feat: openshift compatible containers by enabling arbitrary UIDs

openvoxdb/Containerfile

@@ -28,7 +28,7 @@
 ARG SSLDIR
 ENV SSLDIR=${SSLDIR:-/opt/puppetlabs/server/data/puppetdb/certs}
 
 ENV \
     CERTNAME="openvoxdb" \
     DEBIAN_FRONTEND=noninteractive \
     DNS_ALT_NAMES="" \
@@ -87,6 +87,29 @@
 # up in the worst case. The other timing parameters are set so that it
 # takes at most a minute to realize that PuppetDB has failed.
 # Probe failure during --start-period will not be counted towards the maximum number of retries
+
+# mirror user permissions to group, set group to root, and set gid bit on dirs
+RUN for d in \
+    /etc/puppetlabs \
+    /var/log/puppetlabs \
+    /var/run/puppetlabs \
+    /opt/puppetlabs/ \
+  ; do \
+    mkdir -p "$d"; \
+    chgrp -R 0 "$d"; \
+    chmod -R g=u "$d"; \
+    find "$d" -type d -exec chmod g+s {} +; \
+  done
+
+# the startup script has a check if the current user is puppetdb, this won't work with arbitrary UIDs
+# we can workaround the check by not setting a USER
+RUN sed -i 's/^USER="puppetdb"/USER=""/' /etc/default/puppetdb
+USER puppetdb:0
+
+# the foreground script that starts puppetdb tries to install a restartfile with a certain user.
+# we don't need it in a container and it also is incompatible with arbitrary UIDs
+RUN sed -i 's/^init_restart_file/#init_restart_file/' /opt/puppetlabs/server/apps/puppetdb/cli/apps/foreground
+
 # NOTE: k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
 HEALTHCHECK --start-period=5m --interval=10s --timeout=10s --retries=6 CMD ["/healthcheck.sh"]
 

openvoxdb/container-entrypoint.d/20-configure-ssl.sh

@@ -10,9 +10,3 @@ if [ "$USE_OPENVOXSERVER" = true ]; then
   # enable SSL in Jetty
   sed -i '/^# ssl-/s/^# //g' /etc/puppetlabs/puppetdb/conf.d/jetty.ini
 fi
-
-if [ -w "$SSLDIR" ] && [ "$(id -un)" = "root" ]; then
-  # make sure Java apps running as puppetdb can read these files
-  echo "Setting ownership for $SSLDIR to puppetdb:puppetdb"
-  chown -R puppetdb:puppetdb ${SSLDIR}
-fi

openvoxdb/ssl.sh

@@ -152,14 +152,6 @@ ca_running() {
         httpsreq_insecure "$(get "${CA}/certificate/ca")" > /dev/null
 }
 
-set_file_perms() {
-    msg "Securing permissions on ${SSLDIR}"
-
-    # 700 for directories, 600 for files
-    find "${SSLDIR}/." -type d -exec chmod u=rwx,g=,o= -- {} +
-    find "${SSLDIR}/." -type f -exec chmod u=rw,g=,o= -- {} +
-}
-
 ### Verify we got a signed certificate
 verify_cert() {
     if [ -f "${CERTFILE}" ] && [ "$(head -1 "${CERTFILE}")" = "${CERTHEADER}" ]; then
@@ -260,7 +252,6 @@ msg "* WAITFORCERT: '${WAITFORCERT}' seconds"
 certnames=$(cd "${PRIVKEYDIR}" && ls -A -m -- *.pem 2> /dev/null)
 if [ -s "${CERTFILE}" ]; then
     msg "Certificates (${certnames}) have already been generated - exiting!"
-    set_file_perms
     exit 0
 # warn when rekeying an existing host as it's typically user error
 elif [ -n "${certnames}" ]; then
@@ -373,6 +364,4 @@ if ! cert=$(retry_httpsreq "$CERTREQ" $((WAITFORCERT)) 10); then
 fi
 printf "%s\n" "${cert}" > "${CERTFILE}"
 
-set_file_perms
-
 verify_cert