diff --git a/.tekton/compliance-operator-dev-pull-request.yaml b/.tekton/compliance-operator-dev-pull-request.yaml
index b9bb2cb117..a344e5e807 100644
--- a/.tekton/compliance-operator-dev-pull-request.yaml
+++ b/.tekton/compliance-operator-dev-pull-request.yaml
@@ -8,7 +8,7 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/cancel-in-progress: "true"
 pipelinesascode.tekton.dev/max-keep-runs: "3"
- pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "master" && ( ".tekton/compliance-operator-dev-*.yaml".pathChanged() || "images/operator/***".pathChanged() || "images/redhat.repo".pathChanged() || "main.go".pathChanged() || "tools.go".pathChanged() || "pkg/**/*.go".pathChanged() || "cmd/**/*.go".pathChanged() || "version/***".pathChanged() || "config/***".pathChanged() || "*Makefile*".pathChanged() || "vendor/***".pathChanged() || "tests/***".pathChanged() || "LICENSE".pathChanged() )
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "master" && ( ".tekton/compliance-operator-dev-*.yaml".pathChanged() || "images/operator/***".pathChanged() || "images/redhat.repo".pathChanged() || "main.go".pathChanged() || "tools.go".pathChanged() || "images/operator/Dockerfile".pathChanged() || "build/bin/*".pathChanged() || "pkg/**/*.go".pathChanged() || "cmd/**/*.go".pathChanged() || "version/***".pathChanged() || "config/***".pathChanged() || "*Makefile*".pathChanged() || "vendor/***".pathChanged() || "tests/***".pathChanged() || "LICENSE".pathChanged() )
 creationTimestamp:
 labels:
 appstudio.openshift.io/application: compliance-operator-dev
diff --git a/.tekton/compliance-operator-dev-push.yaml b/.tekton/compliance-operator-dev-push.yaml
index 0a8588c310..53195e9cc2 100644
--- a/.tekton/compliance-operator-dev-push.yaml
+++ b/.tekton/compliance-operator-dev-push.yaml
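Review bot: The added `"images/operator/Dockerfile".pathChanged()` term is already covered by the existing `"images/operator/***".pathChanged()` earlier in the same expression, so it never changes the outcome and can be dropped. The added `"build/bin/*".pathChanged()` matches only direct children of build/bin, unlike the `***` form every other directory in the list uses; that suffices while the directory holds just `entrypoint`, but `"build/bin/***"` would keep the list consistent. The identical expression is duplicated in compliance-operator-dev-push.yaml in the next hunk, so the two must be edited together.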
@@ -8,7 +8,7 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/cancel-in-progress: "false"
 pipelinesascode.tekton.dev/max-keep-runs: "3"
- pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master" && ( ".tekton/compliance-operator-dev-*.yaml".pathChanged() || "images/operator/***".pathChanged() || "images/redhat.repo".pathChanged() || "main.go".pathChanged() || "tools.go".pathChanged() || "pkg/**/*.go".pathChanged() || "cmd/**/*.go".pathChanged() || "version/***".pathChanged() || "config/***".pathChanged() || "*Makefile*".pathChanged() || "vendor/***".pathChanged() || "tests/***".pathChanged() || "LICENSE".pathChanged() )
+ pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master" && ( ".tekton/compliance-operator-dev-*.yaml".pathChanged() || "images/operator/***".pathChanged() || "images/redhat.repo".pathChanged() || "main.go".pathChanged() || "tools.go".pathChanged() || "images/operator/Dockerfile".pathChanged() || "build/bin/*".pathChanged() || "pkg/**/*.go".pathChanged() || "cmd/**/*.go".pathChanged() || "version/***".pathChanged() || "config/***".pathChanged() || "*Makefile*".pathChanged() || "vendor/***".pathChanged() || "tests/***".pathChanged() || "LICENSE".pathChanged() )
 creationTimestamp:
 labels:
 appstudio.openshift.io/application: compliance-operator-dev
diff --git a/Dockerfile.ci b/Dockerfile.ci
index 3d992c0f76..5127f50428 100644
--- a/Dockerfile.ci
+++ b/Dockerfile.ci
@@ -12,16 +12,13 @@ RUN make manager # Step two: containerize compliance-operator FROM registry.access.redhat.com/ubi9/ubi-micro:latest -ENV OPERATOR=/usr/local/bin/compliance-operator \ - USER_UID=1001 \ - USER_NAME=compliance-operator +ENV OPERATOR=/usr/local/bin/compliance-operator # install operator binary COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR} -COPY build/bin /usr/local/bin -RUN /usr/local/bin/user_setup +COPY build/bin/entrypoint /usr/local/bin/entrypoint ENTRYPOINT ["/usr/local/bin/entrypoint"] -USER ${USER_UID} +USER 1001 diff --git a/build/Dockerfile b/build/Dockerfile index 29447e67f3..42725a970a 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -11,16 +11,13 @@ RUN make manager # Step two: containerize compliance-operator FROM registry.access.redhat.com/ubi9/ubi-micro:latest -ENV OPERATOR=/usr/local/bin/compliance-operator \ - USER_UID=1001 \ - USER_NAME=compliance-operator +ENV OPERATOR=/usr/local/bin/compliance-operator # install operator binary COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR} -COPY build/bin /usr/local/bin -RUN /usr/local/bin/user_setup +COPY build/bin/entrypoint /usr/local/bin/entrypoint ENTRYPOINT ["/usr/local/bin/entrypoint"] -USER ${USER_UID} +USER 1001 diff --git a/build/bin/entrypoint b/build/bin/entrypoint index 9060e1554f..0402c4b517 100755 --- a/build/bin/entrypoint +++ b/build/bin/entrypoint 
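Review bot: Dropping `RUN /usr/local/bin/user_setup` removes the only step that created `${HOME}` and made it writable by UID 1001 and group 0 (the deleted script ran `mkdir -p ${HOME}`, `chown ${USER_UID}:0 ${HOME}`, `chmod ug+rwx ${HOME}`), yet the new stage sets no `ENV HOME` and creates no replacement directory, so under `USER 1001` the process gets whatever HOME the runtime assigns to an unknown UID and nothing in the image guarantees it is writable. Whether compliance-operator writes to its home directory cannot be told from this diff; if it does, add `ENV HOME=/tmp` beside the `ENV OPERATOR=` line, or create a dedicated directory and `chmod g+rwx` it so that arbitrary UIDs in group 0 can use it. Copying only `build/bin/entrypoint` instead of the whole directory, and the numeric `USER 1001` that `runAsNonRoot` admission can verify without a passwd lookup, are both sound. build/Dockerfile receives the identical change in the next hunk, so any fix must land in both files.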
@@ -1,12 +1,11 @@ #!/bin/sh -e # This is documented here: -# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines +# https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/images/creating-images#use-uid_create-images -if ! whoami &>/dev/null; then - if [ -w /etc/passwd ]; then - echo "${USER_NAME:-compliance-operator}:x:$(id -u):$(id -g):${USER_NAME:-compliance-operator} user:${HOME}:/sbin/nologin" >> /etc/passwd - fi -fi +# Since version 4.1 OCP supports arbitrary UIDs without requiring /etc/passwd entries +# https://docs.redhat.com/en/documentation/openshift_container_platform/4.1/html/images/creating_images +# The container runs with the UID assigned by the platform, with group 0 (root) membership +# File permissions are managed through group ownership, not username lookups exec ${OPERATOR} $@ diff --git a/build/bin/user_setup b/build/bin/user_setup deleted file mode 100755 index 913beec1a0..0000000000 --- a/build/bin/user_setup +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh -set -x - -# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be) -mkdir -p ${HOME} -chown ${USER_UID:-1001}:0 ${HOME} -chmod ug+rwx ${HOME} - -# runtime user will need to be able to self-insert in /etc/passwd -chmod g+rw /etc/passwd - -# no need for this script to remain in the image after running -rm $0 diff --git a/images/operator/Dockerfile b/images/operator/Dockerfile index 8107d3e2be..e1761ffe59 100644 --- a/images/operator/Dockerfile +++ b/images/operator/Dockerfile 
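Review bot: The new comment claims that `File permissions are managed through group ownership, not username lookups`, but the same commit deletes build/bin/user_setup, which was the only code that chowned or chmodded anything for group 0, and all three Dockerfiles now hardcode `USER 1001` rather than relying on a platform-assigned UID, so the comment describes a setup the image no longer performs. Replace the four lines with a statement of what is actually true, e.g. `# No /etc/passwd entry is created for the runtime UID: OpenShift assigns arbitrary UIDs and the operator binary does not need a username lookup` (worth confirming the binary never calls getpwuid/os/user, which is what the old whoami guard worked around). The surviving `exec ${OPERATOR} $@` is unquoted: arguments containing whitespace or glob characters are re-split, and if `OPERATOR` is empty the line becomes a bare `exec` of the arguments, or a silent successful exit when there are none. Use `: "${OPERATOR:?OPERATOR is not set}"` followed by `exec "${OPERATOR}" "$@"`.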
@@ -31,19 +31,14 @@ LABEL \ WORKDIR / -# Needed by the user_setup and entrypoint scripts -ENV OPERATOR_BIN=/usr/local/bin/compliance-operator \ - USER_NAME=compliance-operator \ - USER_UID=1001 +ENV OPERATOR_BIN=/usr/local/bin/compliance-operator COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/LICENSE /licenses/LICENSE COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR_BIN} -COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/build/bin/* /usr/local/bin +COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/build/bin/entrypoint /usr/local/bin/entrypoint # This is required for the bundle build. COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/bundle /bundle -RUN /usr/local/bin/user_setup - ENTRYPOINT ["/usr/local/bin/entrypoint"] -USER ${USER_UID} +USER 1001
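Review bot: This stage still exports `ENV OPERATOR_BIN=/usr/local/bin/compliance-operator`, while the entrypoint it copies runs `exec ${OPERATOR} $@`, and Dockerfile.ci and build/Dockerfile in this same commit export `ENV OPERATOR=` for that reason. Unless `OPERATOR` is set in the first 30 lines of this file (outside the hunk) or the deployment overrides the container command, `${OPERATOR}` expands empty and the entrypoint execs its arguments alone, or exits 0 without starting the operator when there are none; the mismatch predates this commit, but the hunk is rewriting exactly this line. Either switch to `ENV OPERATOR=/usr/local/bin/compliance-operator` and use `${OPERATOR}` in the COPY that installs the binary, or export both names. As in the other two Dockerfiles, removing `RUN /usr/local/bin/user_setup` leaves UID 1001 with no `ENV HOME` and no directory that is guaranteed writable; add one if the operator needs a home.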