From ffc48b4fae6794c9208e1a2c222227855f8dd878 Mon Sep 17 00:00:00 2001
From: Ryan Melton
Date: Thu, 14 Dec 2023 11:28:08 -0700
Subject: [PATCH 1/3] run all containers as non-root
---
 compose-ubi.yaml | 24 ++++++++++--------------
 compose.yaml | 24 ++++++++++--------------
 openc3-minio/Dockerfile | 7 +++++++
 openc3-redis/Dockerfile | 11 ++++++++++-
 openc3-redis/docker-entrypoint.sh | 15 +++++++++++++++
 openc3-ruby/Dockerfile | 4 ++--
 openc3-ruby/Dockerfile-ubi | 4 ++--
 openc3-traefik/Dockerfile | 16 +++++++++++++---
 openc3-traefik/Dockerfile-dev | 16 +++++++++++++---
 openc3-traefik/Dockerfile-dev-base | 16 +++++++++++++---
 10 files changed, 95 insertions(+), 42 deletions(-)
 create mode 100644 openc3-redis/docker-entrypoint.sh
diff --git a/compose-ubi.yaml b/compose-ubi.yaml
index 8a1d4c47c6..d38c798bbc 100644
--- a/compose-ubi.yaml
+++ b/compose-ubi.yaml
@@ -28,12 +28,13 @@ networks:
 services:
 openc3-minio:
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-minio:${OPENC3_TAG}"
 # Uncomment to run unit tests against the minio server
 # ports:
 # - "127.0.0.1:9000:9000"
 volumes:
- - "openc3-minio-v:/data"
+ - "openc3-bucket-v:/data"
 - "./cacert.pem:/devel/cacert.pem:z"
 command: server --address ":9000" --console-address ":9001" /data
 restart: "unless-stopped"
@@ -55,6 +56,7 @@ services:
 NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 openc3-redis:
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-redis:${OPENC3_TAG}"
 volumes:
 - "openc3-redis-v:/data"
@@ -73,6 +75,7 @@ services:
 NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 openc3-redis-ephemeral:
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-redis:${OPENC3_TAG}"
 volumes:
 - "openc3-redis-ephemeral-v:/data"
@@ -92,9 +95,7 @@ services:
 NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 openc3-cosmos-cmd-tlm-api:
- # For rootless podman - Uncomment this user line and comment out the next
- # user: 0:0
- user: "${OPENC3_USER_ID:-1000}:${OPENC3_GROUP_ID:-1000}"
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-cosmos-cmd-tlm-api:${OPENC3_TAG}"
 restart: "unless-stopped"
 depends_on:
@@ -123,9 +124,7 @@ services:
 - ".env"
 openc3-cosmos-script-runner-api:
- # For rootless podman - Uncomment this user line and comment out the next
- # user: 0:0
- user: "${OPENC3_USER_ID:-1000}:${OPENC3_GROUP_ID:-1000}"
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-cosmos-script-runner-api:${OPENC3_TAG}"
 restart: "unless-stopped"
 depends_on:
@@ -158,9 +157,7 @@ services:
 - ".env"
 openc3-operator:
- # For rootless podman - Uncomment this user line and comment out the next
- # user: 0:0
- user: "${OPENC3_USER_ID:-1000}:${OPENC3_GROUP_ID:-1000}"
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-operator:${OPENC3_TAG}"
 restart: "unless-stopped"
 # ports:
@@ -194,6 +191,7 @@ services:
 - host.docker.internal:host-gateway
 openc3-traefik:
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-traefik:${OPENC3_TAG}"
 volumes:
 - "./cacert.pem:/devel/cacert.pem:z"
@@ -225,9 +223,7 @@ services:
 NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 openc3-cosmos-init:
- # For rootless podman - Uncomment this user line and comment out the next
- # user: 0:0
- user: "${OPENC3_USER_ID:-1000}:${OPENC3_GROUP_ID:-1000}"
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-cosmos-init:${OPENC3_TAG}"
 restart: on-failure
 depends_on:
@@ -259,5 +255,5 @@ services:
 volumes:
 openc3-redis-v: {}
 openc3-redis-ephemeral-v: {}
- openc3-minio-v: {}
+ openc3-bucket-v: {}
 openc3-gems-v: {}
diff --git a/compose.yaml b/compose.yaml
index 1d71e4191e..ae1e597605 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -28,12 +28,13 @@ networks:
 services:
 openc3-minio:
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-minio${OPENC3_IMAGE_SUFFIX}:${OPENC3_TAG}"
 # Uncomment to run unit tests against the minio server
 # ports:
 # - "127.0.0.1:9000:9000"
 volumes:
- - "openc3-minio-v:/data"
+ - "openc3-bucket-v:/data"
 - "./cacert.pem:/devel/cacert.pem:z"
 command: server --address ":9000" --console-address ":9001" /data
 restart: "unless-stopped"
@@ -55,6 +56,7 @@ services:
 NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 openc3-redis:
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-redis${OPENC3_IMAGE_SUFFIX}:${OPENC3_TAG}"
 volumes:
 - "openc3-redis-v:/data"
@@ -73,6 +75,7 @@ services:
 NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 openc3-redis-ephemeral:
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-redis${OPENC3_IMAGE_SUFFIX}:${OPENC3_TAG}"
 volumes:
 - "openc3-redis-ephemeral-v:/data"
@@ -92,9 +95,7 @@ services:
 NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 openc3-cosmos-cmd-tlm-api:
- # For rootless podman - Uncomment this user line and comment out the next
- # user: 0:0
- user: "${OPENC3_USER_ID:-1000}:${OPENC3_GROUP_ID:-1000}"
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-cosmos-cmd-tlm-api${OPENC3_IMAGE_SUFFIX}:${OPENC3_TAG}"
 restart: "unless-stopped"
 depends_on:
@@ -123,9 +124,7 @@ services:
 - ".env"
 openc3-cosmos-script-runner-api:
- # For rootless podman - Uncomment this user line and comment out the next
- # user: 0:0
- user: "${OPENC3_USER_ID:-1000}:${OPENC3_GROUP_ID:-1000}"
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-cosmos-script-runner-api${OPENC3_IMAGE_SUFFIX}:${OPENC3_TAG}"
 restart: "unless-stopped"
 depends_on:
@@ -158,9 +157,7 @@ services:
 - ".env"
 openc3-operator:
- # For rootless podman - Uncomment this user line and comment out the next
- # user: 0:0
- user: "${OPENC3_USER_ID:-1000}:${OPENC3_GROUP_ID:-1000}"
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-operator${OPENC3_IMAGE_SUFFIX}:${OPENC3_TAG}"
 restart: "unless-stopped"
 # ports:
@@ -194,6 +191,7 @@ services:
 - host.docker.internal:host-gateway
 openc3-traefik:
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-traefik${OPENC3_IMAGE_SUFFIX}:${OPENC3_TAG}"
 volumes:
 - "./cacert.pem:/devel/cacert.pem:z"
@@ -225,9 +223,7 @@ services:
 NODE_EXTRA_CA_CERTS: "/devel/cacert.pem"
 openc3-cosmos-init:
- # For rootless podman - Uncomment this user line and comment out the next
- # user: 0:0
- user: "${OPENC3_USER_ID:-1000}:${OPENC3_GROUP_ID:-1000}"
+ user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-cosmos-init${OPENC3_IMAGE_SUFFIX}:${OPENC3_TAG}"
 restart: on-failure
 depends_on:
@@ -259,5 +255,5 @@ services:
 volumes:
 openc3-redis-v: {}
 openc3-redis-ephemeral-v: {}
- openc3-minio-v: {}
+ openc3-bucket-v: {}
 openc3-gems-v: {}
diff --git a/openc3-minio/Dockerfile b/openc3-minio/Dockerfile
index 46de1b5a38..cbf2294d4d 100644
--- a/openc3-minio/Dockerfile
+++ b/openc3-minio/Dockerfile
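Review bot: The `user:` keys in this and the earlier compose.yaml hunks replace the `# For rootless podman` guidance with a bare default, so the file no longer says what `OPENC3_USER_ID`/`OPENC3_GROUP_ID` have to match for the bind mounts (`./plugins`, `./openc3-redis/users.acl`, `./cacert.pem`) to be readable and, for plugins, writable by the container. A one-line comment above the first `user:` key would keep that knowledge in the file, e.g. `# Runtime UID:GID for every service; set OPENC3_USER_ID/OPENC3_GROUP_ID to the owner of the bind-mounted paths (rootless podman previously used 0:0)`. For the `openc3-traefik` service in the @@ -194 hunk, running as 1001 means the proxy binds its entry points inside the container unprivileged; whether it can still take :80/:443 (the compose port mappings target 80 and 443) depends on the runtime's unprivileged-port sysctl, so that is worth checking on each supported engine rather than assuming Docker's default. The compose-ubi.yaml hunks earlier in this patch have the same gap, though that file is deleted in 2/3.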
@@ -14,4 +14,11 @@ ENV NODE_EXTRA_CA_CERTS=/devel/cacert.pem
 # Update packages to eliminate CVEs if we're on docker.io (not ironbank)
 RUN if [[ $OPENC3_DEPENDENCY_REGISTRY == 'docker.io' ]]; then \
 microdnf update --nodocs -y && microdnf clean all; \
+ groupadd -g 1001 minio; \
+ useradd -r -u 1001 -m -g minio minio; \
 fi
+
+RUN mkdir -p /data && chown 1001:1001 /data
+RUN ["chmod", "-R", "777", "/data/"]
+
+USER 1001
diff --git a/openc3-redis/Dockerfile b/openc3-redis/Dockerfile
index a1a53e015b..ee0d857d82 100644
--- a/openc3-redis/Dockerfile
+++ b/openc3-redis/Dockerfile
@@ -16,8 +16,13 @@ ENV REQUESTS_CA_BUNDLE=/devel/cacert.pem
 ENV NODE_EXTRA_CA_CERTS=/devel/cacert.pem
 USER root
+
 # Update packages to eliminate CVEs if we're on docker.io (not ironbank)
 RUN if [[ $OPENC3_DEPENDENCY_REGISTRY == 'docker.io' ]]; then \
+ # add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
+ set -eux; \
+ groupadd -r -g 1001 redis; \
+ useradd -r -g redis -u 1001 redis; \
 apt update && apt upgrade -y; \
 fi
@@ -25,8 +30,12 @@ RUN mkdir /config
 COPY redis.conf /config/.
 COPY redis_ephemeral.conf /config/.
 COPY users.acl /config/.
+COPY --chmod=0755 ./docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+RUN mkdir -p /data && chown 1001:1001 /data
+RUN ["chmod", "-R", "777", "/data/"]
 EXPOSE 3680
-USER redis
+USER 1001
 CMD [ "redis-server", "/config/redis.conf" ]
diff --git a/openc3-redis/docker-entrypoint.sh b/openc3-redis/docker-entrypoint.sh
new file mode 100644
index 0000000000..7eeb264dde
--- /dev/null
+++ b/openc3-redis/docker-entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -e
+
+# first arg is `-f` or `--some-option`
+# or first arg is `something.conf`
+if [ "${1#-}" != "$1" ] || [ "${1%.conf}" != "$1" ]; then
+ set -- redis-server "$@"
+fi
+
+um="$(umask)"
+if [ "$um" = '0022' ]; then
+ umask 0077
+fi
+
+exec "$@"
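Review bot: `RUN ["chmod", "-R", "777", "/data/"]` makes the bucket root world-writable immediately after `chown 1001:1001 /data`, which gives up most of what running as a non-root UID buys: any UID that ends up in the container can write or replace bucket objects, and a named volume first seeded from this layer inherits the mode. If the 777 exists because compose may override the UID through `OPENC3_USER_ID`, record that in a comment and narrow it (`chmod 770` with the override expected to share GID 1001, or require the override to match 1001:1001); the same two lines recur in openc3-redis/Dockerfile in this patch and in 3/3. Separately, `USER 1001` is unconditional while `groupadd`/`useradd` run only on the docker.io branch, and a numeric UID with no passwd entry is run with GID 0, so pin the group explicitly: `USER 1001:1001` here and in openc3-redis/Dockerfile, and `USER ${USER_ID}:${GROUP_ID}` (as the replaced line already had) in the three openc3-traefik Dockerfiles.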
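Review bot: The replaced `USER redis` line further down in this file indicates the base image already ships a `redis` user and group, so on the docker.io branch `groupadd -r -g 1001 redis` and `useradd -r -g redis -u 1001 redis` will most likely fail with "already exists" and, under the new `set -eux`, abort the build. If the intent is to move the existing account onto the compose default, remap it instead: `groupmod -g 1001 redis; usermod -u 1001 -g 1001 redis; \`. The `set -eux` sits inside the branch, so only this block is traced into the build log, which is fine but worth stating in the comment above it.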
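Review bot: The hunk installs `/usr/local/bin/docker-entrypoint.sh` but adds no `ENTRYPOINT`, so the umask tightening in the new script only takes effect if the base image already declares that exact path as its entrypoint; that appears to hold for the docker.io redis image, and is not guaranteed for the other base. An explicit `ENTRYPOINT ["docker-entrypoint.sh"]` after the COPY removes the dependency on the base image. `COPY --chmod` is also a BuildKit-only flag, worth a comment if any build path still uses the legacy builder.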
diff --git a/openc3-ruby/Dockerfile b/openc3-ruby/Dockerfile
index 8058387d89..4effc88ed5 100644
--- a/openc3-ruby/Dockerfile
+++ b/openc3-ruby/Dockerfile
@@ -75,8 +75,8 @@ RUN apk update \
 # Set user and group
 ENV IMAGE_USER=openc3
 ENV IMAGE_GROUP=openc3
-ENV USER_ID=1000
-ENV GROUP_ID=1000
+ENV USER_ID=1001
+ENV GROUP_ID=1001
 RUN addgroup -g ${GROUP_ID} -S ${IMAGE_GROUP}
 RUN adduser -u ${USER_ID} -G ${IMAGE_GROUP} -s /bin/ash -S ${IMAGE_USER}
diff --git a/openc3-ruby/Dockerfile-ubi b/openc3-ruby/Dockerfile-ubi
index c47b898aac..ba218225fd 100644
--- a/openc3-ruby/Dockerfile-ubi
+++ b/openc3-ruby/Dockerfile-ubi
@@ -77,8 +77,8 @@ RUN gem update uri --default \
 # Set user and group
 ENV IMAGE_USER=openc3
 ENV IMAGE_GROUP=openc3
-ENV USER_ID=1000
-ENV GROUP_ID=1000
+ENV USER_ID=1001
+ENV GROUP_ID=1001
 RUN groupadd -g ${GROUP_ID} ${IMAGE_GROUP}
 RUN useradd -u ${USER_ID} -g ${IMAGE_GROUP} -s /bin/sh ${IMAGE_USER}
diff --git a/openc3-traefik/Dockerfile b/openc3-traefik/Dockerfile
index 48c2e9dce0..ec1063abdb 100644
--- a/openc3-traefik/Dockerfile
+++ b/openc3-traefik/Dockerfile
@@ -1,5 +1,5 @@
 ARG OPENC3_DEPENDENCY_REGISTRY=docker.io
-FROM ${OPENC3_DEPENDENCY_REGISTRY}/traefik:v2.10.7
+FROM ${OPENC3_DEPENDENCY_REGISTRY}/traefik:v2.10.6
 # An ARG declared before a FROM is outside of a build stage, so it can’t be
 # used in any instruction after a FROM. So we need to re-ARG OPENC3_DEPENDENCY_REGISTRY
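Review bot: `USER_ID`/`GROUP_ID` move from 1000 to 1001 here (and in openc3-ruby/Dockerfile-ubi and the three openc3-traefik Dockerfiles), which changes the owner every derived image writes as; existing deployments have `openc3-gems-v`, the redis and bucket volumes, and anything under the bind-mounted `./plugins` populated by UID 1000, and those files will not be writable after an in-place upgrade. That deserves an upgrade note (a one-off `chown` of the volumes) and a comment tying the constants together, e.g. `# Must match the OPENC3_USER_ID/OPENC3_GROUP_ID defaults in compose.yaml`. Nothing in the hunk itself guards against the two values drifting apart, so the comment is the only link between them.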
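Review bot: `FROM ${OPENC3_DEPENDENCY_REGISTRY}/traefik:v2.10.6` is a step back from the v2.10.7 pin that was here, which has nothing to do with running as non-root and is not mentioned in the commit message; silently rolling back the edge proxy's base image forfeits whatever fixes the newer patch release carried. If v2.10.7 is not available in one of the registries, say so next to the pin (`# pinned to v2.10.6: <reason placeholder>` with the real reason filled in); otherwise restore v2.10.7. The same rollback is in openc3-traefik/Dockerfile-dev and openc3-traefik/Dockerfile-dev-base.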
@@ -17,9 +17,19 @@ EXPOSE 80
 # This default config needs to be removed for traefik to use our custom config instead
 USER root
 RUN rm /etc/traefik/traefik.toml || true
-USER ${USER_ID}:${GROUP_ID}
-# Update packages to eliminate CVEs if we're on docker.io (not ironbank)
+# Set user and group
+ENV IMAGE_USER=openc3
+ENV IMAGE_GROUP=openc3
+ENV USER_ID=1001
+ENV GROUP_ID=1001
+
+# Create non-root user and update packages if we're on docker.io (not ironbank)
 RUN if [[ $OPENC3_DEPENDENCY_REGISTRY == 'docker.io' ]]; then \
+ addgroup -g ${GROUP_ID} -S ${IMAGE_GROUP}; \
+ adduser -u ${USER_ID} -G ${IMAGE_GROUP} -s /bin/ash -S ${IMAGE_USER}; \
 apk update && apk upgrade; \
 fi
+
+# Switch to user
+USER ${USER_ID}
diff --git a/openc3-traefik/Dockerfile-dev b/openc3-traefik/Dockerfile-dev
index d92e4700a7..32a25921a0 100644
--- a/openc3-traefik/Dockerfile-dev
+++ b/openc3-traefik/Dockerfile-dev
@@ -1,5 +1,5 @@
 ARG OPENC3_DEPENDENCY_REGISTRY=docker.io
-FROM ${OPENC3_DEPENDENCY_REGISTRY}/traefik:v2.10.7
+FROM ${OPENC3_DEPENDENCY_REGISTRY}/traefik:v2.10.6
 # An ARG declared before a FROM is outside of a build stage, so it can’t be
 # used in any instruction after a FROM. So we need to re-ARG OPENC3_DEPENDENCY_REGISTRY
@@ -17,9 +17,19 @@ EXPOSE 80
 # This default config needs to be removed for traefik to use our custom config instead
 USER root
 RUN rm /etc/traefik/traefik.toml || true
-USER ${USER_ID}:${GROUP_ID}
-# Update packages to eliminate CVEs if we're on docker.io (not ironbank)
+# Set user and group
+ENV IMAGE_USER=openc3
+ENV IMAGE_GROUP=openc3
+ENV USER_ID=1001
+ENV GROUP_ID=1001
+
+# Create non-root user and update packages if we're on docker.io (not ironbank)
 RUN if [[ $OPENC3_DEPENDENCY_REGISTRY == 'docker.io' ]]; then \
+ addgroup -g ${GROUP_ID} -S ${IMAGE_GROUP}; \
+ adduser -u ${USER_ID} -G ${IMAGE_GROUP} -s /bin/ash -S ${IMAGE_USER}; \
 apk update && apk upgrade; \
 fi
+
+# Switch to user
+USER ${USER_ID}
diff --git a/openc3-traefik/Dockerfile-dev-base b/openc3-traefik/Dockerfile-dev-base
index 7aceacfcf3..14afbf7a36 100644
--- a/openc3-traefik/Dockerfile-dev-base
+++ b/openc3-traefik/Dockerfile-dev-base
@@ -1,5 +1,5 @@
 ARG OPENC3_DEPENDENCY_REGISTRY=docker.io
-FROM ${OPENC3_DEPENDENCY_REGISTRY}/traefik:v2.10.7
+FROM ${OPENC3_DEPENDENCY_REGISTRY}/traefik:v2.10.6
 # An ARG declared before a FROM is outside of a build stage, so it can’t be
 # used in any instruction after a FROM. So we need to re-ARG OPENC3_DEPENDENCY_REGISTRY
@@ -17,9 +17,19 @@ EXPOSE 80
 # This default config needs to be removed for traefik to use our custom config instead
 USER root
 RUN rm /etc/traefik/traefik.toml || true
-USER ${USER_ID}:${GROUP_ID}
-# Update packages to eliminate CVEs if we're on docker.io (not ironbank)
+# Set user and group
+ENV IMAGE_USER=openc3
+ENV IMAGE_GROUP=openc3
+ENV USER_ID=1001
+ENV GROUP_ID=1001
+
+# Create non-root user and update packages if we're on docker.io (not ironbank)
 RUN if [[ $OPENC3_DEPENDENCY_REGISTRY == 'docker.io' ]]; then \
+ addgroup -g ${GROUP_ID} -S ${IMAGE_GROUP}; \
+ adduser -u ${USER_ID} -G ${IMAGE_GROUP} -s /bin/ash -S ${IMAGE_USER}; \
 apk update && apk upgrade; \
 fi
+
+# Switch to user
+USER ${USER_ID}
From b3e389799e4fe16bde82f3cd9e0e344e64439906 Mon Sep 17 00:00:00 2001
From: Ryan Melton
Date: Fri, 15 Dec 2023 08:27:22 -0700
Subject: [PATCH 2/3] continue no-root
---
 compose-ubi.yaml | 259 -----------------------------------------------
 openc3.sh | 6 --
 2 files changed, 265 deletions(-)
 delete mode 100644 compose-ubi.yaml
diff --git a/compose-ubi.yaml b/compose-ubi.yaml
deleted file mode 100644
index d38c798bbc..0000000000
--- a/compose-ubi.yaml
+++ /dev/null
@@ -1,259 +0,0 @@ -# encoding: ascii-8bit - -# Copyright 2022 Ball Aerospace & Technologies Corp. -# All Rights Reserved. -# -# This program is free software; you can modify and/or redistribute it -# under the terms of the GNU Affero General Public License -# as published by the Free Software Foundation; version 3 with -# attribution addendums as found in the LICENSE.txt -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. - -# Modified by OpenC3, Inc. -# All changes Copyright 2023, OpenC3, Inc. -# All Rights Reserved -# -# This file may also be used under the terms of a commercial license -# if purchased from OpenC3, Inc. - -version: "3.5" - -networks: - default: - name: openc3-cosmos-network - -services: - openc3-minio: - user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}" - image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-minio:${OPENC3_TAG}" - # Uncomment to run unit tests against the minio server - # ports: - # - "127.0.0.1:9000:9000" - volumes: - - "openc3-bucket-v:/data" - - "./cacert.pem:/devel/cacert.pem:z" - command: server --address ":9000" --console-address ":9001" /data - restart: "unless-stopped" - logging: - driver: "json-file" - options: - max-size: "10m" - max-file: "3" - environment: - MINIO_ROOT_USER: "${OPENC3_BUCKET_USERNAME}" - MINIO_ROOT_PASSWORD: "${OPENC3_BUCKET_PASSWORD}" - # Domain doesn't really matter but it's required. We really want the /minio path. 
- # This is handled by our traefik configuration via rule: PathPrefix(`/minio`) - # and forwarded on to the console at http://openc3-minio:9001 - MINIO_BROWSER_REDIRECT_URL: "http://openc3.com/minio" - SSL_CERT_FILE: "/devel/cacert.pem" - CURL_CA_BUNDLE: "/devel/cacert.pem" - REQUESTS_CA_BUNDLE: "/devel/cacert.pem" - NODE_EXTRA_CA_CERTS: "/devel/cacert.pem" - - openc3-redis: - user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}" - image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-redis:${OPENC3_TAG}" - volumes: - - "openc3-redis-v:/data" - - "./cacert.pem:/devel/cacert.pem:z" - - "./openc3-redis/users.acl:/config/users.acl:z" - restart: "unless-stopped" - logging: - driver: "json-file" - options: - max-size: "10m" - max-file: "3" - environment: - SSL_CERT_FILE: "/devel/cacert.pem" - CURL_CA_BUNDLE: "/devel/cacert.pem" - REQUESTS_CA_BUNDLE: "/devel/cacert.pem" - NODE_EXTRA_CA_CERTS: "/devel/cacert.pem" - - openc3-redis-ephemeral: - user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}" - image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-redis:${OPENC3_TAG}" - volumes: - - "openc3-redis-ephemeral-v:/data" - - "./cacert.pem:/devel/cacert.pem:z" - - "./openc3-redis/users.acl:/config/users.acl:z" - restart: "unless-stopped" - command: ["redis-server", "/config/redis_ephemeral.conf"] - logging: - driver: "json-file" - options: - max-size: "10m" - max-file: "3" - environment: - SSL_CERT_FILE: "/devel/cacert.pem" - CURL_CA_BUNDLE: "/devel/cacert.pem" - REQUESTS_CA_BUNDLE: "/devel/cacert.pem" - NODE_EXTRA_CA_CERTS: "/devel/cacert.pem" - - openc3-cosmos-cmd-tlm-api: - user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}" - image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-cosmos-cmd-tlm-api:${OPENC3_TAG}" - restart: "unless-stopped" - depends_on: - - "openc3-redis" - - "openc3-redis-ephemeral" - - "openc3-minio" - volumes: - - "openc3-gems-v:/gems" - - "./plugins:/plugins:z" - - "./cacert.pem:/devel/cacert.pem:z" - logging: - driver: "json-file" - 
options: - max-size: "10m" - max-file: "3" - environment: - RAILS_ENV: "production" - GEM_HOME: "/gems" - PYTHONUSERBASE: "/gems/python_packages" - OPENC3_REDIS_USERNAME: "${OPENC3_REDIS_USERNAME}" - OPENC3_REDIS_PASSWORD: "${OPENC3_REDIS_PASSWORD}" - OPENC3_BUCKET_USERNAME: "${OPENC3_BUCKET_USERNAME}" - OPENC3_BUCKET_PASSWORD: "${OPENC3_BUCKET_PASSWORD}" - OPENC3_SERVICE_PASSWORD: "${OPENC3_SERVICE_PASSWORD}" - env_file: - - ".env" - - openc3-cosmos-script-runner-api: - user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}" - image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-cosmos-script-runner-api:${OPENC3_TAG}" - restart: "unless-stopped" - depends_on: - - "openc3-redis" - - "openc3-redis-ephemeral" - - "openc3-minio" - volumes: - - "openc3-gems-v:/gems:ro" - - "./plugins:/plugins:z" - - "./cacert.pem:/devel/cacert.pem:z" - logging: - driver: "json-file" - options: - max-size: "10m" - max-file: "3" - environment: - RAILS_ENV: "production" - GEM_HOME: "/gems" - PYTHONUSERBASE: "/gems/python_packages" - OPENC3_REDIS_USERNAME: "${OPENC3_REDIS_USERNAME}" - OPENC3_REDIS_PASSWORD: "${OPENC3_REDIS_PASSWORD}" - OPENC3_BUCKET_USERNAME: "${OPENC3_BUCKET_USERNAME}" - OPENC3_BUCKET_PASSWORD: "${OPENC3_BUCKET_PASSWORD}" - OPENC3_SR_REDIS_USERNAME: "${OPENC3_SR_REDIS_USERNAME}" - OPENC3_SR_REDIS_PASSWORD: "${OPENC3_SR_REDIS_PASSWORD}" - OPENC3_SR_BUCKET_USERNAME: "${OPENC3_SR_BUCKET_USERNAME}" - OPENC3_SR_BUCKET_PASSWORD: "${OPENC3_SR_BUCKET_PASSWORD}" - OPENC3_SERVICE_PASSWORD: "${OPENC3_SERVICE_PASSWORD}" - env_file: - - ".env" - - openc3-operator: - user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}" - image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-operator:${OPENC3_TAG}" - restart: "unless-stopped" - # ports: - # - "127.0.0.1:7779:7779" # Open port for the demo router - depends_on: - - "openc3-redis" - - "openc3-redis-ephemeral" - - "openc3-minio" - volumes: - - "openc3-gems-v:/gems:ro" - - "./plugins:/plugins:z" - - "./cacert.pem:/devel/cacert.pem:z" - 
# Add access to the entire C drive on Windows - # - "/c:/c" - logging: - driver: "json-file" - options: - max-size: "10m" - max-file: "3" - environment: - GEM_HOME: "/gems" - PYTHONUSERBASE: "/gems/python_packages" - OPENC3_REDIS_USERNAME: "${OPENC3_REDIS_USERNAME}" - OPENC3_REDIS_PASSWORD: "${OPENC3_REDIS_PASSWORD}" - OPENC3_BUCKET_USERNAME: "${OPENC3_BUCKET_USERNAME}" - OPENC3_BUCKET_PASSWORD: "${OPENC3_BUCKET_PASSWORD}" - OPENC3_SERVICE_PASSWORD: "${OPENC3_SERVICE_PASSWORD}" - env_file: - - ".env" - extra_hosts: - - host.docker.internal:host-gateway - - openc3-traefik: - user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}" - image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-traefik:${OPENC3_TAG}" - volumes: - - "./cacert.pem:/devel/cacert.pem:z" - - "./openc3-traefik/traefik.yaml:/etc/traefik/traefik.yaml:z" - # - "./openc3-traefik/traefik-allow-http.yaml:/etc/traefik/traefik.yaml:z" - # - "./openc3-traefik/traefik-ssl.yaml:/etc/traefik/traefik.yaml:z" - # - "./openc3-traefik/traefik-letsencrypt.yaml:/etc/traefik/traefik.yaml:z" - # - "./openc3-traefik/cert.key:/etc/traefik/cert.key:z" - # - "./openc3-traefik/cert.crt:/etc/traefik/cert.crt:z" - ports: - - "127.0.0.1:2900:80" - - "127.0.0.1:2943:443" - # - "80:80" - # - "443:443" - restart: "unless-stopped" - depends_on: - - "openc3-redis" - - "openc3-redis-ephemeral" - - "openc3-minio" - logging: - driver: "json-file" - options: - max-size: "10m" - max-file: "3" - environment: - SSL_CERT_FILE: "/devel/cacert.pem" - CURL_CA_BUNDLE: "/devel/cacert.pem" - REQUESTS_CA_BUNDLE: "/devel/cacert.pem" - NODE_EXTRA_CA_CERTS: "/devel/cacert.pem" - - openc3-cosmos-init: - user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}" - image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-cosmos-init:${OPENC3_TAG}" - restart: on-failure - depends_on: - - "openc3-traefik" - - "openc3-redis" - - "openc3-redis-ephemeral" - - "openc3-minio" - volumes: - - "openc3-gems-v:/gems" - - "./plugins:/plugins:z" - - 
"./cacert.pem:/devel/cacert.pem:z"
- logging:
- driver: "json-file"
- options:
- max-size: "10m"
- max-file: "3"
- environment:
- GEM_HOME: "/gems"
- PYTHONUSERBASE: "/gems/python_packages"
- OPENC3_REDIS_USERNAME: "${OPENC3_REDIS_USERNAME}"
- OPENC3_REDIS_PASSWORD: "${OPENC3_REDIS_PASSWORD}"
- OPENC3_BUCKET_USERNAME: "${OPENC3_BUCKET_USERNAME}"
- OPENC3_BUCKET_PASSWORD: "${OPENC3_BUCKET_PASSWORD}"
- OPENC3_SR_BUCKET_USERNAME: "${OPENC3_SR_BUCKET_USERNAME}"
- OPENC3_SR_BUCKET_PASSWORD: "${OPENC3_SR_BUCKET_PASSWORD}"
- env_file:
- - ".env"
-
-volumes:
- openc3-redis-v: {}
- openc3-redis-ephemeral-v: {}
- openc3-bucket-v: {}
- openc3-gems-v: {}
diff --git a/openc3.sh b/openc3.sh
index 0a488e3d03..709bb19c96 100755
--- a/openc3.sh
+++ b/openc3.sh
@@ -127,15 +127,9 @@ case $1 in
 set +a
 ;;
 run )
- # Redis config must be world readable - Remove this after fixing Redis process user-id
- umask 0022
- chmod +r openc3-redis/*
 ${DOCKER_COMPOSE_COMMAND} -f compose.yaml up -d
 ;;
 run-ubi )
- # Redis config must be world readable - Remove this after fixing Redis process user-id
- umask 0022
- chmod +r openc3-redis/*
 OPENC3_IMAGE_SUFFIX=-ubi ${DOCKER_COMPOSE_COMMAND} -f compose.yaml up -d
 ;;
 dev )
From a6dd6fc1274c2e53dc85202baf4827297c2c0b60 Mon Sep 17 00:00:00 2001
From: Ryan Melton
Date: Fri, 15 Dec 2023 15:07:15 -0700
Subject: [PATCH 3/3] proper redis volume mount for ubi
---
 compose.yaml | 4 ++--
 openc3-redis/Dockerfile | 2 ++
 openc3.sh | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/compose.yaml b/compose.yaml
index ae1e597605..5053259b22 100644
--- a/compose.yaml
+++ b/compose.yaml
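Review bot: Dropping `umask 0022` and `chmod +r openc3-redis/*` is the right direction (`users.acl` carries the Redis credentials and should not be world-readable), but the `run` and `run-ubi` branches now rely silently on the container UID (`OPENC3_USER_ID`, default 1001) being able to read the bind-mounted `./openc3-redis/users.acl`; on a checkout owned by a different UID with 0600 files Redis is likely to refuse to start on the ACL file and nothing here says why. A comment in place of the removed one would preserve the requirement, e.g. `# Containers run as OPENC3_USER_ID (default 1001); openc3-redis/users.acl must be readable by that UID - keep it 0640 owned by that user/group, not world-readable`. The enclosing `case` statement starts and ends outside the hunk.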
@@ -59,7 +59,7 @@ services:
 user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-redis${OPENC3_IMAGE_SUFFIX}:${OPENC3_TAG}"
 volumes:
- - "openc3-redis-v:/data"
+ - "openc3-redis-v:${OPENC3_REDIS_VOLUME:-/data}"
 - "./cacert.pem:/devel/cacert.pem:z"
 - "./openc3-redis/users.acl:/config/users.acl:z"
 restart: "unless-stopped"
@@ -78,7 +78,7 @@ services:
 user: "${OPENC3_USER_ID:-1001}:${OPENC3_GROUP_ID:-1001}"
 image: "${OPENC3_REGISTRY}/${OPENC3_NAMESPACE}/openc3-redis${OPENC3_IMAGE_SUFFIX}:${OPENC3_TAG}"
 volumes:
- - "openc3-redis-ephemeral-v:/data"
+ - "openc3-redis-ephemeral-v:${OPENC3_REDIS_VOLUME:-/data}"
 - "./cacert.pem:/devel/cacert.pem:z"
 - "./openc3-redis/users.acl:/config/users.acl:z"
 restart: "unless-stopped"
diff --git a/openc3-redis/Dockerfile b/openc3-redis/Dockerfile
index ee0d857d82..9783d03b27 100644
--- a/openc3-redis/Dockerfile
+++ b/openc3-redis/Dockerfile
@@ -34,6 +34,8 @@ COPY --chmod=0755 ./docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 RUN mkdir -p /data && chown 1001:1001 /data
 RUN ["chmod", "-R", "777", "/data/"]
+RUN mkdir -p /home/data && chown 1001:1001 /home/data
+RUN ["chmod", "-R", "777", "/home/data/"]
 EXPOSE 3680
 USER 1001
diff --git a/openc3.sh b/openc3.sh
index 709bb19c96..a8789d3cb2 100755
--- a/openc3.sh
+++ b/openc3.sh
@@ -130,7 +130,7 @@ case $1 in
 ${DOCKER_COMPOSE_COMMAND} -f compose.yaml up -d
 ;;
 run-ubi )
- OPENC3_IMAGE_SUFFIX=-ubi ${DOCKER_COMPOSE_COMMAND} -f compose.yaml up -d
+ OPENC3_IMAGE_SUFFIX=-ubi OPENC3_REDIS_VOLUME=/home/data ${DOCKER_COMPOSE_COMMAND} -f compose.yaml up -d
 ;;
 dev )
 ${DOCKER_COMPOSE_COMMAND} -f compose.yaml -f compose-dev.yaml up -d
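Review bot: The new `/home/data` directory duplicates `/data` (same `chown 1001:1001`, same world-writable `chmod -R 777`) without saying why a second path exists; from the `OPENC3_REDIS_VOLUME=/home/data` added to openc3.sh's `run-ubi` branch it is evidently the volume mount point for the UBI build, and that should be recorded next to it: `# UBI builds mount the redis volume at /home/data (OPENC3_REDIS_VOLUME in openc3.sh); /data serves the docker.io build`. Which path Redis actually persists to is set by the `dir` directive in redis.conf / redis_ephemeral.conf, which this series does not touch, so if those still point at /data the UBI container writes its dump into the container filesystem rather than the `openc3-redis-v` volume now mounted at /home/data; worth verifying before merge. The 777 here carries the same concern as the one on /data earlier in the series.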