Merge "Revert abitrary uid support"

2020-03-17 21:36:59 +00:00 · 2020-03-17 21:36:59 +00:00 · 16cb5c1952
commit 16cb5c1952
parent a0e542d4ff 6da36e8a3e
2 changed files with 1 additions and 40 deletions
--- a/18
+++ b/18
@ -26,32 +26,16 @@ FROM docker.io/opendevorg/python-base as nodepool-base
 COPY --from=builder /output/ /output
 RUN /output/install-from-bindep

-### Containers should NOT run as root as a good practice
 RUN useradd -u 10001 -m -d /var/lib/nodepool -c "Nodepool Daemon" nodepool

-# although this feels odd ... by default has group "shadow", meaning
-# uid_entrypoint can't update it.  This is necessary for things like
-# sudo to work.
-RUN chown root:root /etc/shadow
-
-RUN chmod g=u /etc/passwd /etc/shadow
-ENV APP_ROOT=/var/lib/nodepool
-ENV HOME=${APP_ROOT}
-ENV USER_NAME=nodepool
-RUN chown 10001:1001 ${APP_ROOT}
-COPY tools/uid_entrypoint.sh /uid_entrypoint
-ENTRYPOINT ["/uid_entrypoint"]
-
 FROM nodepool-base as nodepool
 # ============================================================================

-USER 10001
 CMD ["/usr/local/bin/nodepool"]

 FROM nodepool-base as nodepool-launcher
 # ============================================================================

-USER 10001
 CMD _DAEMON_FLAG=${DEBUG:+-d} && \
    _DAEMON_FLAG=${_DAEMON_FLAG:--f} && \
    /usr/local/bin/nodepool-launcher ${_DAEMON_FLAG}
@ -62,6 +46,7 @@ FROM nodepool-base as nodepool-builder
 # dib needs sudo
 RUN echo "nodepool ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/nodepool-sudo \
  && chmod 0440 /etc/sudoers.d/nodepool-sudo
+
 # binary deps; see
 #  https://docs.openstack.org/diskimage-builder/latest/developer/vhd_creation.html
 # about the vhd-util deps
@ -87,7 +72,6 @@ RUN \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*

-USER 10001
 CMD _DAEMON_FLAG=${DEBUG:+-d} && \
    _DAEMON_FLAG=${_DAEMON_FLAG:--f} && \
    /usr/local/bin/nodepool-builder ${_DAEMON_FLAG}
--- a/tools/uid_entrypoint.sh
+++ b/tools/uid_entrypoint.sh
@ -1,23 +0,0 @@
-#!/bin/sh
-# Copyright 2019 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-# implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-if ! whoami 2>&1 >/dev/null; then
-  if [ -w /etc/passwd ]; then
-     echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
-     echo "${USER_NAME:-default}:!:18211:0:99999:7:::" >> /etc/shadow
-  fi
-fi
-exec dumb-init "$@"