From 488b1af50c40f14e6b47d420ba0983f81487972d Mon Sep 17 00:00:00 2001 From: Matt Rogers Date: Fri, 24 May 2024 11:58:04 +0100 Subject: [PATCH 1/4] fix: dynamic gids for openshift --- dockerfiles/base/Dockerfile.ubi | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dockerfiles/base/Dockerfile.ubi b/dockerfiles/base/Dockerfile.ubi index db16d14dc..8921d309c 100644 --- a/dockerfiles/base/Dockerfile.ubi +++ b/dockerfiles/base/Dockerfile.ubi @@ -91,8 +91,9 @@ EOF COPY --from=broker-builder /opt/app-root/src/.npm-global /opt/app-root/src/.npm-global COPY --from=node-base /tmp/node/bin/node /usr/bin/node -COPY --chown=snyk:snyk config.default.json /home/snyk/config.default.json -COPY --chown=snyk:snyk defaultFilters /home/snyk/defaultFilters +COPY --chown=snyk:root config.default.json /home/snyk/config.default.json +COPY --chown=snyk:root defaultFilters /home/snyk/defaultFilters +RUN chown -R snyk:root /home/snyk WORKDIR /home/snyk USER snyk From 1c0f6ac4612a55c7f2bc70594eac1c2440af511a Mon Sep 17 00:00:00 2001 From: Matt Rogers Date: Fri, 24 May 2024 13:27:44 +0100 Subject: [PATCH 2/4] fix: ensure read/execute permissions for root group --- dockerfiles/base/Dockerfile.ubi | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/dockerfiles/base/Dockerfile.ubi b/dockerfiles/base/Dockerfile.ubi index 8921d309c..20b24b59d 100644 --- a/dockerfiles/base/Dockerfile.ubi +++ b/dockerfiles/base/Dockerfile.ubi @@ -11,8 +11,6 @@ RUN mkdir -p /tmp/node && \ curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.xz" && \ tar -xJf "node-v$NODE_VERSION-linux-x64.tar.xz" -C /tmp/node --strip-components=1 - - FROM node-base as broker-builder ARG BROKER_VERSION 
@@ -93,7 +91,6 @@ COPY --from=broker-builder /opt/app-root/src/.npm-global /opt/app-root/src/.npm- COPY --from=node-base /tmp/node/bin/node /usr/bin/node COPY --chown=snyk:root config.default.json /home/snyk/config.default.json COPY --chown=snyk:root defaultFilters /home/snyk/defaultFilters -RUN chown -R snyk:root /home/snyk +RUN chgrp -R 0 /home/snyk && chmod -R 775 /home/snyk WORKDIR /home/snyk -USER snyk From c39364aa25c8257f6a1a1984d82bd6ba68fba936 Mon Sep 17 00:00:00 2001 From: Matt Rogers Date: Fri, 24 May 2024 13:54:13 +0100 Subject: [PATCH 3/4] fix: move ownership changes from base to SCM dockerfiles --- dockerfiles/Dockerfile.ubi | 3 +++ dockerfiles/base/Dockerfile.ubi | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/dockerfiles/Dockerfile.ubi b/dockerfiles/Dockerfile.ubi index ea11db970..540d5cdd3 100644 --- a/dockerfiles/Dockerfile.ubi +++ b/dockerfiles/Dockerfile.ubi @@ -10,6 +10,9 @@ ENV BROKER_TYPE=${BROKER_TYPE} # Generate default accept filter RUN broker init $BROKER_TYPE +# Ensure OpenShift compatibility +USER root +RUN chgrp -R 0 /home/snyk && chmod -R 755 /home/snyk USER snyk CMD ["broker", "--verbose"] diff --git a/dockerfiles/base/Dockerfile.ubi b/dockerfiles/base/Dockerfile.ubi index 20b24b59d..8d6850fe8 100644 --- a/dockerfiles/base/Dockerfile.ubi +++ b/dockerfiles/base/Dockerfile.ubi @@ -89,8 +89,8 @@ EOF COPY --from=broker-builder /opt/app-root/src/.npm-global /opt/app-root/src/.npm-global COPY --from=node-base /tmp/node/bin/node /usr/bin/node -COPY --chown=snyk:root config.default.json /home/snyk/config.default.json -COPY --chown=snyk:root defaultFilters /home/snyk/defaultFilters -RUN chgrp -R 0 /home/snyk && chmod -R 775 /home/snyk +COPY --chown=snyk:snyk config.default.json /home/snyk/config.default.json +COPY --chown=snyk:snyk defaultFilters /home/snyk/defaultFilters WORKDIR /home/snyk +USER snyk From 73106d157e28458fed504be48fc6ea5cf4fc22e6 Mon Sep 17 00:00:00 2001 
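Review bot: `chmod -R 775 /home/snyk` in the PATCH 2/4 base hunk applies one numeric mode to every path, so data files such as `config.default.json` and the `defaultFilters` tree become executable and group-writable, and everything under the home directory becomes world-readable. The same blanket mode appears as `chmod -R 755` in the `dockerfiles/Dockerfile.ubi` hunk of PATCH 3/4. A symbolic mode keeps directories traversable without marking files executable: `RUN chgrp -R 0 /home/snyk && chmod -R g+rX /home/snyk` (or `g=u` if the arbitrary OpenShift UID must also write there). This hunk also drops the trailing `USER snyk`; unless another `USER` follows outside the hunk, an image built at this commit defaults to root until PATCH 3/4 restores the line, so keeping `USER snyk` here would avoid a root-by-default intermediate state.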
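Review bot: The comment `# Ensure OpenShift compatibility` added in the `dockerfiles/Dockerfile.ubi` hunk of PATCH 3/4 does not say what the requirement is or why the mode changed from the 775 of PATCH 2/4 to 755. OpenShift typically runs the container under an arbitrary UID that belongs to group 0, so with `755` and owner `snyk` that UID gets read and traverse access to `/home/snyk` but cannot write there. If the read-only home is intentional, say so in the comment, e.g. `# OpenShift runs as an arbitrary UID in GID 0: give group 0 read/traverse on /home/snyk (no group write by design)`. If the broker writes under `/home/snyk` at runtime (not visible in this hunk), the group needs write on those specific paths rather than a recursive mode change.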
From: Matthew Rogers Date: Fri, 24 May 2024 13:55:05 +0100 Subject: [PATCH 4/4] fix: revert spacing changes --- dockerfiles/base/Dockerfile.ubi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dockerfiles/base/Dockerfile.ubi b/dockerfiles/base/Dockerfile.ubi index 8d6850fe8..db16d14dc 100644 --- a/dockerfiles/base/Dockerfile.ubi +++ b/dockerfiles/base/Dockerfile.ubi @@ -11,6 +11,8 @@ RUN mkdir -p /tmp/node && \ curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.xz" && \ tar -xJf "node-v$NODE_VERSION-linux-x64.tar.xz" -C /tmp/node --strip-components=1 + + FROM node-base as broker-builder ARG BROKER_VERSION