PR#239: Add CA_URL env var to image - waiverdb

waiverdb

#239 Add CA_URL env var to image

Merged 6 years ago by lholecek. Opened 6 years ago by rayson.

rayson/waiverdb container-download-ca into master

Add CA_URL env var to image

Yuxiang Zhu • 6 years ago

3ea642f

Dockerfile

file modified

+4 -10

		`@@ -8,8 +8,6 @@`
		`# The caller should build a waiverdb RPM package using ./rpmbuild.sh and then pass it in this arg.`
		`ARG waiverdb_rpm`
		`ARG waiverdb_common_rpm`
		`- # The caller can optionally provide a cacert url`
		`- ARG cacert_url=undefined`

		`COPY $waiverdb_rpm /tmp`
		`COPY $waiverdb_common_rpm /tmp`
		`@@ -22,15 +20,11 @@`
		`&& dnf -y clean all \`
		`&& rm -f /tmp/*`

		`- RUN if [ "$cacert_url" != "undefined" ]; then \`
		`- cd /etc/pki/ca-trust/source/anchors \`
		`- && curl -O --insecure $cacert_url \`
		`- && update-ca-trust extract; \`
		`- fi`
		`+ COPY docker/ /docker/`
		`+ # Allow a non-root user to install a custom root CA at run-time`
		`+ RUN chmod g+w /etc/pki/tls/certs/ca-bundle.crt`
lholecek commented 6 years ago Seems the user in container is in `root` group. Is that safe? How does the `USER 1001` work without calling `useradd`?

		`USER 1001`
		`EXPOSE 8080`
		`-`
		`+ ENTRYPOINT ["/docker/docker-entrypoint.sh"]`
		`CMD ["/usr/bin/gunicorn-3", "--bind", "0.0.0.0:8080", "--access-logfile", "-", "--enable-stdio-inheritance", "waiverdb.wsgi:app"]`
		`-`
		`-`

docker/docker-entrypoint.sh

file added

+18

		`@@ -0,0 +1,18 @@`
		`+ #!/bin/bash`
		`+ set -e`
		`+`
		`+ # CA_URL is the URL of a custom root CA certificate to be installed at run-time`
		`+ : ${CA_URL:=}`
		`+`
		`+ main() {`
		`+ # installing CA certificate`
		`+ if [ -n "${CA_URL}" ] && [ ! -f "/tmp/.ca-imported" ]; then`
		`+ # Since update-ca-trust doesn't work as a non-root user, let's just append to the bundle directly`
		`+ curl --silent --show-error --location "${CA_URL}" >> /etc/pki/tls/certs/ca-bundle.crt`
		`+ # Create a file so we know not to import it again if the container is restarted`
		`+ touch /tmp/.ca-imported`
		`+ fi`
		`+ }`
		`+`
		`+ main`
		`+ exec "$@"`

openshift/containers/waiverdb/Dockerfile

file modified

+4 -2

		`@@ -24,7 +24,6 @@`

		`ARG WAIVERDB_GIT_REPO=https://pagure.io/waiverdb.git`
		`ARG WAIVERDB_GIT_REF=master`
		`- ARG WAIVERDB_CACERT_URL=`
		`ARG WAIVERDB_VERSION=`
		`ENV WAIVERDB_VERSION=$WAIVERDB_VERSION`

		`@@ -48,9 +47,12 @@`
		`&& cp conf/client.conf.example /etc/waiverdb/client.conf \`
		`&& dnf -y history undo last \`
		`&& dnf -y clean all \`
		`+ # Allow a non-root user to install a custom root CA at run-time`
		`+ && cp -r docker/ / \`
		`+ && chmod g+w /etc/pki/tls/certs/ca-bundle.crt \`
		`&& cd / && rm -rf /usr/local/src/waiverdb`

		`USER 1001`
		`EXPOSE 8080`
		`-`
		`+ ENTRYPOINT ["/docker/docker-entrypoint.sh"]`
		`CMD ["/usr/bin/gunicorn-3", "--bind", "0.0.0.0:8080", "--access-logfile", "-", "--enable-stdio-inheritance", "waiverdb.wsgi:app"]`

openshift/waiverdb-test-template.yaml

file modified

		`@@ -242,6 +242,8 @@`
		`secretKeyRef:`
		`name: "waiverdb-test-${TEST_ID}-secret"`
		`key: flask-secret-key`
		`+ - name: CA_URL`
		`+ value: https://password.corp.redhat.com/RH-IT-Root-CA.crt`
		`readinessProbe:`
		`timeoutSeconds: 1`
		`initialDelaySeconds: 5`

rayson commented 6 years ago

Fixes #238
An entrypoint script will download and install the CA certificate
at container start.

rebased onto 9900698bca2d4b4ac2722475b0e80fcfa04770cc

6 years ago

rebased onto 5db08333222b76d2d1812a47fd4d7e571d498b35

6 years ago

rebased onto 3ea642f

6 years ago

lholecek commented on line 21 of Dockerfile 6 years ago

Seems the user in container is in root group. Is that safe?

How does the USER 1001 work without calling useradd?

rayson commented 6 years ago

@lholecek I am also not sure if it is acceptable to grant the root group write permission to the trust CA bundle file.
USER 1001 is not actually used by OpenShift, which will start the process with a 'random' UID with root group. Use of USER 1001 is described in OpenShift Image Guidelines.