refactor(ct): change security related variable names for clarity

Variable names related to user, password, and domain in Dockerfile and scripts have been modified for better clarity and consistency. This includes changing the names of admin user and password, domain master password, and Linux password and user.
IQSS · Jul 15, 2024 · c1c6b16 · c1c6b16
1 parent 904229f
commit c1c6b16
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 38 deletions.
diff --git a/modules/container-base/src/main/docker/Dockerfile b/modules/container-base/src/main/docker/Dockerfile
@@ -41,16 +41,18 @@ ENV PAYARA_DIR="${HOME_DIR}/appserver" \
     STORAGE_DIR="/dv" \
     SECRETS_DIR="/secrets" \
     DUMPS_DIR="/dumps" \
-    ADMIN_USER="admin" \
+    PAYARA_ADMIN_USER="admin" \
     # This is a public default, easy to change via this env var at runtime
-    ADMIN_PASSWORD="admin" \
+    PAYARA_ADMIN_PASSWORD="admin" \
     DOMAIN_NAME="domain1" \
     # This is the public default as per https://docs.payara.fish/community/docs/Technical%20Documentation/Payara%20Server%20Documentation/Security%20Guide/Administering%20System%20Security.html#to-change-the-master-password
     # Can be changed at runtime via this env var
-    DOMAIN_MASTER_PASSWORD="changeit" \
+    DOMAIN_PASSWORD="changeit" \
     PAYARA_ARGS="" \
+    LINUX_USER="payara" \
+    LINUX_GROUP="payara" \
     # This is a public default and can be changed at runtime using this env var
-    LINUX_USER_PASSWORD="payara"
+    LINUX_PASSWORD="payara"
 ENV PATH="${PATH}:${PAYARA_DIR}/bin:${SCRIPT_DIR}" \
     DOMAIN_DIR="${PAYARA_DIR}/glassfish/domains/${DOMAIN_NAME}" \
     DEPLOY_PROPS="" \
@@ -77,6 +79,7 @@ ARG GID=1000
 # Auto-populated by BuildKit / buildx
 #ARG TARGETARCH="amd64"
 ARG TARGETARCH
+
 USER root
 WORKDIR /
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
@@ -90,13 +93,13 @@ RUN <<EOF
     userdel --force --remove ubuntu || true
     groupdel -f ubuntu || true # for some reason, groupdel on Ubuntu 22.04 does not like --force
     # Create user
-    groupadd --gid ${GID} payara
-    useradd --system --uid ${UID} --no-create-home --shell /bin/false --home "${HOME_DIR}" --gid payara payara
-    echo "payara:$LINUX_USER_PASSWORD" | chpasswd
+    groupadd --gid "${GID}" "${LINUX_GROUP}"
+    useradd --system --uid "${UID}" --no-create-home --shell /bin/false --home "${HOME_DIR}" --gid "${LINUX_GROUP}" "${LINUX_USER}"
+    echo "${LINUX_USER}:$LINUX_PASSWORD" | chpasswd
     # Set permissions
     # Note: Following OpenShift best practices for arbitrary user id support:
     #       https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#use-uid_create-images
-    chown -R payara:0 "${HOME_DIR}" "${STORAGE_DIR}" "${SECRETS_DIR}" "${DUMPS_DIR}"
+    chown -R "${LINUX_USER}:0" "${HOME_DIR}" "${STORAGE_DIR}" "${SECRETS_DIR}" "${DUMPS_DIR}"
     chmod -R g=u "${HOME_DIR}" "${STORAGE_DIR}" "${SECRETS_DIR}" "${DUMPS_DIR}"
 EOF
 
@@ -132,28 +135,28 @@ EOF
 
 ### PART 2: PAYARA ###
 # After setting up system, now configure Payara
-USER payara
+USER ${LINUX_USER}
 WORKDIR ${HOME_DIR}
 
 # Copy Payara from build context (cached by Maven)
-COPY --chown=payara:payara maven/appserver ${PAYARA_DIR}/
+COPY --chown=${LINUX_USER}:${LINUX_GROUP} maven/appserver ${PAYARA_DIR}/
 
 # Copy the system (appserver level) scripts like entrypoint, etc
-COPY --chown=payara:payara maven/scripts ${SCRIPT_DIR}/
+COPY --chown=${LINUX_USER}:${LINUX_USER} maven/scripts ${SCRIPT_DIR}/
 
 # Configure the domain to be container and production ready
 # -- This is mostly inherited from the "production domain template", experience with Dataverse and
 #    https://blog.payara.fish/fine-tuning-payara-server-5-in-production
 RUN <<EOF
     # Set admin password
     echo "AS_ADMIN_PASSWORD=" > /tmp/password-change-file.txt
-    echo "AS_ADMIN_NEWPASSWORD=${ADMIN_PASSWORD}" >> /tmp/password-change-file.txt
-    asadmin --user=${ADMIN_USER} --passwordfile=/tmp/password-change-file.txt change-admin-password --domain_name=${DOMAIN_NAME}
+    echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> /tmp/password-change-file.txt
+    asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=/tmp/password-change-file.txt change-admin-password --domain_name=${DOMAIN_NAME}
 
     # Prepare shorthand
     PASSWORD_FILE=$(mktemp)
-    echo "AS_ADMIN_PASSWORD=${ADMIN_PASSWORD}" >> ${PASSWORD_FILE}
-    ASADMIN="${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE}"
+    echo "AS_ADMIN_PASSWORD=${PAYARA_ADMIN_PASSWORD}" >> ${PASSWORD_FILE}
+    ASADMIN="${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PASSWORD_FILE}"
 
     # Start domain for configuration
     ${ASADMIN} start-domain ${DOMAIN_NAME}
@@ -243,7 +246,7 @@ USER root
 RUN true && \
     chgrp -R 0 "${DOMAIN_DIR}" && \
     chmod -R g=u "${DOMAIN_DIR}"
-USER payara
+USER ${LINUX_USER}
 
 # Set the entrypoint to tini (as a process supervisor)
 ENTRYPOINT ["/usr/bin/dumb-init", "--"]

diff --git a/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh b/modules/container-base/src/main/docker/scripts/init_1_change_passwords.sh
@@ -7,37 +7,37 @@ set -euo pipefail
 
 # Someone set the env var for passwords - get the new password in. Otherwise print warning.
 # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#avoid-default-passwords
-if [ "$LINUX_USER_PASSWORD" != "payara" ]; then
-  echo -e "payara\n$LINUX_USER_PASSWORD\n$LINUX_USER_PASSWORD" | passwd
+if [ "$LINUX_PASSWORD" != "payara" ]; then
+  echo -e "$LINUX_USER\n$LINUX_PASSWORD\n$LINUX_PASSWORD" | passwd
 else
-  echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER payara! ('payara')"
-  echo "           To change the password, set the LINUX_USER_PASSWORD env var."
+  echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR USER \"${LINUX_USER}\"! ('payara')"
+  echo "           To change the password, set the LINUX_PASSWORD env var."
 fi
 
 # Change the domain admin password if necessary
-if [ "$ADMIN_PASSWORD" != "admin" ]; then
+if [ "$PAYARA_ADMIN_PASSWORD" != "admin" ]; then
   PASSWORD_FILE=$(mktemp)
   echo "AS_ADMIN_PASSWORD=admin" > "$PASSWORD_FILE"
-  echo "AS_ADMIN_NEWPASSWORD=${ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
-  asadmin --user="${ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
+  echo "AS_ADMIN_NEWPASSWORD=${PAYARA_ADMIN_PASSWORD}" >> "$PASSWORD_FILE"
+  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-admin-password --domain_name="${DOMAIN_NAME}"
   rm "$PASSWORD_FILE"
 else
-  echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ASADMIN! ('admin')"
-  echo "           To change the password, set the ADMIN_PASSWORD env var."
+  echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT PASSWORD FOR PAYARA ADMIN \"${PAYARA_ADMIN_USER}\"! ('admin')"
+  echo "           To change the password, set the PAYARA_ADMIN_PASSWORD env var."
 fi
 
 # Change the domain master password if necessary
 # > The master password is not tied to a user account, and it is not used for authentication.
 # > Instead, Payara Server strictly uses the master password to ONLY encrypt the keystore and truststore used to store keys and certificates for the DAS and instances usage.
 # It will be requested when booting the application server!
 # https://docs.payara.fish/community/docs/Technical%20Documentation/Payara%20Server%20Documentation/Security%20Guide/Administering%20System%20Security.html#to-change-the-master-password
-if [ "$DOMAIN_MASTER_PASSWORD" != "changeit" ]; then
+if [ "$DOMAIN_PASSWORD" != "changeit" ]; then
   PASSWORD_FILE=$(mktemp)
   echo "AS_ADMIN_MASTERPASSWORD=changeit" >> "$PASSWORD_FILE"
-  echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_MASTER_PASSWORD}" >> "$PASSWORD_FILE"
-  asadmin --user="${ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
+  echo "AS_ADMIN_NEWMASTERPASSWORD=${DOMAIN_PASSWORD}" >> "$PASSWORD_FILE"
+  asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" change-master-password --savemasterpassword false "${DOMAIN_NAME}"
   rm "$PASSWORD_FILE"
 else
-  echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT MASTER PASSWORD FOR THE DOMAIN! ('changeit')"
-  echo "           To change the password, set the DOMAIN_MASTER_PASSWORD env var."
+  echo "IMPORTANT: THIS CONTAINER USES THE DEFAULT DOMAIN \"MASTER\" PASSWORD! ('changeit')"
+  echo "           To change the password, set the DOMAIN_PASSWORD env var."
 fi
diff --git a/modules/container-base/src/main/docker/scripts/startInForeground.sh b/modules/container-base/src/main/docker/scripts/startInForeground.sh
@@ -32,9 +32,9 @@
 ##########################################################################################################
 
 # Check required variables are set
-if [ -z "$ADMIN_USER" ]; then echo "Variable ADMIN_USER is not set."; exit 1; fi
-if [ -z "$ADMIN_PASSWORD" ]; then echo "Variable ADMIN_PASSWORD is not set."; exit 1; fi
-if [ -z "$DOMAIN_MASTER_PASSWORD" ]; then echo "Variable DOMAIN_MASTER_PASSWORD is not set."; exit 1; fi
+if [ -z "$PAYARA_ADMIN_USER" ]; then echo "Variable ADMIN_USER is not set."; exit 1; fi
+if [ -z "$PAYARA_ADMIN_PASSWORD" ]; then echo "Variable ADMIN_PASSWORD is not set."; exit 1; fi
+if [ -z "$DOMAIN_PASSWORD" ]; then echo "Variable DOMAIN_PASSWORD is not set."; exit 1; fi
 if [ -z "$PREBOOT_COMMANDS_FILE" ]; then echo "Variable PREBOOT_COMMANDS_FILE is not set."; exit 1; fi
 if [ -z "$POSTBOOT_COMMANDS_FILE" ]; then echo "Variable POSTBOOT_COMMANDS_FILE is not set."; exit 1; fi
 if [ -z "$DOMAIN_NAME" ]; then echo "Variable DOMAIN_NAME is not set."; exit 1; fi
@@ -46,10 +46,10 @@ fi
 
 # For safety reasons, do no longer expose the passwords - malicious code could extract it!
 # (We need to save the master password for booting the server though)
-MASTER_PASSWORD="${DOMAIN_MASTER_PASSWORD}"
-export LINUX_USER_PASSWORD="have-some-scrambled-eggs"
-export ADMIN_PASSWORD="have-some-scrambled-eggs"
-export DOMAIN_MASTER_PASSWORD="have-some-scrambled-eggs"
+MASTER_PASSWORD="${DOMAIN_PASSWORD}"
+export LINUX_PASSWORD="have-some-scrambled-eggs"
+export PAYARA_ADMIN_PASSWORD="have-some-scrambled-eggs"
+export DOMAIN_PASSWORD="have-some-scrambled-eggs"
 
 # The following command gets the command line to be executed by start-domain
 # - print the command line to the server with --dry-run, each argument on a separate line
@@ -66,7 +66,7 @@ PASSWORD_FILE=$(mktemp)
 echo "AS_ADMIN_MASTERPASSWORD=$MASTER_PASSWORD" > "$PASSWORD_FILE"
 # shellcheck disable=SC2068
 #   -- Using $@ is necessary here as asadmin cannot deal with options enclosed in ""!
-OUTPUT=$("${PAYARA_DIR}"/bin/asadmin --user="${ADMIN_USER}" --passwordfile="$PASSWORD_FILE" start-domain --dry-run --prebootcommandfile="${PREBOOT_COMMANDS_FILE}" --postbootcommandfile="${POSTBOOT_COMMANDS_FILE}" $@ "$DOMAIN_NAME")
+OUTPUT=$("${PAYARA_DIR}"/bin/asadmin --user="${PAYARA_ADMIN_USER}" --passwordfile="$PASSWORD_FILE" start-domain --dry-run --prebootcommandfile="${PREBOOT_COMMANDS_FILE}" --postbootcommandfile="${POSTBOOT_COMMANDS_FILE}" $@ "$DOMAIN_NAME")
 STATUS=$?
 rm "$PASSWORD_FILE"
 if [ "$STATUS" -ne 0 ]