From f5df62d83648725ef1b33e67ea097e2aea2d3a59 Mon Sep 17 00:00:00 2001
From: "BARTRA, RICK"
Date: Fri, 26 Apr 2019 15:43:00 -0400
Subject: [PATCH] Run rabbitmq container with rabbitmq user
This change makes rabbitmq container run with the rabbitmq user instead of the root user. As the rabbitmq user doesn't have write access to '/run' directory, the templates are updated to use the '/tmp' directory instead which the rabbitmq user has write access to.
Change-Id: Ia35c3f741fefe3172c93bb042bf8d26bf7672cfc
---
 rabbitmq/templates/bin/_rabbitmq-liveness.sh.tpl | 2 +-
 rabbitmq/templates/bin/_rabbitmq-readiness.sh.tpl | 2 +-
 rabbitmq/templates/bin/_rabbitmq-start.sh.tpl | 6 +++---
 rabbitmq/values.yaml | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/rabbitmq/templates/bin/_rabbitmq-liveness.sh.tpl b/rabbitmq/templates/bin/_rabbitmq-liveness.sh.tpl
index 2f5109fd3..bfb2f77b1 100644
--- a/rabbitmq/templates/bin/_rabbitmq-liveness.sh.tpl
+++ b/rabbitmq/templates/bin/_rabbitmq-liveness.sh.tpl
@@ -18,7 +18,7 @@ limitations under the License.
 set -e
-if [ -f /run/rabbit-disable-liveness-probe ]; then
+if [ -f /tmp/rabbit-disable-liveness-probe ]; then
 exit 0
 else
 exec rabbitmqctl status
diff --git a/rabbitmq/templates/bin/_rabbitmq-readiness.sh.tpl b/rabbitmq/templates/bin/_rabbitmq-readiness.sh.tpl
index 63e1cc3e7..bf66465c1 100644
--- a/rabbitmq/templates/bin/_rabbitmq-readiness.sh.tpl
+++ b/rabbitmq/templates/bin/_rabbitmq-readiness.sh.tpl
@@ -18,7 +18,7 @@ limitations under the License.
 set -e
-if [ -f /run/rabbit-disable-readiness ]; then
+if [ -f /tmp/rabbit-disable-readiness ]; then
 exit 1
 else
 exec rabbitmqctl status
diff --git a/rabbitmq/templates/bin/_rabbitmq-start.sh.tpl b/rabbitmq/templates/bin/_rabbitmq-start.sh.tpl
index 93096475c..ae0568908 100644
--- a/rabbitmq/templates/bin/_rabbitmq-start.sh.tpl
+++ b/rabbitmq/templates/bin/_rabbitmq-start.sh.tpl
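Review bot: The flag path on the `+if` line now sits directly in /tmp, which is world-writable and shared by every process in the container, so anyone who can exec into the pod as any uid, or any compromised non-rabbitmq process, can `touch /tmp/rabbit-disable-liveness-probe` and the probe will answer `exit 0` for the rest of the container's life, masking a hung broker; per the commit message /run was at least not writable by unprivileged users. A location the rabbitmq user owns exclusively — an emptyDir mounted at /run, or a mode-0700 subdirectory the start script creates — keeps the rabbitmq user able to write without opening the flag to everyone, provided the probe scripts and the start script are changed together. Nothing in this file says who creates the flag or when, so a comment above the test would help, e.g. `# flag is written by rabbitmq-start.sh while a new cluster member is joining; keep it in a directory only the rabbitmq user can write`. The `if`/`else` opened here is closed by a `fi` outside the hunk.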
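Review bot: With the flag moved to /tmp on the `+if` line, any local process in the container, whatever its uid, can `touch /tmp/rabbit-disable-readiness` and make this script return 1 for as long as the file exists, which Kubernetes reports as not-ready and so takes the pod out of service; a symlink at that path has the same effect, since `[ -f ]` follows symlinks. If the flag must stay on a shared filesystem, at least confine it to a directory created and owned by the rabbitmq user (a 0700 subdirectory or a dedicated emptyDir) rather than the top level of /tmp. A one-line comment such as `# readiness is withheld while rabbitmq-start.sh bootstraps a new cluster member; the flag is removed once the node has joined` would also document the contract, which this file currently leaves implicit. The `fi` closing this block is outside the hunk.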
@@ -49,7 +49,7 @@ POD_INCREMENT=$(echo "${MY_POD_NAME}" | awk -F '-' '{print $NF}')
 if ! [ "${POD_INCREMENT}" -eq "0" ] && ! [ -d "/var/lib/rabbitmq/mnesia" ] ; then
 echo 'This is not the 1st rabbit pod & has not been initialised'
 # disable liveness probe as it may take some time for the pod to come online.
- touch /run/rabbit-disable-liveness-probe
+ touch /tmp/rabbit-disable-liveness-probe
 POD_NAME_PREFIX="$(echo "${MY_POD_NAME}" | awk 'BEGIN{FS=OFS="-"}{NF--; print}')"
 for TARGET_POD in $(seq 0 +1 $((POD_INCREMENT - 1 ))); do
 END=$(($(date +%s) + 900))
@@ -70,7 +70,7 @@ if ! [ "${POD_INCREMENT}" -eq "0" ] && ! [ -d "/var/lib/rabbitmq/mnesia" ] ; the
 # Start RabbitMQ, but disable readiness from being reported so the pod is not
 # marked as up prematurely.
- touch /run/rabbit-disable-readiness
+ touch /tmp/rabbit-disable-readiness
 rabbitmq-server &
 # Wait for server to start, and reset if it does not
@@ -93,7 +93,7 @@ if ! [ "${POD_INCREMENT}" -eq "0" ] && ! [ -d "/var/lib/rabbitmq/mnesia" ] ; the
 # Shutdown the inital server
 rabbitmqctl shutdown
- rm -fv /run/rabbit-disable-readiness /run/rabbit-disable-liveness-probe
+ rm -fv /tmp/rabbit-disable-readiness /tmp/rabbit-disable-liveness-probe
 fi
 exec rabbitmq-server
diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml
index fda9e2321..552af4c3c 100644
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@@ -70,7 +70,7 @@ pod:
 runAsUser: 0
 readOnlyRootFilesystem: true
 rabbitmq:
- runAsUser: 0
+ runAsUser: 999
 readOnlyRootFilesystem: false
 cluster_wait:
 pod:
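Review bot: The `+ touch /tmp/rabbit-disable-liveness-probe` line creates a fixed, predictable name in the sticky world-writable /tmp, and the same literal is now spelled independently in the liveness, readiness and start templates, so a typo or a later rename in one of them silently breaks the hand-off between bootstrap and the probes. If a file of that name already exists and belongs to another uid, `touch` fails with EACCES; whether that aborts the bootstrap before `rabbitmq-server` starts depends on `set -e`, which this hunk does not show. Consider defining the flag directory once near the top of this script and rendering the same value into the two probe templates, pointing it at a location the rabbitmq user owns exclusively (an emptyDir, or a 0700 subdirectory created here) instead of /tmp, and adding `# probe flags: created here, read by the liveness/readiness scripts, removed once the node has joined the cluster` above the touch. The `if` that opens in this hunk is closed by the `fi` in the third hunk, outside this one.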
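Review bot: `runAsUser: 999` on the `+` line assumes 999 is the uid of the rabbitmq user in whatever image the chart deploys, and nothing in the file records that assumption; a comment next to it such as `# uid of the rabbitmq user in the upstream rabbitmq image; must match the image in use` would stop the next image bump from silently running the broker as an unrelated uid. Switching the uid does not change ownership of the /var/lib/rabbitmq volume that the start script probes (`/var/lib/rabbitmq/mnesia` in the first hunk), so a persistent volume previously written as root may no longer be writable unless a pod-level `fsGroup` or an init step fixes ownership — the volume definition is not visible here, so please confirm. Note also that the `readOnlyRootFilesystem: false` left on the following line is now load-bearing, because the probe flags are written to /tmp on the root filesystem; mounting an emptyDir at /tmp (or at /run) would let this container run with `readOnlyRootFilesystem: true` like what appears to be the sibling container's context just above.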