Change for running as a non-root user (#276)

* Enable running container as mqm * Fix merge problem * Don't force root usage * RHEL image runs as mqm instead of root * Build on host with SELinux enabled * Enable building on node in an OpenShift cluster * Enable running container as mqm * Fix merge problem * Don't force root usage * Merge lastest changes from master * RHEL image runs as mqm instead of root * Fix merge issues * Test changes for non-root * Make timeout properly, and more non-root test fixes * Run tests with fewer/no capabilities * Correct usage docs for non-root * Add security docs * Add temporary debug output * Remove debug code * Fixes for termination-log * Allow init container to run as root * Fixes for CentOS build * Fixes for RHEL build * Logging improvements * Fix Dockerfile RHEL/CentOS build * Fix bash error * Make all builds specify UID * Use redist client for Go SDK * Inspect image before running tests * New test for init container * Log container runtime in runmqdevserver * Add extra capabilities if using a RHEL image
2019-02-25 15:44:14 +00:00
parent 2dbee560fe
commit cc0f072908
35 changed files with 871 additions and 504 deletions
--- a/mq-advanced-server-rhel/mq-buildah.sh
+++ b/mq-advanced-server-rhel/mq-buildah.sh
@@ -88,13 +88,17 @@ buildah run ${ctr_mq} -- microdnf ${microdnf_opts} install \
  util-linux \
  which

+# Install "sudo" if using MQ Advanced for Developers
+if [ "$mqdev" = "TRUE" ]; then
+  buildah run ${ctr_mq} -- microdnf ${microdnf_opts} install sudo
+fi
+
 # Clean up cached files
 buildah run ${ctr_mq} -- microdnf ${microdnf_opts} clean all
 rm -rf ${mnt_mq}/etc/yum.repos.d/*

 buildah run --user root $ctr_mq -- groupadd --system --gid ${mqm_gid} mqm
-buildah run --user root $ctr_mq -- useradd --system --uid ${mqm_uid} --gid mqm mqm
-buildah run --user root $ctr_mq -- usermod -aG root mqm
+buildah run --user root $ctr_mq -- useradd --system --uid ${mqm_uid} --gid mqm --groups 0 mqm
 buildah run --user root $ctr_mq -- usermod -aG mqm root

 # Install MQ server packages into the MQ builder image
@@ -109,6 +113,11 @@ install --mode 0750 --owner ${mqm_uid} --group 0 ./build/runmqserver ${mnt_mq}/u
 install --mode 6750 --owner ${mqm_uid} --group 0 ./build/chk* ${mnt_mq}/usr/local/bin/
 install --mode 0750 --owner ${mqm_uid} --group 0 ./NOTICES.txt ${mnt_mq}/opt/mqm/licenses/notices-container.txt

+install --directory --mode 0775 --owner ${mqm_uid} --group 0 ${mnt_mq}/run/runmqserver
+buildah run --user root $ctr_mq -- touch /run/termination-log
+buildah run --user root $ctr_mq -- chown mqm:root /run/termination-log
+buildah run --user root $ctr_mq -- chmod 0660 /run/termination-log
+
 ###############################################################################
 # Final Buildah commands
 ###############################################################################
@@ -145,7 +154,7 @@ buildah config \
  --env LANG=en_US.UTF-8 \
  --env LOG_FORMAT=basic \
  --entrypoint runmqserver \
-  --user root \
+  --user ${mqm_uid} \
  $ctr_mq
 buildah unmount $ctr_mq
 buildah commit $ctr_mq $tag