
Commit 4024486

authored
KNOX-3257 - Update knox image creatation so that we do not need escalated privileges in helm install (#1151)
1 parent 882fe7f commit 4024486


1 file changed

+22
-9
lines changed

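--- a/gateway-docker/src/main/resources/docker/Dockerfile
+++ b/gateway-docker/src/main/resources/docker/Dockerfile
@@ -16,21 +16,33 @@
 FROM openjdk:8-jre-alpine3.8
 MAINTAINER Apache Knox <dev@knox.apache.org>
 
+USER root
 # Make sure required packages are available
-RUN apk --no-cache add bash procps ca-certificates krb5 && update-ca-certificates
+RUN apk upgrade --no-cache && \
+apk add --no-cache openssl \
+procps \
+ca-certificates \
+unzip \
+nss && \
+apk add --no-cache bash
 
-# Create an knox user
-RUN addgroup -S knox && adduser -S -G knox knox
+# Create knox user and group
+# Using GID 8000 for the knox group to allow arbitrary UIDs with this GID
+RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h /home/knox knox
 
 # Dependencies
 ARG RELEASE_FILE
-COPY ${RELEASE_FILE} /home/knox/
+ADD --chown=knox:knox ${RELEASE_FILE} /home/knox/
 
 # Extract the Knox release tar.gz
-RUN cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln -nsf /home/knox/*/ /home/knox/knox
+RUN chmod 644 /home/knox/*.zip && \
+cd /home/knox && unzip /home/knox/*.zip && rm -f /home/knox/*.zip && ln -nsf /home/knox/*/ /home/knox/knox
 
-# Make sure knox owns its files
-RUN chown -R knox: /home/knox
+# Make sure knox owns its files and make all directories group-accessible for arbitrary UIDs
+RUN mkdir -p /home/knox/knox/data/security/keystores && \
+mkdir -p /home/knox/knox/conf && \
+chown -R knox:knox /home/knox && \
+chmod -R g+rwX /home/knox \
 
 # Add the entrypoint script
 ARG ENTRYPOINT
@@ -44,7 +56,9 @@ ADD --chown=knox:knox \
 http://www.awstrust.com/repository/AmazonRootCA2.cer \
 http://www.awstrust.com/repository/AmazonRootCA3.cer \
 http://www.awstrust.com/repository/AmazonRootCA4.cer \
-http://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem /home/knox/cacrts/
+http://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem \
+https://letsencrypt.org/certs/isrgrootx1.pem \
+https://letsencrypt.org/certs/isrg-root-x2.pem /home/knox/cacrts/
 
 WORKDIR /home/knox/knox
 
@@ -54,5 +68,4 @@ EXPOSE ${EXPOSE_PORT}
 
 # Switch off of the root user
 USER knox
-
 ENTRYPOINT ["./entrypoint.sh"]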
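Review bot: In the first hunk the account-creation line `RUN groupadd --system -g 8000 knox && adduser --system -u 8000 -g knox -h /home/knox knox` does not match the BusyBox tools on an Alpine base: `groupadd` comes from the `shadow` package, which the `apk add` list above it does not install, and BusyBox `adduser` reads `-g` as the GECOS field while `-G` selects the group. Unless the base image already ships `shadow`, the build should fail at this step or leave knox outside GID 8000, which the group-access scheme of this commit relies on; `RUN addgroup -S -g 8000 knox && adduser -S -u 8000 -G knox -h /home/knox knox` keeps the earlier BusyBox form with the fixed ids. In the same hunk, `chmod -R g+rwX /home/knox \` ends with a line continuation, so the following `ARG ENTRYPOINT` line would be parsed as part of this RUN command; the trailing backslash should be dropped. Because that chmod also makes `data/security/keystores` group-writable, a comment stating that any identity running with GID 8000 can modify keystore material would help operators scope `runAsGroup`/`fsGroup` accordingly.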
