[Libreoffice-commits] online.git: docker/Dockerfile docker/scripts

Andras Timar (via logerrit) logerrit at kemper.freedesktop.org
Mon Feb 17 17:31:55 UTC 2020


 docker/Dockerfile          |   12 +++++++++---
 docker/scripts/run-lool.sh |    5 ++---
 2 files changed, 11 insertions(+), 6 deletions(-)

New commits:
commit 0009343003f6aabd9883597148c505f3a20a553a
Author:     Andras Timar <andras.timar at collabora.com>
AuthorDate: Tue Feb 11 11:05:21 2020 +0100
Commit:     Andras Timar <andras.timar at collabora.com>
CommitDate: Mon Feb 17 18:31:36 2020 +0100

    docker: non-root container
    
    Change-Id: I30b48fa193fe06ee42752e8ba4883c5221b28924
    Reviewed-on: https://gerrit.libreoffice.org/c/online/+/88435
    Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice at gmail.com>
    Reviewed-by: Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
    Reviewed-by: Andras Timar <andras.timar at collabora.com>

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 6651b29f9..c82cdee4c 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -30,10 +30,16 @@ RUN mkdir -p /var/cache/loolwsd && chown lool: /var/cache/loolwsd
 RUN rm -rf /var/cache/loolwsd/*
 RUN rm -rf /opt/lool
 RUN mkdir -p /opt/lool/child-roots
-RUN chown lool: /opt/lool
-RUN chown lool: /opt/lool/child-roots
 RUN loolwsd-systemplate-setup /opt/lool/systemplate /opt/libreoffice >/dev/null 2>&1
 RUN touch /var/log/loolwsd.log
-RUN chown lool /var/log/loolwsd.log
+# Fix permissions
+RUN chown lool:lool /var/log/loolwsd.log
+RUN chown -R lool:lool /opt/
+RUN chown -R lool:lool /etc/loolwsd
+
 EXPOSE 9980
+
+# switch to lool user (use numeric user id to be compatible with Kubernetes Pod Security Policies)
+USER 101
+
 CMD bash /run-lool.sh
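Review bot: `chown -R lool:lool /opt/` on the new line hands the runtime user ownership of everything under /opt, including the /opt/libreoffice tree that the systemplate setup line reads from, and `chown -R lool:lool /etc/loolwsd` does the same for the configuration, whereas the two removed chown lines only covered /opt/lool. A loolwsd process that is compromised at runtime could then modify its own binaries and config, which the narrower ownership prevented. If run-lool.sh only needs /opt/lool and /opt/ssl writable, `chown -R lool:lool /opt/lool` plus `install -d -o lool -g lool /opt/ssl` keeps /opt/libreoffice root-owned. `USER 101` also presumes that the `lool` account created outside this hunk has uid 101; pinning it with `--uid 101` where the user is added, or a comment stating that assumption, would keep the two from drifting apart.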
diff --git a/docker/scripts/run-lool.sh b/docker/scripts/run-lool.sh
index 227eb5116..7fca8a15d 100755
--- a/docker/scripts/run-lool.sh
+++ b/docker/scripts/run-lool.sh
@@ -15,7 +15,7 @@ if test "${DONT_GEN_SSL_CERT-set}" == set; then
 mkdir -p /opt/ssl/
 cd /opt/ssl/
 mkdir -p certs/ca
-openssl rand -writerand /root/.rnd
+openssl rand -writerand /opt/lool/.rnd
 openssl genrsa -out certs/ca/root.key.pem 2048
 openssl req -x509 -new -nodes -key certs/ca/root.key.pem -days 9131 -out certs/ca/root.crt.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=Dummy Authority"
 mkdir -p certs/{servers,tmp}
@@ -24,7 +24,6 @@ openssl genrsa -out certs/servers/localhost/privkey.pem 2048
 openssl req -key certs/servers/localhost/privkey.pem -new -sha256 -out certs/tmp/localhost.csr.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost"
 openssl x509 -req -in certs/tmp/localhost.csr.pem -CA certs/ca/root.crt.pem -CAkey certs/ca/root.key.pem -CAcreateserial -out certs/servers/localhost/cert.pem -days 9131
 mv certs/servers/localhost/privkey.pem /etc/loolwsd/key.pem
-chown lool: /etc/loolwsd/key.pem
 mv certs/servers/localhost/cert.pem /etc/loolwsd/cert.pem
 mv certs/ca/root.crt.pem /etc/loolwsd/ca-chain.cert.pem
 fi
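Review bot: With `chown lool: /etc/loolwsd/key.pem` removed, nothing in this block sets the private key's ownership or mode any more; the file belongs to whichever uid runs the script and keeps whatever mode `openssl genrsa` and the caller's umask produced. An explicit `chmod 600 /etc/loolwsd/key.pem` after the `mv` on the preceding line (and the same for certs/ca/root.key.pem, which stays behind in /opt/ssl) would make the key's permissions independent of the umask. The enclosing `if test "${DONT_GEN_SSL_CERT-set}" == set` block starts outside this hunk.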
@@ -43,4 +42,4 @@ perl -pi -e "s/<password (.*)>.*<\/password>/<password \1>${password}<\/password
 ) &
 
 # Start loolwsd
-su -c "/usr/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd ${extra_params}" -s /bin/bash lool
+/bin/bash -c "/usr/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd ${extra_params}"
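Review bot: Replacing `su -c … lool` with `/bin/bash -c "…"` means the script itself no longer drops privileges; the privilege drop now lives only in the Dockerfile's `USER 101`, so invoking run-lool.sh as root from another entrypoint would start loolwsd as root. A cheap guard before this line is `[ "$(id -u)" -ne 0 ] || { echo "run-lool.sh must not run as root" >&2; exit 1; }`. The extra bash wrapper also adds nothing: `exec /usr/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd ${extra_params}` lets loolwsd replace the script's shell so the SIGTERM from `docker stop` reaches it directly, assuming `extra_params` holds plain space-separated options as the current word splitting already requires.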

