Switch to safer bootstrap method & skip locked down files

This commit is contained in:
Dave Chevell 2019-09-06 10:34:36 +10:00
parent 4067f473d1
commit 0ab1700523
No known key found for this signature in database
GPG Key ID: 279DF1B52C7C44DC
4 changed files with 10 additions and 18 deletions

View File

@ -40,9 +40,6 @@ RUN groupadd --gid ${RUN_GID} ${RUN_GROUP} \
&& chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/logs \ && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/logs \
&& chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/temp \ && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/temp \
&& chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/work \ && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/work \
&& chown ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/conf/server.xml \
&& chown ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/confluence/WEB-INF/classes/seraph-config.xml \
&& chown ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/confluence/WEB-INF/classes/confluence-init.properties \
&& chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_HOME} \ && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_HOME} \
\ \
&& sed -i -e 's/-Xms\([0-9]\+[kmg]\) -Xmx\([0-9]\+[kmg]\)/-Xms\${JVM_MINIMUM_MEMORY:=\1} -Xmx\${JVM_MAXIMUM_MEMORY:=\2} \${JVM_SUPPORT_RECOMMENDED_ARGS} -Dconfluence.home=\${CONFLUENCE_HOME}/g' ${CONFLUENCE_INSTALL_DIR}/bin/setenv.sh && sed -i -e 's/-Xms\([0-9]\+[kmg]\) -Xmx\([0-9]\+[kmg]\)/-Xms\${JVM_MINIMUM_MEMORY:=\1} -Xmx\${JVM_MAXIMUM_MEMORY:=\2} \${JVM_SUPPORT_RECOMMENDED_ARGS} -Dconfluence.home=\${CONFLUENCE_HOME}/g' ${CONFLUENCE_INSTALL_DIR}/bin/setenv.sh

View File

@ -39,9 +39,6 @@ RUN addgroup -g ${RUN_GID} ${RUN_GROUP} \
&& chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/logs \ && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/logs \
&& chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/temp \ && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/temp \
&& chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/work \ && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/work \
&& chown ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/conf/server.xml \
&& chown ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/confluence/WEB-INF/classes/seraph-config.xml \
&& chown ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_INSTALL_DIR}/confluence/WEB-INF/classes/confluence-init.properties \
&& chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_HOME} \ && chown -R ${RUN_USER}:${RUN_GROUP} ${CONFLUENCE_HOME} \
\ \
&& sed -i -e 's/-Xms\([0-9]\+[kmg]\) -Xmx\([0-9]\+[kmg]\)/-Xms\${JVM_MINIMUM_MEMORY:=\1} -Xmx\${JVM_MAXIMUM_MEMORY:=\2} \${JVM_SUPPORT_RECOMMENDED_ARGS} -Dconfluence.home=\${CONFLUENCE_HOME}/g' ${CONFLUENCE_INSTALL_DIR}/bin/setenv.sh && sed -i -e 's/-Xms\([0-9]\+[kmg]\) -Xmx\([0-9]\+[kmg]\)/-Xms\${JVM_MINIMUM_MEMORY:=\1} -Xmx\${JVM_MAXIMUM_MEMORY:=\2} \${JVM_SUPPORT_RECOMMENDED_ARGS} -Dconfluence.home=\${CONFLUENCE_HOME}/g' ${CONFLUENCE_INSTALL_DIR}/bin/setenv.sh

View File

@ -48,17 +48,17 @@ env = {k.lower(): v
###################################################################### ######################################################################
# Generate all configuration files for Confluence # Generate all configuration files for Confluence
gen_cfg('server.xml.j2', if os.getuid() == 0:
f"{env['confluence_install_dir']}/conf/server.xml", env, gen_cfg('server.xml.j2',
user=env['run_user'], group=env['run_group']) f"{env['confluence_install_dir']}/conf/server.xml", env)
gen_cfg('seraph-config.xml.j2', gen_cfg('seraph-config.xml.j2',
f"{env['confluence_install_dir']}/confluence/WEB-INF/classes/seraph-config.xml", env, f"{env['confluence_install_dir']}/confluence/WEB-INF/classes/seraph-config.xml", env)
user=env['run_user'], group=env['run_group'])
gen_cfg('confluence-init.properties.j2', gen_cfg('confluence-init.properties.j2',
f"{env['confluence_install_dir']}/confluence/WEB-INF/classes/confluence-init.properties", env, f"{env['confluence_install_dir']}/confluence/WEB-INF/classes/confluence-init.properties", env)
user=env['run_user'], group=env['run_group']) else:
logging.warning("Container not started as root. Tomcat, seraph-config.xml, confluence-init.properties boostrapping will be skipped.")
gen_cfg('confluence.cfg.xml.j2', gen_cfg('confluence.cfg.xml.j2',
f"{env['confluence_home']}/confluence.cfg.xml", env, f"{env['confluence_home']}/confluence.cfg.xml", env,

View File

@ -67,9 +67,7 @@ def test_install_permissions(docker_cli, image):
assert container.file(f'{CONF_INSTALL}').user == 'root' assert container.file(f'{CONF_INSTALL}').user == 'root'
for d in ['logs', 'work', 'temp', 'conf/server.xml', for d in ['logs', 'work', 'temp']:
'confluence/WEB-INF/classes/seraph-config.xml',
'confluence/WEB-INF/classes/confluence-init.properties']:
path = f'{CONF_INSTALL}/{d}' path = f'{CONF_INSTALL}/{d}'
assert container.file(path).user == 'confluence' assert container.file(path).user == 'confluence'