Merge pull request #1469 from amaltaro/fix-11944-take2

Set WMAgent/MariaDB/CouchDB user during container runtime
dmwm · May 2, 2024 · ffa1a61 · ffa1a61
2 parents f4a43f8 + f1c11d6
commit ffa1a61
Show file tree

Hide file tree

Showing 14 changed files with 235 additions and 217 deletions.
diff --git a/docker/pypi/wmagent-couchdb/Dockerfile b/docker/pypi/wmagent-couchdb/Dockerfile
@@ -13,16 +13,7 @@ RUN apt-get install -y hostname net-tools iputils-ping procps emacs-nox tcpdump
 
 RUN pip install CMSCouchapp
 
-# ENV USER=couchdb
-# ENV GROUP=couchdb
-ENV USER=cmst1
-ENV GROUP=zh
-ENV COUCH_UID=31961
-ENV COUCH_GID=1399
 ENV COUCH_PORT=5984
-# ENV COUCH_UID=5984
-# ENV COUCH_GID=5984
-
 ENV COUCH_ROOT_DIR=/data
 
 ENV COUCH_BASE_DIR=$COUCH_ROOT_DIR/srv/couchdb
@@ -46,16 +37,6 @@ ENV WMA_SECRETS_FILE=$WMA_ADMIN_DIR/WMAgent.secrets
 
 # RUN mkdir -p /etc/grid-security
 
-# # Setting up users and previleges
-# # THIS MUST HAPPEN MANUALLY ON THE HOST:
-RUN groupadd -g ${COUCH_GID} ${GROUP}
-RUN useradd -u ${COUCH_UID} -g ${COUCH_GID} -m ${USER}
-RUN install -o ${USER} -g ${COUCH_GID} -d ${COUCH_ROOT_DIR}
-
-
-# add user to sudoers file
-RUN echo "$USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
-
 # start the setup
 RUN mkdir -p $COUCH_ROOT_DIR
 
@@ -64,37 +45,26 @@ ENV PATH="${COUCH_ROOT_DIR}:${PATH}"
 RUN mkdir -p $COUCH_CURRENT_DIR $COUCH_CONFIG_DIR $COUCH_MANAGE_DIR $COUCH_LOG_DIR $COUCH_DATABASE_DIR $COUCH_STATE_DIR $COUCH_AUTH_DIR
 RUN ln -s $COUCH_CURRENT_DIR $COUCH_BASE_DIR/current
 
-# ENV COUCHDB_USER=admin
-# ENV COUCHDB_PASSWORD=adminpass
-
 # add necessary scripts
 ADD run.sh ${COUCH_ROOT_DIR}/
 ADD manage ${COUCH_MANAGE_DIR}/manage
 RUN ln -s ${COUCH_MANAGE_DIR}/manage ${COUCH_ROOT_DIR}/manage
 
 # The $COUCH_CONFIG_DIR is to be mounted from the host and locla.ini read from there
-ADD local.ini ${COUCH_CONFIG_DIR}/local.ini
+ADD local.ini ${COUCH_DEPLOY_DIR}/local.ini
 RUN ln -s ${COUCH_CONFIG_DIR}/local.ini /opt/couchdb/etc/local.d/
 
 ENV PATH="/opt/couchdb/bin:/usr/local/bin/:${PATH}"
 ENV CRYPTOGRAPHY_ALLOW_OPENSSL_102=true
 
-# RUN <<EOF cat >> /opt/couchdb/.bashrc
-RUN <<EOF cat >> /home/$USER/.bashrc
-
-alias lll="ls -lathr"
-alias ls="ls --color=auto"
-alias ll='ls -la --color=auto'
-
-alias manage=$COUCH_MANAGE_DIR/manage
-
-# set CouchDB docker specific bash prompt:
-export PS1="(CouchDB-$TAG) [\u@\h:\W]\$ "
+# Set command prompt for root
+RUN <<EOF cat >> /root/.bashrc
+export PS1="(CouchDB-$TAG) [\u@\h:\W]# "
 EOF
 
-RUN chown -R ${USER}:${GROUP} ${COUCH_ROOT_DIR}
+# allow dynamic users to create homefolders and .bashrc
+RUN chmod 777 /home
 
 # setup final environment
-USER $USER
 WORKDIR $COUCH_ROOT_DIR
 ENTRYPOINT ["./run.sh"]
diff --git a/docker/pypi/wmagent-couchdb/couchdb-docker-run.sh b/docker/pypi/wmagent-couchdb/couchdb-docker-run.sh
@@ -49,39 +49,62 @@ while getopts ":t:hp" opt; do
     esac
 done
 
-
-couchdbUser=cmst1
-couchOpts=" --user $couchdbUser"
-
 # This is the root at the host only, it may differ from the root inside the container.
 # NOTE: this may be parameterized, so that the container can run on a different mount point.
 HOST_MOUNT_DIR=/data/dockerMount
 
+thisUser=$(id -un)
+thisGroup=$(id -gn)
+
+# create the passwd and group mount point dynamically at runtime
+passwdEntry=$(getent passwd $thisUser | awk -F : -v thisHome="/home/$thisUser" '{print $1 ":" $2 ":" $3 ":" $4 ":" $5 ":" thisHome ":" $7}')
+groupEntry=$(getent group $thisGroup)
+
+# workaround case where Unix account is not in the local system (e.g. sssd)
+[[ -d $HOST_MOUNT_DIR/admin/etc/ ]] || (mkdir -p $HOST_MOUNT_DIR/admin/etc) || exit $?
+[[ -f $HOST_MOUNT_DIR/admin/etc/passwd ]] || {
+    echo "Creating passwd file"
+    getent passwd > $HOST_MOUNT_DIR/admin/etc/passwd
+    echo $passwdEntry >> $HOST_MOUNT_DIR/admin/etc/passwd
+}
+[[ -f $HOST_MOUNT_DIR/admin/etc/group ]] || {
+    echo "Creating group file"
+    getent group > $HOST_MOUNT_DIR/admin/etc/group
+    echo $groupEntry >> $HOST_MOUNT_DIR/admin/etc/group
+}
+
 [[ -d $HOST_MOUNT_DIR/certs ]] || mkdir -p $HOST_MOUNT_DIR/certs || exit $?
 [[ -d $HOST_MOUNT_DIR/admin/couchdb ]] || mkdir -p $HOST_MOUNT_DIR/admin/couchdb || exit $?
-# [[ -d $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/config  ]] || mkdir -p $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/config  || exit $?
-[[ -d $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/install/database ]] || mkdir -p $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/install/database || exit $?
+[[ -d $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/config  ]] || mkdir -p $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/config  || exit $?
+[[ -d $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/install ]] || mkdir -p $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/install || exit $?
 [[ -d $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/logs ]] || mkdir -p $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/logs || exit $?
+[[ -d $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/state ]] || mkdir -p $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/state || exit $?
 
-# sudo chown -R $couchdbUser:$couchdbUser $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG
 
 dockerOpts="
 --detach \
 --network=host \
 --rm \
---hostname=`hostname -f` \
+--hostname=$(hostname -f) \
+--user $(id -u):$(id -g) \
 --name=couchdb \
 --mount type=bind,source=/tmp,target=/tmp \
 --mount type=bind,source=$HOST_MOUNT_DIR/certs,target=/data/certs \
---mount type=bind,source=$HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/install/database,target=/data/srv/couchdb/current/install/database \
+--mount type=bind,source=$HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/install,target=/data/srv/couchdb/current/install \
 --mount type=bind,source=$HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/logs,target=/data/srv/couchdb/current/logs \
+--mount type=bind,source=$HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/state,target=/data/srv/couchdb/current/state \
+--mount type=bind,source=$HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/config,target=/data/srv/couchdb/current/config \
 --mount type=bind,source=$HOST_MOUNT_DIR/admin/wmagent,target=/data/admin/wmagent/ \
 --mount type=bind,source=$HOST_MOUNT_DIR/admin/couchdb,target=/data/admin/couchdb/ \
+--mount type=bind,source=$HOST_MOUNT_DIR/admin/etc/passwd,target=/etc/passwd,readonly \
+--mount type=bind,source=$HOST_MOUNT_DIR/admin/etc/group,target=/etc/group,readonly \
+--mount type=bind,source=/etc/sudoers,target=/etc/sudoers,readonly \
+--mount type=bind,source=/etc/sudoers.d,target=/etc/sudoers.d,readonly \
 "
 
 # --mount type=bind,source=$HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/config,target=/data/srv/couchdb/current/config \
-# couchOpts=$*
-# couchOpts="$couchOpts --user couchdb -e COUCHDB_USER=TestAdmin -e COUCHDB_PASSWORD=TestPass"
+# --mount type=bind,source=$HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG/install/database,target=/data/srv/couchdb/current/install/database \
+
 registry=local
 repository=wmagent-couchdb
 
@@ -94,7 +117,7 @@ $PULL && {
     docker tag  $registry/$project/$repository:$COUCH_TAG $registry/$repository:latest
 }
 
-echo "Starting the couchdb:$COUCH_TAG docker container with the following parameters: $couchOpts"
-docker run $dockerOpts $couchOpts $registry/$repository:$COUCH_TAG && (
+echo "Starting couchdb:$COUCH_TAG docker container with user: $thisUser:$thisGroup"
+docker run $dockerOpts $registry/$repository:$COUCH_TAG && (
     [[ -h $HOST_MOUNT_DIR/srv/couchdb/current ]] && rm -f $HOST_MOUNT_DIR/srv/couchdb/current
     ln -s $HOST_MOUNT_DIR/srv/couchdb/$COUCH_TAG $HOST_MOUNT_DIR/srv/couchdb/current )
diff --git a/docker/pypi/wmagent-couchdb/manage b/docker/pypi/wmagent-couchdb/manage
@@ -680,6 +680,8 @@ init_couchdb() {
     # i.e. check if COUCHDB_SECRETS_FILE and WMAGENT_SECRETS_FILE from the host
     # have been parsed correctly and the passwords propagated to local.ini
 
+    [[ -f $COUCH_CONFIG_DIR/local.ini ]] || cp -v $COUCH_DEPLOY_DIR/local.ini $COUCH_CONFIG_DIR/local.ini
+
     # First check if all variables in the local.ini file are properly set
     local parseOk=true
     _parse_localini $COUCH_CONFIG_DIR/local.ini || parseOk=false

diff --git a/docker/pypi/wmagent-couchdb/run.sh b/docker/pypi/wmagent-couchdb/run.sh
@@ -1,60 +1,36 @@
 #!/bin/bash
 
-manage init      | tee -a $COUCH_LOG_DIR/run.log
-manage start     | tee -a $COUCH_LOG_DIR/run.log
-manage pushapps  | tee -a $COUCH_LOG_DIR/run.log
+# Basic initialization for CouchDB
+thisUser=$(id -un)
+thisGroup=$(id -gn)
+thisUserID=$(id -u)
+thisGroupID=$(id -g)
+echo "Running CouchDB container with user: $thisUser (ID: $thisUserID) and group: $thisGroup (ID: $thisGroupID)"
 
-echo "start sleeping....zzz"
-while true; do sleep 10; done
+export USER=$thisUser
+[[ -d ${HOME} ]] || mkdir -p ${HOME}
 
+<<EOF cat >> ~/.bashrc
+export USER=$thisUser
 
-# # start the service
-# manage start
+alias lll="ls -lathr"
+alias ls="ls --color=auto"
+alias ll='ls -la --color=auto'
+alias scurl='curl -k --cert ${COUCH_CERTS_DIR}/servicecert.pem --key ${COUCH_CERTS_DIR}/servicekey.pem'
 
+alias manage=$COUCH_MANAGE_DIR/manage
 
+# Set command prompt for the running user inside the container
+export PS1="(CouchDB-$TAG) [\u@\h:\W]\$ "
+EOF
+source ${HOME}/.bashrc
 
+manage init      | tee -a $COUCH_LOG_DIR/run.log
+manage start     | tee -a $COUCH_LOG_DIR/run.log
+manage pushapps  | tee -a $COUCH_LOG_DIR/run.log
 
+echo "start sleeping....zzz"
+sleep infinity
 
-# ###########################################################################################
-# # NOTE: Leftovers - to be adopted/reimplemented in the GH issue dealing with CouchDB setup
-# #       all of those steps were previously done with the old wmagent deployment procedures
-# ###########################################################################################
-
-# DATA_SIZE=`lsblk -bo SIZE,MOUNTPOINT | grep ' /data1' | sort | uniq | awk '{print $1}'`
-# DATA_SIZE_GB=`lsblk -o SIZE,MOUNTPOINT | grep ' /data1' | sort | uniq | awk '{print $1}'`
-# if [[ $DATA_SIZE -gt 200000000000 ]]; then  # greater than ~200GB
-# echo "Partition /data1 available! Total size: $DATA_SIZE_GB"
-# sleep 0.5
-# while true; do
-# read -p "Would you like to deploy couchdb in this /data1 partition (yes/no)? " yn
-# case $yn in
-# [Y/y]* ) DATA1=true; break;;
-# [N/n]* ) DATA1=false; break;;
-# * ) echo "Please answer yes or no.";;
-# esac
-# done
-# else
-# DATA1=false
-# fi && echo
-
-# echo -e "\n*** Applying (for couchdb1.6, etc) cert file permission ***"
-# chmod 600 /data/certs/service{cert,key}.pem
-# echo "Done!"
-
-# echo "*** Checking if couchdb migration is needed ***"
-# echo -e "\n[query_server_config]\nos_process_limit = 50" >> $WMA_CURRENT_DIR/config/couchdb/local.ini
-# if [ "$DATA1" = true ]; then
-# ./manage stop-services
-# sleep 5
-# if [ -d "/data1/database/" ]; then
-# echo "Moving old database away... "
-# mv /data1/database/ /data1/database_old/
-# FINAL_MSG="5) Remove the old database when possible (/data1/database_old/)"
-# fi
-# rsync --remove-source-files -avr /data/srv/wmagent/current/install/couchdb/database /data1
-# sed -i "s+database_dir = .*+database_dir = /data1/database+" $WMA_CURRENT_DIR/config/couchdb/local.ini
-# sed -i "s+view_index_dir = .*+view_index_dir = /data1/database+" $WMA_CURRENT_DIR/config/couchdb/local.ini
-# ./manage start-services
-# fi
-# echo "Done!" && echo
-# ###########################################################################################
+# # start the service
+# manage start
diff --git a/docker/pypi/wmagent-mariadb/Dockerfile b/docker/pypi/wmagent-mariadb/Dockerfile
@@ -32,10 +32,6 @@ ENV MDB_SECRETS_FILE=$MDB_ADMIN_DIR/MariaDB.secrets
 ENV WMA_SECRETS_FILE=$WMA_ADMIN_DIR/WMAgent.secrets
 ENV WMA_DATABASE=wmagent
 
-# create the system user to run the database
-RUN groupadd -g 1399 zh
-RUN useradd -u 31961  -g 1399 -G 999 -m cmst1
-
 # start the setup
 RUN mkdir -p $MDB_ROOT_DIR $MDB_CURRENT_DIR $MDB_CONFIG_DIR $MDB_MANAGE_DIR \
     $MDB_LOG_DIR $MDB_DATABASE_DIR $MDB_STATE_DIR $MDB_AUTH_DIR
@@ -52,20 +48,14 @@ ADD my.cnf ${MDB_CONFIG_DIR}/my.cnf
 
 ENV PATH="/usr/local/bin/:${MDB_ROOT_DIR}:${PATH}"
 
-# set MariaDB docker specific bash prompt and manage alias for all users:
-RUN <<EOF cat >>/root/.bashrc
-alias manage=$MDB_MANAGE_DIR/manage
-export PS1="(MariaDB-$MDB_TAG) [\u@\h:\W]\$([[ \$(id -u) -eq 0 ]] && echo \# || echo \$) "
-EOF
-
-RUN <<EOF cat >>/home/cmst1/.bashrc
-alias manage=$MDB_MANAGE_DIR/manage
-export PS1="(MariaDB-$MDB_TAG) [\u@\h:\W]\$([[ \$(id -u) -eq 0 ]] && echo \# || echo \$) "
+# Set command prompt for root
+RUN <<EOF cat >> /root/.bashrc
+export PS1="(MariaDB-$MDB_TAG) [\u@\h:\W]# "
 EOF
 
-# RUN chown -R ${USER} ${MDB_ROOT_DIR}
+# allow dynamic users to create homefolders and .bashrc
+RUN chmod 777 /home
 
 # setup final environment
-# USER $USER
 WORKDIR $MDB_ROOT_DIR
 ENTRYPOINT ["./run.sh", "2>&1"]
diff --git a/docker/pypi/wmagent-mariadb/mariadb-docker-run.sh b/docker/pypi/wmagent-mariadb/mariadb-docker-run.sh
@@ -49,34 +49,54 @@ while getopts ":t:hp" opt; do
     esac
 done
 
-
-mariadbUser=`id -un`
-mariadbOpts=" --user $mariadbUser -e USER=$mariadbUser"
-
 # This is the root at the host only, it may differ from the root inside the container.
 # NOTE: this may be parametriesed, so that the container can run on a different mount point.
 HOST_MOUNT_DIR=/data/dockerMount
 
+thisUser=$(id -un)
+thisGroup=$(id -gn)
+
+# create the passwd and group mount point dynamically at runtime
+passwdEntry=$(getent passwd $thisUser | awk -F : -v thisHome="/home/$thisUser" '{print $1 ":" $2 ":" $3 ":" $4 ":" $5 ":" thisHome ":" $7}')
+groupEntry=$(getent group $thisGroup)
+
+# workaround case where Unix account is not in the local system (e.g. sssd)
+[[ -d $HOST_MOUNT_DIR/admin/etc/ ]] || (mkdir -p $HOST_MOUNT_DIR/admin/etc) || exit $?
+[[ -f $HOST_MOUNT_DIR/admin/etc/passwd ]] || {
+    echo "Creating passwd file"
+    getent passwd > $HOST_MOUNT_DIR/admin/etc/passwd
+    echo $passwdEntry >> $HOST_MOUNT_DIR/admin/etc/passwd
+}
+[[ -f $HOST_MOUNT_DIR/admin/etc/group ]] || {
+    echo "Creating group file"
+    getent group > $HOST_MOUNT_DIR/admin/etc/group
+    echo $groupEntry >> $HOST_MOUNT_DIR/admin/etc/group
+}
+
 [[ -d $HOST_MOUNT_DIR/certs ]] || (mkdir -p $HOST_MOUNT_DIR/certs) || exit $?
 [[ -d $HOST_MOUNT_DIR/admin/mariadb ]] || (mkdir -p $HOST_MOUNT_DIR/admin/mariadb) || exit $?
 # [[ -d $HOST_MOUNT_DIR/srv/mariadb/$MDB_TAG/config  ]] || (mkdir -p $HOST_MOUNT_DIR/srv/mariadb/$MDB_TAG/config)  || exit $?
 [[ -d $HOST_MOUNT_DIR/srv/mariadb/$MDB_TAG/install/database ]] || { mkdir -p $HOST_MOUNT_DIR/srv/mariadb/$MDB_TAG/install/database ;} || exit $?
 [[ -d $HOST_MOUNT_DIR/srv/mariadb/$MDB_TAG/logs ]] || { mkdir -p $HOST_MOUNT_DIR/srv/mariadb/$MDB_TAG/logs ;} || exit $?
 
-# sudo chown -R $mariadbUser $HOST_MOUNT_DIR/srv/mariadb/$MDB_TAG
 
 dockerOpts="
 --detach \
 --network=host \
 --rm \
---hostname=`hostname -f` \
+--hostname=$(hostname -f) \
+--user $(id -u):$(id -g) \
 --name=mariadb \
 --mount type=bind,source=/tmp,target=/tmp \
 --mount type=bind,source=$HOST_MOUNT_DIR/certs,target=/data/certs \
 --mount type=bind,source=$HOST_MOUNT_DIR/srv/mariadb/$MDB_TAG/install/database,target=/data/srv/mariadb/current/install/database \
 --mount type=bind,source=$HOST_MOUNT_DIR/srv/mariadb/$MDB_TAG/logs,target=/data/srv/mariadb/current/logs \
 --mount type=bind,source=$HOST_MOUNT_DIR/admin/mariadb,target=/data/admin/mariadb/ \
 --mount type=bind,source=$HOST_MOUNT_DIR/admin/wmagent,target=/data/admin/wmagent/ \
+--mount type=bind,source=$HOST_MOUNT_DIR/admin/etc/passwd,target=/etc/passwd,readonly \
+--mount type=bind,source=$HOST_MOUNT_DIR/admin/etc/group,target=/etc/group,readonly \
+--mount type=bind,source=/etc/sudoers,target=/etc/sudoers,readonly \
+--mount type=bind,source=/etc/sudoers.d,target=/etc/sudoers.d,readonly \
 "
 
 # --mount type=bind,source=$HOST_MOUNT_DIR/srv/mariadb/$MDB_TAG/config,target=/data/srv/mariadb/current/config \
@@ -94,7 +114,7 @@ $PULL && {
     docker tag  $registry/$project/$repository:$MDB_TAG $registry/$repository:latest
 }
 
-echo "Starting the $registry/$repository:$MDB_TAG docker container with the following parameters: $mariadbOpts"
-docker run $dockerOpts $mariadbOpts $registry/$repository:$MDB_TAG && (
+echo "Starting $repository:$MDB_TAG docker container with user: $thisUser:$thisGroup"
+docker run $dockerOpts $registry/$repository:$MDB_TAG && (
     [[ -h $HOST_MOUNT_DIR/srv/mariadb/current ]] && rm -f $HOST_MOUNT_DIR/srv/mariadb/current
     ln -s $HOST_MOUNT_DIR/srv/mariadb/$MDB_TAG $HOST_MOUNT_DIR/srv/mariadb/current )
diff --git a/docker/pypi/wmagent-mariadb/run.sh b/docker/pypi/wmagent-mariadb/run.sh
@@ -1,7 +1,31 @@
 #!/bin/bash
 
+# Basic initialization for MariaDB
+thisUser=$(id -un)
+thisGroup=$(id -gn)
+thisUserID=$(id -u)
+thisGroupID=$(id -g)
+echo "Running MariaDB container with user: $thisUser (ID: $thisUserID) and group: $thisGroup (ID: $thisGroupID)"
+
+export USER=$thisUser
+[[ -d ${HOME} ]] || mkdir -p ${HOME}
+
+<<EOF cat >> ~/.bashrc
+export USER=$thisUser
+
+alias lll="ls -lathr"
+alias ls="ls --color=auto"
+alias ll='ls -la --color=auto'
+
+alias manage=$MDB_MANAGE_DIR/manage
+
+# Set command prompt for the running user inside the container
+export PS1="(MariaDB-$MDB_TAG) [\u@\h:\W]\$ "
+EOF
+source ${HOME}/.bashrc
+
 manage init-mariadb  2>&1 | tee -a $MDB_LOG_DIR/run.log
 manage start-mariadb 2>&1 | tee -a $MDB_LOG_DIR/run.log
 
 echo "Start sleeping....zzz"
-while true; do sleep 10; done
+sleep infinity