
SUIT and Firefly container should not run as root by default


    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Fix Version/s: None
    • Component/s: Firefly, SUIT
    • Labels: None
    • Story Points: 3
    • Epic Link:
    • Sprint: SUIT Sprint 2018-08, SUIT Sprint 2018-09
    • Team: Science User Interface

      Description

      There are two Firefly servers running in the lsst-lspdev k8s cluster environment. It was discovered that the Firefly servers were running as root after they were deployed by k8s. The container settings need to be changed so that the server is not started as root.

      Also configure the proxy to not require the trailing slash in the URL https://lsst-pdac.ncsa.illinois.edu/portal/suit/


          Activity

          xiuqin Xiuqin Wu [X] (Inactive) added a comment -

          Adam Thornton @loi is back from vacation and swamped by many things. I would appreciate it very much if you could give some instructions as to what needs to be done for the docker image to not run as root.

          athornton Adam Thornton added a comment -

          Basically, it's going to come down to running the Tomcat user as someone other than root, and making sure that /scratch/firefly is owned by that UID.

          The quick-and-dirty way would be to just add a Tomcat user with a fixed UID by adding something like

          RUN adduser -u 91 tomcat

          in the Dockerfile (UID 91 used to be the Tomcat user in old Red Hat; I don't know if that's still the convention in modern times)

          and then

          USER tomcat

          before running the entrypoint.

          There might also have to be a chown -R tomcat of whatever local (not NFS-mounted) directories Tomcat needs to write to.

          The slightly better way to make this more generic is to pass in, say, TOMCAT_USER and TOMCAT_UID as environment variables. Do the useradd with those values, and then the filesystem chown, in a startup wrapper script that does a sudo to the tomcat user and execs the tomcat startup at the end.

          That would let us choose a username and UID that NCSA likes, but keep it flexible enough to not tie ourselves to their LDAP. You could even make the defaults "root" and "0" (with appropriate conditionals in the startup wrapper), so the existing behavior was preserved if the variables are left unspecified.

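          The following is an added example of the "slightly better way" described in the comment above; it is not code from this ticket or from the Firefly project. It is a startup wrapper that reads TOMCAT_USER and TOMCAT_UID (defaulting to root/0 so existing behaviour is preserved), creates the account if needed, chowns only local directories and warns about network mounts instead of recursing into them, and then drops privileges before exec'ing Tomcat. The script name, the Tomcat paths in TOMCAT_WRITABLE_DIRS, the Dockerfile lines in the header comment, and the use of setpriv (util-linux) in place of sudo are all assumptions made for the example; /scratch/firefly is the one path the ticket itself names.

```shell
#!/bin/sh
# firefly-entrypoint.sh (hypothetical name; added example, not project code).
# Start Tomcat as a configurable non-root user. With TOMCAT_USER/TOMCAT_UID
# left at their defaults (root/0) the container behaves exactly as before.
#
# Assumed Dockerfile usage:
#   COPY firefly-entrypoint.sh /usr/local/bin/
#   ENTRYPOINT ["/usr/local/bin/firefly-entrypoint.sh"]
#   CMD ["catalina.sh", "run"]
# and in the pod spec, e.g. TOMCAT_USER=tomcat TOMCAT_UID=91.
set -eu

TOMCAT_USER="${TOMCAT_USER:-root}"
TOMCAT_UID="${TOMCAT_UID:-0}"
# Colon-separated directories Tomcat must be able to write. The Tomcat paths
# are assumptions; /scratch/firefly is the directory named in the ticket.
TOMCAT_WRITABLE_DIRS="${TOMCAT_WRITABLE_DIRS:-/scratch/firefly:/usr/local/tomcat/logs:/usr/local/tomcat/temp:/usr/local/tomcat/work}"

# valid_uid UID: succeed only for a non-negative decimal integer.
valid_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# plan_user NAME UID: print "root" (keep existing behaviour) or
# "drop:NAME:UID" (create NAME with UID and drop privileges to it).
# Refuses a second uid-0 account, "root" with a non-zero UID, and
# non-numeric UIDs, so a typo in the pod spec cannot leave Tomcat as root.
plan_user() {
    if ! valid_uid "$2"; then
        echo "TOMCAT_UID must be numeric, got '$2'" >&2; return 1
    fi
    if [ "$1" = root ] && [ "$2" -eq 0 ]; then
        echo root
    elif [ "$1" = root ] || [ "$2" -eq 0 ]; then
        echo "refusing TOMCAT_USER=$1 with TOMCAT_UID=$2" >&2; return 1
    else
        echo "drop:$1:$2"
    fi
}

# remote_fs_type TYPE: succeed if TYPE (as printed by GNU `stat -f -c %T`) is
# a network filesystem. Ownership there belongs to the file server, and a
# recursive chown from inside the container is wrong or very slow.
remote_fs_type() {
    case "$1" in
        nfs|nfs4|cifs|smb2|smbfs) return 0 ;;
        *) return 1 ;;
    esac
}

# is_remote_dir DIR: if the type cannot be determined, assume remote and skip
# the chown rather than risk recursing over a network mount.
is_remote_dir() {
    fstype=$(stat -f -c %T "$1" 2>/dev/null) || return 0
    remote_fs_type "$fstype"
}

# ensure_user NAME UID: create the account if missing; fail if NAME already
# exists with a different UID, since the chown below would then be wrong.
ensure_user() {
    if existing=$(id -u "$1" 2>/dev/null); then
        [ "$existing" -eq "$2" ] || { echo "user $1 has uid $existing, not $2" >&2; return 1; }
    else
        getent group "$2" >/dev/null || groupadd -g "$2" "$1"
        useradd -u "$2" -g "$2" -M -s /sbin/nologin "$1"
    fi
}

# fix_ownership UID DIRS: chown only local directories; warn about the rest.
fix_ownership() {
    old_ifs=$IFS; IFS=:
    for d in $2; do
        IFS=$old_ifs
        [ -d "$d" ] || continue
        if is_remote_dir "$d"; then
            echo "warning: $d is a network mount; ensure uid $1 can write it" >&2
        else
            chown -R "$1:$1" "$d"
        fi
    done
    IFS=$old_ifs
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        # Already non-root (Dockerfile USER or k8s runAsUser): nothing to set up.
        exec "$@"
    fi
    plan=$(plan_user "$TOMCAT_USER" "$TOMCAT_UID")
    case "$plan" in
        root) exec "$@" ;;
        drop:*)
            ensure_user "$TOMCAT_USER" "$TOMCAT_UID"
            fix_ownership "$TOMCAT_UID" "$TOMCAT_WRITABLE_DIRS"
            # setpriv instead of sudo: no sudoers/requiretty rules, and
            # --no-new-privs keeps setuid binaries from regaining root later.
            exec setpriv --reuid="$TOMCAT_USER" --regid="$TOMCAT_UID" \
                --init-groups --no-new-privs -- "$@" ;;
    esac
}

# Only act when given a command, so the functions can be sourced and tested.
if [ $# -gt 0 ]; then main "$@"; fi
```

          Because the wrapper runs the setup as root and only then drops privileges, the image can keep a root default and still be switched to whatever username and UID NCSA prefers purely through environment variables; the refusal cases in plan_user are the check a practitioner wants so that a mis-set variable fails the pod rather than quietly starting Tomcat as root.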

            People

            Assignee:
            loi Loi Ly
            Reporter:
            xiuqin Xiuqin Wu [X] (Inactive)
            Watchers (5):
            Adam Thornton, Christopher Clausen [X] (Inactive), Gregory Dubois-Felsmann, Michelle Butler [X] (Inactive), Xiuqin Wu [X] (Inactive)
            Votes: 0
