From dc8a38af12fdd72febc5de07c731e6b1e3a991ea Mon Sep 17 00:00:00 2001
From: Ivan Chvets
Date: Wed, 14 Jun 2023 19:38:34 -0400
Subject: [PATCH] fix: updated rock with new non-root user config

https://github.com/canonical/seldon-core-operator/issues/133
Summary of changes:
- Updated rockcraft.yaml with new run-user option to run as non-root.
- Updated import procedure.
---
 seldon-core-operator/rockcraft.yaml | 14 +-------------
 seldon-core-operator/tox.ini | 2 +-
 2 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/seldon-core-operator/rockcraft.yaml b/seldon-core-operator/rockcraft.yaml
index 8d8042c..ffed807 100644
--- a/seldon-core-operator/rockcraft.yaml
+++ b/seldon-core-operator/rockcraft.yaml
@@ -14,12 +14,12 @@ version: v1.15.0_22.04_1 # version format: __
 license: Apache-2.0
 build-base: ubuntu:22.04
 base: bare
+run-user: _daemon_
 services:
 seldon-core:
 override: replace
 summary: "seldon-core service"
 startup: enabled
- user: ubuntu
 command: "/manager --enable-leader-election --webhook-port 4443"
 platforms:
 amd64:
@@ -99,18 +99,6 @@ parts:
 wget -qO mitchellh-gox.tar.gz https://github.com/mitchellh/gox/archive/master.tar.gz
 wget -qO mozilla-tls-observatory.tar.gz https://github.com/mozilla/tls-observatory/archive/master.tar.gz
 
- non-root-user:
- plugin: nil
- overlay-script: |
- # Create a user in the $CRAFT_OVERLAY chroot
- mkdir -p $CRAFT_OVERLAY/etc
- chmod 755 $CRAFT_OVERLAY/etc
- groupadd -R $CRAFT_OVERLAY -g 1001 ubuntu
- useradd -R $CRAFT_OVERLAY -M -r -u 1001 -g ubuntu ubuntu
- override-prime: |
- craftctl default
- chown -R 1001:1001 tmp/operator-resources
-
 security-team-requirement:
 plugin: nil
 after: [seldon-core-operator, mpl-deps]
diff --git a/seldon-core-operator/tox.ini b/seldon-core-operator/tox.ini
index ce758ef..45e03ff 100644
--- a/seldon-core-operator/tox.ini
+++ b/seldon-core-operator/tox.ini
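Review bot: In the first hunk of rockcraft.yaml, `run-user: _daemon_` replaces the per-service `user: ubuntu`, but nothing in the patch re-establishes ownership of `tmp/operator-resources`, which the removed `non-root-user` part (second hunk of this file) used to set with `chown -R 1001:1001`. If `/manager` only reads that directory this is fine; if it writes there at startup, the service would presumably fail under `_daemon_`. The hunk does not show which is the case, so it is worth confirming by running the built rock and, if needed, setting ownership or mode in the part that stages the directory. I would also add a comment above the new key, e.g. `# Pebble and every service run as the unprivileged _daemon_ user; do not re-add a per-service user:`, so the non-root setting is not weakened by a later edit.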
@@ -63,7 +63,7 @@ commands =
 print(CheckRock("rockcraft.yaml").get_version())'\'') && \
 sudo skopeo --insecure-policy copy oci-archive:$ROCK.rock docker-daemon:$ROCK:$VERSION && \
 docker save $ROCK > $ROCK.tar && \
- microk8s ctr image import $ROCK.tar && \
+ microk8s ctr image import $ROCK.tar --digests=true && \
 # replace upstream-source with local ROCK image \
 yq e -i ".resources.oci-image.upstream-source=\"$ROCK:$VERSION\"" {env:LOCAL_CHARM_DIR}/metadata.yaml'
 # run charm integration test with rock
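Review bot: The new `--digests=true` on the `microk8s ctr image import` line is not explained in tox.ini or in the commit message, which only says "Updated import procedure". As far as I know, the flag makes ctr also create digest-addressed image records on import, so presumably the integration test now needs the rock to be resolvable by digest; that is an inference and should be confirmed. A comment line in the style of the existing `# replace upstream-source with local ROCK image \`, for example `# --digests=true: also register the image by digest (<reason>) \`, would keep the flag from being dropped in a later cleanup. The `commands =` block starts before this hunk, so the rest of the command chain is not visible here.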