author | Andras Timar <andras.timar@collabora.com> | 2020-02-11 11:05:21 +0100 |
committer | Andras Timar <andras.timar@collabora.com> | 2020-02-17 18:31:36 +0100 |
commit | 0009343003f6aabd9883597148c505f3a20a553a (patch) | |
tree | f4737fece6a11c9cfbaafcffd9f929b9531dd5a1 /docker | |
parent | cypress: desktop: Fix-up copy-paste test. (diff) | |
docker: non-root container
Change-Id: I30b48fa193fe06ee42752e8ba4883c5221b28924
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/88435
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Samuel Mehrbrodt <Samuel.Mehrbrodt@cib.de>
Reviewed-by: Andras Timar <andras.timar@collabora.com>
Diffstat (limited to 'docker')
-rw-r--r-- | docker/Dockerfile | 12 | ||||
-rwxr-xr-x | docker/scripts/run-lool.sh | 5 |
2 files changed, 11 insertions, 6 deletions
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 6651b29f97..c82cdee4c9 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -30,10 +30,16 @@ RUN mkdir -p /var/cache/loolwsd && chown lool: /var/cache/loolwsd
 RUN rm -rf /var/cache/loolwsd/*
 RUN rm -rf /opt/lool
 RUN mkdir -p /opt/lool/child-roots
-RUN chown lool: /opt/lool
-RUN chown lool: /opt/lool/child-roots
 RUN loolwsd-systemplate-setup /opt/lool/systemplate /opt/libreoffice >/dev/null 2>&1
 RUN touch /var/log/loolwsd.log
-RUN chown lool /var/log/loolwsd.log
+# Fix permissions
+RUN chown lool:lool /var/log/loolwsd.log
+RUN chown -R lool:lool /opt/
+RUN chown -R lool:lool /etc/loolwsd
+
 EXPOSE 9980
+
+# switch to lool user (use numeric user id to be compatible with Kubernetes Pod Security Policies)
+USER 101
+
 CMD bash /run-lool.sh
diff --git a/docker/scripts/run-lool.sh b/docker/scripts/run-lool.sh
index 227eb51165..7fca8a15d7 100755
--- a/docker/scripts/run-lool.sh
+++ b/docker/scripts/run-lool.sh
@@ -15,7 +15,7 @@ if test "${DONT_GEN_SSL_CERT-set}" == set; then
 mkdir -p /opt/ssl/
 cd /opt/ssl/
 mkdir -p certs/ca
-openssl rand -writerand /root/.rnd
+openssl rand -writerand /opt/lool/.rnd
 openssl genrsa -out certs/ca/root.key.pem 2048
 openssl req -x509 -new -nodes -key certs/ca/root.key.pem -days 9131 -out certs/ca/root.crt.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=Dummy Authority"
 mkdir -p certs/{servers,tmp}
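Review bot: `RUN chown -R lool:lool /opt/` hands the whole /opt tree to the runtime user, including the /opt/libreoffice install that loolwsd-systemplate-setup reads two lines above, so a loolwsd process compromised while running as uid 101 could rewrite its own office binaries and system template, which gives back part of what the switch to a non-root user buys. From the run-lool.sh hunks the script only needs to write under /opt/lool (child-roots, the .rnd file) and to create /opt/ssl, so narrowing this to `RUN mkdir -p /opt/ssl && chown -R lool:lool /opt/lool /opt/ssl` keeps /opt/libreoffice root-owned. A recursive chown in its own RUN also re-copies every file it touches into a new layer, so if /opt/libreoffice is populated earlier in this Dockerfile the line likely doubles that part of the image as well. The `/etc/loolwsd` chown looks required, since run-lool.sh moves the generated certificates and rewrites the config there at startup.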
@@ -24,7 +24,6 @@ openssl genrsa -out certs/servers/localhost/privkey.pem 2048
 openssl req -key certs/servers/localhost/privkey.pem -new -sha256 -out certs/tmp/localhost.csr.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost"
 openssl x509 -req -in certs/tmp/localhost.csr.pem -CA certs/ca/root.crt.pem -CAkey certs/ca/root.key.pem -CAcreateserial -out certs/servers/localhost/cert.pem -days 9131
 mv certs/servers/localhost/privkey.pem /etc/loolwsd/key.pem
-chown lool: /etc/loolwsd/key.pem
 mv certs/servers/localhost/cert.pem /etc/loolwsd/cert.pem
 mv certs/ca/root.crt.pem /etc/loolwsd/ca-chain.cert.pem
 fi
@@ -43,4 +42,4 @@ perl -pi -e "s/<password (.*)>.*<\/password>/<password \1>${password}<\/password ) & # Start loolwsd
-su -c "/usr/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd ${extra_params}" -s /bin/bash lool
+/bin/bash -c "/usr/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd ${extra_params}"
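Review bot: The new start line in the last hunk still wraps loolwsd in a second shell, `/bin/bash -c "… ${extra_params}"`, although the `su -c` it replaces was the only reason for the string form; the script is already run by bash, so `exec /usr/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd ${extra_params}` does the same job without re-parsing the arguments. Expanding `${extra_params}` inside a `bash -c` string means whatever reaches that variable (it is set outside this hunk, presumably from the container environment) is interpreted as shell syntax rather than as plain arguments, an avoidable injection surface in an entrypoint. With `exec`, loolwsd also takes over the process that `bash /run-lool.sh` starts as, so unless an ENTRYPOINT wraps it, SIGTERM from the container runtime reaches loolwsd directly instead of stopping at the intermediate bash. The enclosing script continues before and after these hunks.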