Various update: log4shell removal, testing-tools uid/gid

Author: lfrancke

druid/Dockerfile

@@ -41,7 +41,7 @@ COPY --chown=${STACKABLE_USER_UID}:0 druid/stackable/patches/${PRODUCT} /stackab
 
 COPY --from=hadoop-builder --chown=${STACKABLE_USER_UID}:0 /stackable/patched-libs /stackable/patched-libs
 # Cache mounts are owned by root by default
-# We need to explicitly give the uid to use which is hardcoded to "1000" in stackable-base
+# We need to explicitly give the uid to use.
 # The cache id has to include the product version that we are building because otherwise
 # docker encounters race conditions when building multiple versions in parallel, as all
 # builder containers will share the same cache and the `rm -rf` commands will fail

java-devel/Dockerfile

@@ -53,8 +53,6 @@ RUN microdnf update && \
     which \
     xz \
     zlib-devel \
-    # Required for log4shell.sh
-    unzip zip && \
     microdnf clean all && \
     rm -rf /var/cache/yum
 

omid/Dockerfile

@@ -49,24 +49,6 @@ if [ "${DELETE_CACHES}" = "true" ] ; then
 fi
 EOF
 
-# ===
-# For earlier versions this script removes the .class file that contains the
-# vulnerable code.
-# TODO: This can be restricted to target only versions which do not honor the environment
-#   varible that has been set above but this has not currently been implemented
-COPY shared/log4shell.sh /bin
-RUN /bin/log4shell.sh /stackable/omid-tso-server-${PRODUCT}-stackable${RELEASE}
-
-# Ensure no vulnerable files are left over
-# This will currently report vulnerable files being present, as it also alerts on
-# SocketNode.class, which we do not remove with our scripts.
-# Further investigation will be needed whether this should also be removed.
-COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
-COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
-COPY shared/log4shell_scanner /bin/log4shell_scanner
-RUN /bin/log4shell_scanner s /stackable/omid-tso-server-${PRODUCT}-stackable${RELEASE}
-# ===
-
 FROM stackable/image/java-base
 
 ARG PRODUCT

shared/log4j.txt

@@ -10,6 +10,9 @@ FROM python:3.12-slim-bullseye@sha256:229b2897e6b5c630d83a721e42dd1c96e3ec996323
 ARG PRODUCT
 ARG RELEASE
 ARG KEYCLOAK_VERSION
+ARG STACKABLE_USER_UID
+ARG STACKABLE_USER_GID
+ARG STACKABLE_USER_NAME
 
 LABEL name="Stackable Testing Tools" \
       maintainer="[email protected]" \
@@ -25,49 +28,54 @@ SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 # This is needed so that krb5-user installs without prompting for a realm.
 ENV DEBIAN_FRONTEND=noninteractive
 
-# krb5-user/libkrb5-dev are needed for Kerberos support.
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-        build-essential \
-        ca-certificates \
-        curl \
-        gzip \
-        jq \
-        krb5-user \
-        kubernetes-client \
-        libkrb5-dev \
-        libssl-dev \
-        libxml2-dev \
-        libxslt1-dev \
-        pkg-config \
-        python3-certifi \
-        python3-idna \
-        python3-semver \
-        python3-thrift \
-        python3-toml \
-        python3-urllib3 \
-        tar \
-        zip \
-        unzip \
-        # Java 11 seems like the best middle-ground for all tools
-        openjdk-11-jdk-headless && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
 
 COPY testing-tools/python /stackable/python
 COPY testing-tools/licenses /licenses
 
-ENV PATH=/stackable/keycloak/bin:$PATH
-RUN curl --fail -L https://repo.stackable.tech/repository/packages/keycloak/keycloak-${KEYCLOAK_VERSION}.tar.gz | tar -xzC /stackable && \
-    ln -s /stackable/keycloak-${KEYCLOAK_VERSION} /stackable/keycloak
+# krb5-user/libkrb5-dev are needed for Kerberos support.
+# Java 11 seems like the best middle-ground for all tools
+RUN <<EOF
+apt-get update
+apt-get install -y --no-install-recommends \
+  build-essential \
+  ca-certificates \
+  curl \
+  gzip \
+  jq \
+  krb5-user \
+  kubernetes-client \
+  libkrb5-dev \
+  libssl-dev \
+  libxml2-dev \
+  libxslt1-dev \
+  pkg-config \
+  python3-certifi \
+  python3-idna \
+  python3-semver \
+  python3-thrift \
+  python3-toml \
+  python3-urllib3 \
+  tar \
+  zip \
+  unzip \
+  openjdk-11-jdk-headless
+
+apt-get clean
+rm -rf /var/lib/apt/lists/*
 
-RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir -r /stackable/python/requirements.txt && \
-    groupadd -r stackable --gid=1000 && \
-    useradd -r -g stackable --uid=1000 stackable && \
-    chown -R stackable:stackable /stackable
+curl --fail -L https://repo.stackable.tech/repository/packages/keycloak/keycloak-${KEYCLOAK_VERSION}.tar.gz | tar -xzC /stackable
+ln -s /stackable/keycloak-${KEYCLOAK_VERSION} /stackable/keycloak
+
+pip install --no-cache-dir --upgrade pip
+pip install --no-cache-dir -r /stackable/python/requirements.txt
+groupadd -r ${STACKABLE_USER_NAME} --gid=${STACKABLE_USER_GID}
+useradd -r -g ${STACKABLE_USER_NAME} --uid=${STACKABLE_USER_UID} ${STACKABLE_USER_NAME}
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+EOF
+
+ENV PATH=/stackable/keycloak/bin:$PATH
 
-USER stackable
+USER ${STACKABLE_USER_UID}
 
 ENV STACKABLE_PRODUCT_VERSION=${PRODUCT}