Running job service with non-root container

job-service running with 10000:10000 user Signed-off-by: Qian Deng <dengq@vmware.com>
2019-07-23 09:50:24 +00:00 · 2019-07-23 09:50:24 +00:00 · 29727148b3
parent e62a9f1e18
commit 29727148b3
4 changed files with 18 additions and 18 deletions
--- a/make/photon/jobservice/Dockerfile
+++ b/make/photon/jobservice/Dockerfile
@ -1,13 +1,17 @@
 FROM photon:2.0

-RUN mkdir /harbor/ \
-    && tdnf install sudo -y >> /dev/null\
+RUN tdnf install sudo -y >> /dev/null\
    && tdnf clean all \
-    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor 
+    && groupadd -r -g 10000 harbor && useradd --no-log-init -r -g 10000 -u 10000 harbor

-COPY ./make/photon/jobservice/start.sh ./make/photon/jobservice/harbor_jobservice /harbor/
+COPY ./make/photon/jobservice/harbor_jobservice /harbor/
+
+RUN chmod u+x /harbor/harbor_jobservice

-RUN chmod u+x /harbor/harbor_jobservice /harbor/start.sh
-RUN mkdir -p /var/log/jobs
 WORKDIR /harbor/
-ENTRYPOINT ["/harbor/start.sh"]
+
+USER harbor
+
+VOLUME ["/var/log/jobs/"]
+
+ENTRYPOINT ["/harbor/harbor_jobservice", "-c", "/etc/jobservice/config.yml"]
--- a/make/photon/jobservice/start.sh
+++ b/make/photon/jobservice/start.sh
@ -1,6 +0,0 @@
-#!/bin/sh
-if [ -d /var/log/jobs ]; then
-    chown -R 10000:10000 /var/log/jobs/
-fi
-sudo -E -u \#10000 "/harbor/harbor_jobservice" "-c" "/etc/jobservice/config.yml"
-
--- a/make/photon/prepare/utils/jobservice.py
+++ b/make/photon/prepare/utils/jobservice.py
@ -18,7 +18,8 @@ def prepare_job_service(config_dict):

    # Job log is stored in data dir
    job_log_dir = os.path.join('/data', "job_logs")
-    prepare_config_dir(job_log_dir)
+    file_path = prepare_config_dir(job_log_dir)
+    os.chown(file_path, DEFAULT_UID, DEFAULT_GID)
    # Render Jobservice env
    render_jinja(
        job_service_env_template_path,
--- a/make/prepare
+++ b/make/prepare
@ -45,10 +45,11 @@ secret_dir=${data_path}/secret
 config_dir=$harbor_prepare_path/common/config

 # Run prepare script
-docker run --rm -v $input_dir:/input:z \
-                    -v $harbor_prepare_path:/compose_location:z \
-                    -v $config_dir:/config:z \
-                    -v $secret_dir:/secret:z \
+docker run --rm -v $input_dir:/input \
+                    -v $data_path:/data \
+                    -v $harbor_prepare_path:/compose_location \
+                    -v $config_dir:/config \
+                    -v $secret_dir:/secret \
                    goharbor/prepare:dev $@

 echo "Clean up the input dir"