From 6da36e8a3e4847de2b023965549f5d5748cd5554 Mon Sep 17 00:00:00 2001 From: Monty Taylor Date: Fri, 13 Mar 2020 15:05:57 -0500 Subject: [PATCH] Revert abitrary uid support This code was already reverted in the zuul images, it doesn't actually provide the value is claims to add and it breaks the running under podman. Revert "Dockerfile: add support for arbritary uid" This reverts commit da2701e0b19cbe75cdbd79cfeafaf7c643546fc7. Revert "Dockerfile: add user to shadow file too" This reverts commit 747e95726362dc5d57c35a9bdcd806d3ab1d7d32. Change-Id: Iff606c65c6a3223f13d963d90455fa895193cce8 --- Dockerfile | 18 +----------------- tools/uid_entrypoint.sh | 23 ----------------------- 2 files changed, 1 insertion(+), 40 deletions(-) delete mode 100755 tools/uid_entrypoint.sh diff --git a/Dockerfile b/Dockerfile index 83afe247f..3a01cc501 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,32 +26,16 @@ FROM docker.io/opendevorg/python-base as nodepool-base COPY --from=builder /output/ /output RUN /output/install-from-bindep -### Containers should NOT run as root as a good practice RUN useradd -u 10001 -m -d /var/lib/nodepool -c "Nodepool Daemon" nodepool -# although this feels odd ... by default has group "shadow", meaning -# uid_entrypoint can't update it. This is necessary for things like -# sudo to work. -RUN chown root:root /etc/shadow - -RUN chmod g=u /etc/passwd /etc/shadow -ENV APP_ROOT=/var/lib/nodepool -ENV HOME=${APP_ROOT} -ENV USER_NAME=nodepool -RUN chown 10001:1001 ${APP_ROOT} -COPY tools/uid_entrypoint.sh /uid_entrypoint -ENTRYPOINT ["/uid_entrypoint"] - FROM nodepool-base as nodepool # ============================================================================ -USER 10001 CMD ["/usr/local/bin/nodepool"] FROM nodepool-base as nodepool-launcher # ============================================================================ -USER 10001 CMD _DAEMON_FLAG=${DEBUG:+-d} && \ _DAEMON_FLAG=${_DAEMON_FLAG:--f} && \ /usr/local/bin/nodepool-launcher ${_DAEMON_FLAG} 
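Review bot: With `USER 10001` removed from the `nodepool` and `nodepool-launcher` stages here (and from `nodepool-builder` in the `@@ -87,7 +72,6 @@` hunk), no `USER` instruction remains on the visible new side. Unless `python-base` or the deployment sets a user, the daemons will start as root, even though `useradd -u 10001 ... nodepool` still creates the account. The commit message blames the podman breakage on the arbitrary-uid support, which looks like the `/uid_entrypoint` wrapper plus the group-writable `/etc/passwd` and `/etc/shadow`, not the `USER` line itself. If that reading is right, keeping `USER 10001` before each `CMD` would preserve the non-root default while still dropping the entrypoint and the `chmod g=u`. If running as root is intended, a comment above each `CMD` such as `# Runs as root unless the runtime sets a user; deployments should run as uid 10001 (nodepool)` would make the expectation explicit for operators.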
@@ -62,6 +46,7 @@ FROM nodepool-base as nodepool-builder # dib needs sudo RUN echo "nodepool ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/nodepool-sudo \ && chmod 0440 /etc/sudoers.d/nodepool-sudo + # binary deps; see # https://docs.openstack.org/diskimage-builder/latest/developer/vhd_creation.html # about the vhd-util deps @@ -87,7 +72,6 @@ RUN \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -USER 10001 CMD _DAEMON_FLAG=${DEBUG:+-d} && \ _DAEMON_FLAG=${_DAEMON_FLAG:--f} && \ /usr/local/bin/nodepool-builder ${_DAEMON_FLAG} diff --git a/tools/uid_entrypoint.sh b/tools/uid_entrypoint.sh deleted file mode 100755 index b1b21aaf4..000000000 --- a/tools/uid_entrypoint.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh -# Copyright 2019 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -if ! whoami 2>&1 >/dev/null; then - if [ -w /etc/passwd ]; then - echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd - echo "${USER_NAME:-default}:!:18211:0:99999:7:::" >> /etc/shadow - fi -fi -exec dumb-init "$@"