Merge branch 'feature/PB-44239-make-openshift-compatible-nonroot-container' into 'master'

Feature/pb 44239 make openshift compatible nonroot container

See merge request passbolt/passbolt_docker!237

Author: dlen

.gitlab-ci/Jobs/build_image.yml

@@ -227,3 +227,21 @@ build-pro-stable-rootless-arm-v7:
     PLATFORM: "linux/arm/v7"
     SUPERCRONIC_ARCH: arm
     SUPERCRONIC_SHA1SUM: 510b84b031b78ebe25b1f00c91ced3434edcd383
+
+build-ce-stable-openshift:
+  extends: .stable-build
+  variables:
+    DOCKERFILE_PATH: "debian/Dockerfile.openshift"
+    DOCKER_TAG: "openshift"
+    SUPERCRONIC_ARCH: amd64
+    SUPERCRONIC_SHA1SUM: bc072eba2ae083849d5f86c6bd1f345f6ed902d0
+    PLATFORM: "linux/amd64"
+
+build-pro-stable-openshift:
+  extends: .stable-build-pro
+  variables:
+    DOCKERFILE_PATH: "debian/Dockerfile.openshift"
+    DOCKER_TAG: "openshift"
+    SUPERCRONIC_ARCH: amd64
+    SUPERCRONIC_SHA1SUM: bc072eba2ae083849d5f86c6bd1f345f6ed902d0
+    PLATFORM: "linux/amd64"

.gitlab-ci/Jobs/publish.yaml

@@ -142,3 +142,30 @@ publish-pro-non-root:
   rules:
     - if: '$PASSBOLT_VERSION && $CI_COMMIT_BRANCH == "master" && $PASSBOLT_PUBLISH == "pro"'
       when: on_success
+publish-ce-openshift:
+  extends: .publish
+  variables:
+    DOCKER_TAG: "openshift"
+    PASSBOLT_FLAVOUR: "ce"
+    PASSBOLT_IMAGE_FLAVOUR: "ce-openshift"
+  script:
+    - *manifest-yaml
+    - ./manifest-tool-linux-amd64 push from-spec manifests.yaml
+    - crane cp "${CI_REGISTRY_IMAGE}:latest-${PASSBOLT_IMAGE_FLAVOUR}" "${DOCKER_HUB_PASSBOLT_REGISTRY}:latest-${PASSBOLT_IMAGE_FLAVOUR}"
+    - crane cp "${CI_REGISTRY_IMAGE}:${PASSBOLT_VERSION}-${PASSBOLT_IMAGE_FLAVOUR}" "${DOCKER_HUB_PASSBOLT_REGISTRY}:${PASSBOLT_VERSION}-${PASSBOLT_IMAGE_FLAVOUR}"
+    - 'bash .gitlab-ci/scripts/bin/slack-status-messages.sh ":whale: $PASSBOLT_VERSION $PASSBOLT_IMAGE_FLAVOUR docker image has been published" "$CI_PROJECT_URL/-/jobs/$CI_JOB_ID"'
+publish-pro-openshift:
+  extends: .publish
+  variables:
+    DOCKER_TAG: "openshift"
+    PASSBOLT_FLAVOUR: "pro"
+    PASSBOLT_IMAGE_FLAVOUR: "pro-openshift"
+  script:
+    - *manifest-yaml
+    - ./manifest-tool-linux-amd64 push from-spec manifests.yaml
+    - crane cp "${CI_REGISTRY_IMAGE}:latest-${PASSBOLT_IMAGE_FLAVOUR}" "${DOCKER_HUB_PASSBOLT_REGISTRY}:latest-${PASSBOLT_IMAGE_FLAVOUR}"
+    - crane cp "${CI_REGISTRY_IMAGE}:${PASSBOLT_VERSION}-${PASSBOLT_IMAGE_FLAVOUR}" "${DOCKER_HUB_PASSBOLT_REGISTRY}:${PASSBOLT_VERSION}-${PASSBOLT_IMAGE_FLAVOUR}"
+    - 'bash .gitlab-ci/scripts/bin/slack-status-messages.sh ":whale: $PASSBOLT_VERSION $PASSBOLT_IMAGE_FLAVOUR docker image has been published" "$CI_PROJECT_URL/-/jobs/$CI_JOB_ID"'
+  rules:
+    - if: '$PASSBOLT_VERSION && $CI_COMMIT_BRANCH == "master" && $PASSBOLT_PUBLISH == "pro"'
+      when: on_success

.gitlab-ci/Jobs/test_images.yaml

@@ -112,3 +112,51 @@ pro-non-root-docker-runtime-with-passbolt-php:
   variables:
     TEST_NAME: docker_runtime_with_passbolt_php
     ROOTLESS: "true"
+
+ce-openshift-docker-image:
+  extends: .test-images
+  variables:
+    TEST_NAME: docker_image
+    ROOTLESS: "true"
+
+ce-openshift-docker-runtime:
+  extends: .test-images
+  variables:
+    TEST_NAME: docker_runtime
+    ROOTLESS: "true"
+
+ce-openshift-docker-runtime-no-envs:
+  extends: .test-images
+  variables:
+    TEST_NAME: docker_runtime_no_envs
+    ROOTLESS: "true"
+
+ce-openshift-docker-runtime-with-passbolt-php:
+  extends: .test-images
+  variables:
+    TEST_NAME: docker_runtime_with_passbolt_php
+    ROOTLESS: "true"
+
+pro-openshift-docker-image:
+  extends: .test-pro-images
+  variables:
+    TEST_NAME: docker_image
+    ROOTLESS: "true"
+
+pro-openshift-docker-runtime:
+  extends: .test-pro-images
+  variables:
+    TEST_NAME: docker_runtime
+    ROOTLESS: "true"
+
+pro-openshift-docker-runtime-no-envs:
+  extends: .test-pro-images
+  variables:
+    TEST_NAME: docker_runtime_no_envs
+    ROOTLESS: "true"
+
+pro-openshift-docker-runtime-with-passbolt-php:
+  extends: .test-images
+  variables:
+    TEST_NAME: docker_runtime_with_passbolt_php
+    ROOTLESS: "true"

.gitlab-ci/Jobs/test_vulnerabilities.yaml

@@ -36,3 +36,17 @@ docker-pro-rootless:
     PASSBOLT_FLAVOUR: "pro"
     DOCKER_TAG: "rootless"
     OPPOSITE_FLAVOUR: "ce"
+
+docker-pro-openshift:
+  extends: .test-vulnerabilities
+  variables:
+    PASSBOLT_FLAVOUR: "pro"
+    DOCKER_TAG: "openshift"
+    OPPOSITE_FLAVOUR: "ce"
+
+docker-ce-openshift:
+  extends: .test-vulnerabilities
+  variables:
+    PASSBOLT_FLAVOUR: "ce"
+    DOCKER_TAG: "openshift"
+    OPPOSITE_FLAVOUR: "pro"

debian/Dockerfile.openshift

@@ -0,0 +1,138 @@
+FROM debian:trixie-slim
+
+ARG API_REPOSITORY="https://github.com/passbolt/passbolt_api"
+ARG IMAGE_DESCRIPTION="Passbolt CE Backend, a JSON API written with CakePHP"
+ARG BUILD_DATE=""
+
+LABEL org.opencontainers.image.created="${BUILD_DATE}"
+LABEL org.opencontainers.image.description="${IMAGE_DESCRIPTION}"
+LABEL org.opencontainers.image.documentation=https://help.passbolt.com/
+LABEL org.opencontainers.image.authors="Passbolt SA <[email protected]>"
+LABEL org.opencontainers.image.licenses=AGPL-3.0-only
+LABEL org.opencontainers.image.source="${API_REPOSITORY}"
+LABEL org.opencontainers.image.title=passbolt/passbolt
+LABEL org.opencontainers.image.url=https://passbolt.com
+
+ARG SUPERCRONIC_ARCH=amd64
+ARG SUPERCRONIC_SHA1SUM=bc072eba2ae083849d5f86c6bd1f345f6ed902d0
+
+ARG PASSBOLT_DISTRO="buster"
+ARG PASSBOLT_COMPONENT="stable"
+ARG PASSBOLT_SERVER_KEY="https://download.passbolt.com"
+ARG PASSBOLT_FLAVOUR="ce"
+ARG PASSBOLT_PKG=passbolt-$PASSBOLT_FLAVOUR-server
+ARG PASSBOLT_REPO_URL="https://download.passbolt.com"
+ARG PASSBOLT_REPO_KEY_PATH="/usr/share/keyrings/passbolt-repository.gpg"
+ARG PASSBOLT_SOURCES_LIST_PATH="/etc/apt/sources.list.d/passbolt.sources"
+
+ARG PASSBOLT_USER_UID=33
+ARG PASSBOLT_GROUP_GID=33
+
+ENV PASSBOLT_PKG_KEY=0xDE8B853FC155581D
+ENV PHP_VERSION=8.4
+ENV GNUPGHOME=/var/lib/passbolt/.gnupg
+ENV SUPERCRONIC_VERSION=0.2.38
+ENV SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v${SUPERCRONIC_VERSION}/supercronic-linux-${SUPERCRONIC_ARCH} \
+  SUPERCRONIC=supercronic-linux-${SUPERCRONIC_ARCH}
+ENV PASSBOLT_FLAVOUR="${PASSBOLT_FLAVOUR}"
+ENV LOG_ERROR_URL="console://?levels[]=warning&levels[]=error&levels[]=critical&levels[]=alert&levels[]=emergency"
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN usermod -u $PASSBOLT_USER_UID www-data \
+  && groupmod -g $PASSBOLT_GROUP_GID www-data
+
+RUN apt-get update \
+  && DEBIAN_FRONTEND=non-interactive apt-get -y install \
+  ca-certificates \
+  gnupg \
+  curl \
+  && curl -s $PASSBOLT_SERVER_KEY/pub.key |\
+  gpg --dearmor | tee $PASSBOLT_REPO_KEY_PATH > /dev/null \
+  && chmod 644 $PASSBOLT_REPO_KEY_PATH \
+  && echo -e "Types: deb \nURIs: $PASSBOLT_REPO_URL/$PASSBOLT_FLAVOUR/debian \nSuites: $PASSBOLT_DISTRO \nComponents: $PASSBOLT_COMPONENT \nSigned-By: $PASSBOLT_REPO_KEY_PATH" > $PASSBOLT_SOURCES_LIST_PATH \
+  && apt-get update \
+  && DEBIAN_FRONTEND=non-interactive apt-get -y install --no-install-recommends \
+  nginx \
+  $PASSBOLT_PKG \
+  supervisor \
+  && rm -f /etc/passbolt/jwt/* \
+  && curl -fsSLO "$SUPERCRONIC_URL" \
+  && echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - \
+  && chmod +x "$SUPERCRONIC" \
+  && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
+  && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
+
+COPY conf/supervisor/cron.conf.rootless /etc/supervisor/conf.d/cron.conf
+COPY conf/supervisor/nginx.conf /etc/supervisor/conf.d/nginx.conf
+COPY conf/supervisor/php.conf /etc/supervisor/conf.d/php.conf
+
+RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
+  && sed -i 's,listen \[\:\:\]\:80;,listen \[\:\:\]\:8080;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
+  && rm /etc/nginx/sites-enabled/default \
+  && cp /usr/share/passbolt/examples/nginx-passbolt-ssl.conf /etc/nginx/snippets/passbolt-ssl.conf \
+  && sed -i 's,;clear_env = no,clear_env = no,' /etc/php/$PHP_VERSION/fpm/pool.d/www.conf \
+  && sed -i 's,# include __PASSBOLT_SSL__,include /etc/nginx/snippets/passbolt-ssl.conf;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
+  && sed -i 's,listen \[\:\:\]\:443 ssl http2;,listen \[\:\:\]\:4433 ssl http2;,' /etc/nginx/snippets/passbolt-ssl.conf \
+  && sed -i '/listen \[\:\:\]\:4433 ssl http2;/a \ \ listen 4433 ssl http2;' /etc/nginx/snippets/passbolt-ssl.conf \
+  && sed -i 's,__CERT_PATH__,/etc/passbolt/certs/certificate.crt;,' /etc/nginx/snippets/passbolt-ssl.conf \
+  && sed -i 's,__KEY_PATH__,/etc/passbolt/certs/certificate.key;,' /etc/nginx/snippets/passbolt-ssl.conf \
+  && sed -i '/user www-data;/d' /etc/nginx/nginx.conf \
+  && sed -i 's,/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
+  && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
+  && sed -i "s,listen = /run/php/php$PHP_VERSION-fpm.sock,listen = 127.0.0.1:9000," /etc/php/$PHP_VERSION/fpm/pool.d/www.conf \
+  && sed -i "s,unix:/run/php/php$PHP_VERSION-fpm.sock,127.0.0.1:9000," /etc/nginx/sites-enabled/nginx-passbolt.conf \
+  && sed -i "s,pid = /run/php/php$PHP_VERSION-fpm.pid,pid = /tmp/php$PHP_VERSION-fpm.pid," /etc/php/$PHP_VERSION/fpm/php-fpm.conf \
+  && sed -i 's,/var/run/supervisor.sock,/tmp/supervisor.sock,' /etc/supervisor/supervisord.conf \
+  && chown -R www-data:0 /etc/nginx \
+  && chmod -R g+w /etc/nginx \
+  && mkdir /etc/passbolt/certs \
+  && chown www-data:0 /etc/passbolt/certs \
+  && chown www-data:0 /etc/passbolt/jwt \
+  && chown www-data:0 /var/log/supervisor \
+  && chown www-data:0 /etc/supervisor/conf.d/cron.conf \
+  && chown www-data:0 /etc/supervisor/conf.d/php.conf \
+  && chown www-data:0 /etc/supervisor/conf.d/nginx.conf \
+  && chown -R www-data:0 /var/log/nginx \
+  && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \
+  && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \
+  && chown -R www-data:0 /var/log/supervisor \
+  && touch /var/www/.profile \
+  && chown www-data:0 /var/www/.profile \
+  && sed -i 's,www-data\s,,' /etc/cron.d/$PASSBOLT_PKG \
+  && sed -i "s,__PASSBOLT_PACKAGE__,$PASSBOLT_PKG," /etc/supervisor/conf.d/cron.conf \
+  && touch /etc/environment \
+  && chown www-data:0 /etc/environment \
+  && chmod 600 /etc/environment
+
+COPY conf/php/zz-docker.conf /etc/php/$PHP_VERSION/fpm/pool.d/zz-docker.conf
+COPY scripts/entrypoint/docker-entrypoint.openshift.sh /docker-entrypoint.sh
+COPY scripts/entrypoint/passbolt/entrypoint-openshift.sh /passbolt/entrypoint-openshift.sh
+COPY scripts/entrypoint/passbolt/env.sh /passbolt/env.sh
+COPY scripts/entrypoint/passbolt/deprecated_paths.sh /passbolt/deprecated_paths.sh
+COPY scripts/wait-for.sh /usr/bin/wait-for.sh
+
+RUN chmod 0644 /etc/supervisor/conf.d/* \
+  && chmod 0755 /docker-entrypoint.sh \
+  && chmod 0755 /passbolt/* \
+  && chmod 0755 /usr/bin/wait-for.sh
+
+# Changes ownership of some files for Openshift compatibility  
+RUN chgrp -R 0   /var/lib/passbolt /etc/passbolt /etc/supervisor /etc/environment /var/log/supervisor /var/log/nginx && \
+    chmod -R g=u /var/lib/passbolt /etc/passbolt /etc/supervisor /etc/environment /var/log/supervisor /var/log/nginx && \
+    chgrp 0 /var/run  && \ 
+    chmod g=u /var/run && \ 
+    mkdir /var/run/php && \
+    chgrp -R 0 /var/run/php  && \ 
+    chmod -R g=u /var/run/php
+
+# Openshift uses a random UID which is added to the root group. This mimics the functionality with the default user we provide.
+RUN usermod -a -G root www-data
+
+EXPOSE 8080 4433
+
+WORKDIR /usr/share/php/passbolt
+
+USER www-data
+
+CMD ["/docker-entrypoint.sh"]

scripts/entrypoint/docker-entrypoint.openshift.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+passbolt_config="/etc/passbolt"
+gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-$passbolt_config/gpg/serverkey_private.asc}"
+gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-$passbolt_config/gpg/serverkey.asc}"
+
+ssl_key='/etc/passbolt/certs/certificate.key'
+ssl_cert='/etc/passbolt/certs/certificate.crt'
+
+deprecation_message=""
+
+subscription_key_file_paths=("/etc/passbolt/subscription_key.txt" "/etc/passbolt/license")
+
+source $(dirname $0)/../passbolt/entrypoint-openshift.sh
+source $(dirname $0)/../passbolt/env.sh
+source $(dirname $0)/../passbolt/deprecated_paths.sh
+
+manage_docker_env
+
+check_deprecated_paths
+
+if [ ! -f "$gpg_private_key" ] ||
+  [ ! -f "$gpg_public_key" ]; then
+  gpg_gen_key
+  gpg_import_key
+else
+  gpg_import_key
+fi
+
+if [ ! -f "$ssl_key" ] && [ ! -L "$ssl_key" ] &&
+  [ ! -f "$ssl_cert" ] && [ ! -L "$ssl_cert" ]; then
+  gen_ssl_cert
+fi
+
+install
+
+echo -e "$deprecation_message"
+
+declare -p | grep -Ev 'BASHOPTS|BASH_VERSINFO|EUID|PPID|SHELLOPTS|UID' >/etc/environment
+
+exec /usr/bin/supervisord -n