Change for running as a non-root user (#276)

* Enable running container as mqm

* Fix merge problem

* Don't force root usage

* RHEL image runs as mqm instead of root

* Build on host with SELinux enabled

* Enable building on node in an OpenShift cluster

* Enable running container as mqm

* Fix merge problem

* Don't force root usage

* Merge latest changes from master

* RHEL image runs as mqm instead of root

* Fix merge issues

* Test changes for non-root

* Make timeout properly, and more non-root test fixes

* Run tests with fewer/no capabilities

* Correct usage docs for non-root

* Add security docs

* Add temporary debug output

* Remove debug code

* Fixes for termination-log

* Allow init container to run as root

* Fixes for CentOS build

* Fixes for RHEL build

* Logging improvements

* Fix Dockerfile RHEL/CentOS build

* Fix bash error

* Make all builds specify UID

* Use redist client for Go SDK

* Inspect image before running tests

* New test for init container

* Log container runtime in runmqdevserver

* Add extra capabilities if using a RHEL image
Arthur Barr
2019-02-25 15:44:14 +00:00
parent 2dbee560fe
commit cc0f072908
35 changed files with 871 additions and 504 deletions


@@ -53,7 +53,12 @@ fi
readonly tag=$2
readonly version=$3
readonly mqm_uid=888
readonly mqm_gid=888
# WARNING: This is what allows the mqm user to change the password of any other user
# It's used by runmqdevserver to change the admin/app passwords.
echo "mqm ALL = NOPASSWD: /usr/sbin/chpasswd" > $mnt_mq/etc/sudoers.d/mq-dev-config
# Run these commands inside the container so that the SELinux context is handled correctly
buildah run --user root $ctr_mq -- useradd --gid mqm admin
@@ -61,17 +66,24 @@ buildah run --user root $ctr_mq -- groupadd --system mqclient
buildah run --user root $ctr_mq -- useradd --gid mqclient app
buildah run --user root $ctr_mq -- bash -c "echo admin:passw0rd | chpasswd"
mkdir -p $mnt_mq/run/runmqdevserver
chown 888:888 $mnt_mq/run/runmqdevserver
mkdir --parents $mnt_mq/run/runmqdevserver
chown ${mqm_uid}:${mqm_gid} $mnt_mq/run/runmqdevserver
# Copy runmqdevserver program
install --mode 0750 --owner 888 --group 888 ./build/runmqdevserver ${mnt_mq}/usr/local/bin/
install --mode 0750 --owner ${mqm_uid} --group ${mqm_gid} ./build/runmqdevserver ${mnt_mq}/usr/local/bin/
install --directory --mode 0775 --owner ${mqm_uid} --group 0 ${mnt_mq}/run/runmqdevserver
# Copy template files
cp incubating/mqadvanced-server-dev/*.tpl ${mnt_mq}/etc/mqm/
cp ./incubating/mqadvanced-server-dev/*.tpl ${mnt_mq}/etc/mqm/
# Copy web XML files for default developer configuration
cp -R incubating/mqadvanced-server-dev/web ${mnt_mq}/etc/mqm/web
mkdir --parents ${mnt_mq}/etc/mqm/web
cp --recursive ./incubating/mqadvanced-server-dev/web/* ${mnt_mq}/etc/mqm/web/
# Make "mqm" the owner of all the config files
chown --recursive ${mqm_uid}:${mqm_gid} ${mnt_mq}/etc/mqm/*
chmod --recursive 0750 ${mnt_mq}/etc/mqm/*
###############################################################################
# Final Buildah commands
@@ -102,7 +114,7 @@ buildah config \
--env MQ_ADMIN_PASSWORD=passw0rd \
--env MQ_DEV=true \
--entrypoint runmqdevserver \
--user root \
--user ${mqm_uid} \
$ctr_mq
buildah unmount $ctr_mq
buildah commit $ctr_mq $tag
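Review bot: The sudoers drop-in written in the first hunk with `echo "..." > $mnt_mq/etc/sudoers.d/mq-dev-config` sets no explicit mode, so the file takes whatever the build host's umask gives it; sudo skips sudoers.d files that are group- or world-writable and expects them to be root-owned 0440, which makes the `buildah run ... chpasswd` steps and the runtime password change depend on the build environment. Add `chmod 0440 "${mnt_mq}/etc/sudoers.d/mq-dev-config"` right after the echo, and quote the redirection target as `"${mnt_mq}/etc/mqm/..."` the way the rest of the hunk already does. The WARNING comment above that line is accurate and should stay: a NOPASSWD `chpasswd` rule lets the mqm account set any account's password, so the non-root hardening this commit introduces holds only as far as that rule is accepted for the developer image, and the security docs the description mentions should state it explicitly. In the second hunk the new side also prepares `${mnt_mq}/run/runmqdevserver` twice — `mkdir --parents` plus `chown ${mqm_uid}:${mqm_gid}`, then `install --directory --mode 0775 --owner ${mqm_uid} --group 0` on the same path — and the second call silently overrides the group to 0; keep one of the two so the intended ownership is unambiguous.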