID, strings.Join(u.SupplementalGID, ","))
+// 		}
+// 	}
+// }
+
+func readProc(filename string) (value string, err error) {
+	// #nosec G304
+	buf, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(buf)), nil
+}
+
+func GetMounts() (map[string]string, error) {
+	all, err := readProc("/proc/mounts")
+	if err != nil {
+		return nil, fmt.Errorf("Couldn't read /proc/mounts")
+	}
+	result := make(map[string]string)
+	lines := strings.Split(all, "\n")
+	for i := range lines {
+		parts := strings.Split(lines[i], " ")
+		//dev := parts[0]
+		mountPoint := parts[1]
+		fsType := parts[2]
+		if strings.Contains(mountPoint, "/mnt/mqm") {
+			result[mountPoint] = fsType
+		}
+	}
+	return result, nil
+}
+
+func GetKernelVersion() (string, error) {
+	return readProc("/proc/sys/kernel/osrelease")
+}
+
+func GetMaxFileHandles() (string, error) {
+	return readProc("/proc/sys/fs/file-max")
+}

internal/containerruntime/runtime_linux.go

@@ -0,0 +1,126 @@
+// +build linux
+
+/*
+© Copyright IBM Corporation 2017, 2019
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package runtime
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+// fsTypes contains file system identifier codes.
+// This code will not compile on some operating systems - Linux only.
+var fsTypes = map[int64]string{
+	0x61756673: "aufs",
+	0xef53:     "ext",
+	0x6969:     "nfs",
+	0x65735546: "fuse",
+	0x9123683e: "btrfs",
+	0x01021994: "tmpfs",
+	0x794c7630: "overlayfs",
+	0x58465342: "xfs",
+	// less popular codes
+	0xadf5:     "adfs",
+	0xadff:     "affs",
+	0x5346414F: "afs",
+	0x0187:     "autofs",
+	0x73757245: "coda",
+	0x28cd3d45: "cramfs",
+	0x453dcd28: "cramfs",
+	0x64626720: "debugfs",
+	0x73636673: "securityfs",
+	0xf97cff8c: "selinux",
+	0x43415d53: "smack",
+	0x858458f6: "ramfs",
+	0x958458f6: "hugetlbfs",
+	0x73717368: "squashfs",
+	0xf15f:     "ecryptfs",
+	0x414A53:   "efs",
+	0xabba1974: "xenfs",
+	0x3434:     "nilfs",
+	0xF2F52010: "f2fs",
+	0xf995e849: "hpfs",
+	0x9660:     "isofs",
+	0x72b6:     "jffs2",
+	0x6165676C: "pstorefs",
+	0xde5e81e4: "efivarfs",
+	0x00c0ffee: "hostfs",
+	0x137F:     "minix_14",  // minix v1 fs, 14 char names
+	0x138F:     "minix_30",  // minix v1 fs, 30 char names
+	0x2468:     "minix2_14", // minix v2 fs, 14 char names
+	0x2478:     "minix2_30", // minix v2 fs, 30 char names
+	0x4d5a:     "minix3_60", // minix v3 fs, 60 char names
+	0x4d44:     "msdos",
+	0x564c:     "ncp",
+	0x7461636f: "ocfs2",
+	0x9fa1:     "openprom",
+	0x002f:     "qnx4",
+	0x68191122: "qnx6",
+	0x6B414653: "afs_fs",
+	0x52654973: "reiserfs",
+	0x517B:     "smb",
+	0x27e0eb:   "cgroup",
+	0x63677270: "cgroup2",
+	0x7655821:  "rdtgroup",
+	0x57AC6E9D: "stack_end",
+	0x74726163: "tracefs",
+	0x01021997: "v9fs",
+	0x62646576: "bdevfs",
+	0x64646178: "daxfs",
+	0x42494e4d: "binfmtfs",
+	0x1cd1:     "devpts",
+	0xBAD1DEA:  "futexfs",
+	0x50495045: "pipefs",
+	0x9fa0:     "proc",
+	0x534F434B: "sockfs",
+	0x62656572: "sysfs",
+	0x9fa2:     "usbdevice",
+	0x11307854: "mtd_inode",
+	0x09041934: "anon_inode",
+	0x73727279: "btrfs",
+	0x6e736673: "nsfs",
+	0xcafe4a11: "bpf",
+	0x5a3c69f0: "aafs",
+	0x15013346: "udf",
+	0x13661366: "balloon_kvm",
+	0x58295829: "zsmalloc",
+}
+
+// GetFilesystem returns the filesystem type for the specified path
+func GetFilesystem(path string) (string, error) {
+	statfs := &unix.Statfs_t{}
+	err := unix.Statfs(path, statfs)
+	if err != nil {
+		return "", err
+	}
+	// Use a type conversion to make type an int64.  On s390x it's a uint32.
+	t, ok := fsTypes[int64(statfs.Type)]
+	if !ok {
+		return "unknown", nil
+		// log.Printf("WARNING: detected %v has unknown filesystem type %x", path, statfs.Type)
+	}
+	return t, nil
+}
+
+// SupportedFilesystem returns true if the supplied filesystem type is supported for MQ data
+func SupportedFilesystem(fsType string) bool {
+	switch fsType {
+	case "aufs", "overlayfs", "tmpfs":
+		return false
+	default:
+		return true
+	}
+}

internal/containerruntime/runtime_other.go

@@ -0,0 +1,24 @@
+// +build !linux
+
+/*
+© Copyright IBM Corporation 2018, 2019
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package runtime
+
+// Dummy version of this function, only for non-Linux systems.
+// Having this allows unit tests to be run on other platforms (e.g. macOS)
+func checkFS(path string) error {
+	return nil
+}

internal/logger/logger.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018
+© Copyright IBM Corporation 2018, 2019
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -44,7 +44,7 @@ type Logger struct {
 	pid         string
 	serverName  string
 	host        string
-	user        *user.User
+	userName    string
 }
 
 // NewLogger creates a new logger
@@ -53,9 +53,13 @@ func NewLogger(writer io.Writer, debug bool, json bool, serverName string) (*Log
 	if err != nil {
 		return nil, err
 	}
+	// This can fail because the container's running as a random UID which
+	// is not known by the OS.  We don't want this to break the logging
+	// entirely, so just use a blank user name.
 	user, err := user.Current()
-	if err != nil {
-		return nil, err
+	userName := ""
+	if err == nil {
+		userName = user.Username
 	}
 	return &Logger{
 		mutex:       sync.Mutex{},
@@ -66,7 +70,7 @@ func NewLogger(writer io.Writer, debug bool, json bool, serverName string) (*Log
 		pid:         strconv.Itoa(os.Getpid()),
 		serverName:  serverName,
 		host:        hostname,
-		user:        user,
+		userName:    userName,
 	}, nil
 }
 
@@ -93,7 +97,7 @@ func (l *Logger) log(level string, msg string) {
 		"ibm_serverName":  l.serverName,
 		"ibm_processName": l.processName,
 		"ibm_processId":   l.pid,
-		"ibm_userName":    l.user.Username,
+		"ibm_userName":    l.userName,
 		"type":            "mq_containerlog",
 	}
 	s, err := l.format(entry)

internal/user/user.go

@@ -0,0 +1,82 @@
+/*
+© Copyright IBM Corporation 2018, 2019
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package user
+
+import (
+	"fmt"
+	"os/user"
+	"strings"
+
+	"github.com/ibm-messaging/mq-container/internal/command"
+)
+
+// User holds information on primary and supplemental OS groups
+type User struct {
+	UID             string
+	Name            string
+	PrimaryGID      string
+	SupplementalGID []string
+}
+
+// GetUser returns the current user and group information
+func GetUser() (User, error) {
+	u, err := user.Current()
+	if err != nil {
+		return User{}, err
+	}
+	g, err := getCurrentUserGroups()
+	if err != nil {
+		return User{}, err
+	}
+	if err != nil && len(g) == 0 {
+		return User{
+			UID:             u.Uid,
+			Name:            u.Name,
+			PrimaryGID:      u.Gid,
+			SupplementalGID: []string{},
+		}, nil
+	}
+	// Look for the primary group in the list of group IDs
+	for i, v := range g {
+		if v == u.Gid {
+			// Remove the element from the slice
+			g = append(g[:i], g[i+1:]...)
+		}
+	}
+	return User{
+		UID:             u.Uid,
+		Name:            u.Name,
+		PrimaryGID:      u.Gid,
+		SupplementalGID: g,
+	}, nil
+}
+
+func getCurrentUserGroups() ([]string, error) {
+	var nilArray []string
+	out, _, err := command.Run("id", "--groups")
+	if err != nil {
+		return nilArray, err
+	}
+
+	out = strings.TrimSpace(out)
+	if out == "" {
+		// we don't have any groups?
+		return nilArray, fmt.Errorf("Unable to determine groups for current user")
+	}
+
+	groups := strings.Split(out, " ")
+	return groups, nil
+}