diff --git a/dev/atc.dev.sh b/dev/atc.dev.sh index 9d3a819c87..128f3e52c6 100644 --- a/dev/atc.dev.sh +++ b/dev/atc.dev.sh @@ -137,7 +137,7 @@ function atc { return "$?"; } -export t3cDir="/root/go/src/github.com/apache/trafficcontrol/cache-config"; +export t3cDir="/go/src/github.com/apache/trafficcontrol/cache-config"; function t3c { trap 'atc-exec t3c ps | grep dlv | tr -s " " | cut -d " " -f1 | xargs docker exec trafficcontrol_t3c_1 kill' INT; diff --git a/dev/t3c/Dockerfile b/dev/t3c/Dockerfile index 411dc029fb..6f2f384450 100644 --- a/dev/t3c/Dockerfile +++ b/dev/t3c/Dockerfile @@ -23,7 +23,7 @@ ENV PATH=/usr/local/go/bin:${PATH} \ GOPATH=/go ENV PATH=${GOPATH}/bin:${PATH} -ENV TC="/root/go/src/github.com/apache/trafficcontrol/" GOFLAGS="--buildvcs=false" +ENV TC="/go/src/github.com/apache/trafficcontrol" GOFLAGS="--buildvcs=false" VOLUME $TC EXPOSE 80 8081 @@ -35,8 +35,9 @@ RUN apk add --no-cache \ make \ # gcc and musl-dev are used to build packages using CGO gcc musl-dev && \ - go install github.com/go-delve/delve/cmd/dlv@latest + go install github.com/go-delve/delve/cmd/dlv@latest && \ + rm -rf $GOPATH/pkg/* RUN echo "stats_over_http.so" >> /etc/trafficserver/plugin.config && echo "system_stats.so" >> /etc/trafficserver/plugin.config -CMD /root/go/src/github.com/apache/trafficcontrol/dev/t3c/run.sh +CMD ${TC}/dev/t3c/run.sh diff --git a/dev/t3c/run.sh b/dev/t3c/run.sh index 9f1c2e36c6..e6e22a1f2f 100755 --- a/dev/t3c/run.sh +++ b/dev/t3c/run.sh @@ -18,9 +18,27 @@ # under the License. set -o errexit +set -o xtrace trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' EXIT cd "$TC/tc-health-client" + +user=ats +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" +if [[ "$(id -u)" != "$uid" ]]; then + for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do + if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + + sed -Ei "s/^(${user}:.*:)([0-9]+:){2}(.*)/\1${uid}:${gid}:\3/" /etc/passwd + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + chown -R "${uid}:${gid}" /usr/bin "/home/${user}" /etc/trafficserver /var/log/trafficserver /var/trafficserver + exec su "$user" -- "$0" +fi + go build --gcflags "all=-N -l" . cd "$TC/cache-config" @@ -38,11 +56,11 @@ if [[ ! -f /usr/bin/tc-health-client ]]; then ln -s "$TC/tc-health-client/tc-health-client" /usr/bin/ fi -su -c traffic_server ats & +traffic_server & while inotifywait --exclude '.*(\.md|\.json|\.pl|\.rst|_test\.go|\.gitignore|__debug_bin|-logrotate|.service)$|^\./(build|t3c-check-refs/test-files|testing|t3util/testing|tm-health-client/(config|tmagent)/test_files)/.*' -e modify -r . ; do T3C_PID="$(ps | grep t3c | grep -v grep | grep -v inotifywait | grep -v run.sh | tr -s ' ' | cut -d ' ' -f2)" - if [[ ! -z "$T3"]]; then + if [[ ! -z "$T3" ]]; then echo "$T3C_PID" | xargs kill; fi # TODO: is it even necessary to restart ATS? @@ -50,7 +68,7 @@ while inotifywait --exclude '.*(\.md|\.json|\.pl|\.rst|_test\.go|\.gitignore|__d rm /var/trafficserver/server.lock; fi ps | grep traffic_server | grep -v grep | tr -s ' ' | cut -d ' ' -f2 | xargs kill - su -c traffic_server ats & + traffic_server & # for whatever reason, without this the repeated call to inotifywait will # sometimes lose track of th current directory. It spits out: # Couldn't watch .: No such file or directory diff --git a/dev/tpv2/Dockerfile b/dev/tpv2/Dockerfile index b771b5da25..11dbd280a3 100644 --- a/dev/tpv2/Dockerfile +++ b/dev/tpv2/Dockerfile @@ -20,14 +20,15 @@ RUN openssl genrsa -passout pass:x -out server.pass.key 2048 && \ openssl req -new -key server.key -out server.csr \ -subj "/C=US/ST=CO/L=Denver/O=Apache/OU=Traffic Control/CN=trafficops.dev.ciab.test" && \ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt && \ - openssl rand 32 | base64 > /aes.key + openssl rand 32 | base64 > /aes.key && \ + chmod 644 /server.key /aes.key FROM node:14-bullseye AS tpv2-dev -ENV TC="/root/go/src/github.com/apache/trafficcontrol/" -VOLUME /root/go/src/github.com/apache/trafficcontrol +ENV TC="/go/src/github.com/apache/trafficcontrol" +VOLUME $TC EXPOSE 443 COPY --from=certbuilder /server.key /server.crt / -CMD /root/go/src/github.com/apache/trafficcontrol/dev/tpv2/run.sh +CMD ${TC}/dev/tpv2/run.sh diff --git a/dev/tpv2/run.sh b/dev/tpv2/run.sh index 35da81bda9..26f01eaf50 100755 --- a/dev/tpv2/run.sh +++ b/dev/tpv2/run.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,5 +16,24 @@ set -o errexit cd "$TC/experimental/traffic-portal" + +user=tpv2 +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" +if [[ "$(id -u)" != "$uid" ]]; then + for dir in "${TC}/.npm" .angular node_modules; do + if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + + if ! adduser --disabled-password -u "$uid" "$user"; then + user="$(cat /etc/passwd | grep :x:${uid}: | cut -d: -f1)" + fi + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + chown "${uid}:${gid}" /usr/bin + exec su "$user" -- "$0" +fi + npm ci --ignore-scripts ./node_modules/.bin/ng serve --ssl --ssl-cert /server.crt --ssl-key /server.key --watch --proxy-config "$TC/dev/tpv2/proxy.json" --port 443 --host "::0" --live-reload diff --git a/dev/traffic_monitor/Dockerfile b/dev/traffic_monitor/Dockerfile index 6c7428b79b..623f5487bd 100644 --- a/dev/traffic_monitor/Dockerfile +++ b/dev/traffic_monitor/Dockerfile @@ -14,11 +14,13 @@ ARG GO_VERSION FROM golang:${GO_VERSION}-alpine AS trafficmonitor-dev -ENV TC=/root/go/src/github.com/apache/trafficcontrol GOFLAGS="--buildvcs=false" -VOLUME /root/go/src/github.com/apache/trafficcontrol +ENV TC=/go/src/github.com/apache/trafficcontrol GOFLAGS="--buildvcs=false" +VOLUME $TC EXPOSE 80 81 -RUN apk add --no-cache inotify-tools gcc libc-dev && go install github.com/go-delve/delve/cmd/dlv@latest && ln -s /root/go/bin/dlv /usr/bin/dlv +RUN apk add --no-cache inotify-tools gcc libc-dev && \ + go install github.com/go-delve/delve/cmd/dlv@latest && \ + rm -rf $GOPATH/pkg/* RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 -CMD /root/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/run.sh +CMD ${TC}/dev/traffic_monitor/run.sh diff --git a/dev/traffic_monitor/run.sh b/dev/traffic_monitor/run.sh index cd3b655ad6..0ce89e5e51 100755 --- a/dev/traffic_monitor/run.sh +++ b/dev/traffic_monitor/run.sh @@ -17,9 +17,24 @@ # under the License. set -o errexit +set -o xtrace trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' EXIT cd "$TC/traffic_monitor" +user=trafficmonitor +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" +if [[ "$(id -u)" != "$uid" ]]; then + for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do + if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + + adduser -Du"$uid" "$user" + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + exec su "$user" -- "$0" +fi dlv --accept-multiclient --continue --listen=:81 --headless --api-version=2 debug -- --opsCfg="$TC/dev/traffic_monitor/ops.config.json" --config="$TC/dev/traffic_monitor/tm.config.json" & diff --git a/dev/traffic_monitor/tm.config.json b/dev/traffic_monitor/tm.config.json index 3834cf6ac4..e778226b0f 100644 --- a/dev/traffic_monitor/tm.config.json +++ b/dev/traffic_monitor/tm.config.json @@ -12,7 +12,7 @@ "log_location_debug": "stdout", "serve_read_timeout_ms": 86400000, "serve_write_timeout_ms": 86400000, - "static_file_dir": "/root/go/src/github.com/apache/trafficcontrol/traffic_monitor/static/", - "crconfig_backup_file": "/root/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/snapshot.backup.json", - "tmconfig_backup_file": "/root/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/monitoring.snapshot.backup.json" + "static_file_dir": "/go/src/github.com/apache/trafficcontrol/traffic_monitor/static/", + "crconfig_backup_file": "/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/snapshot.backup.json", + "tmconfig_backup_file": "/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/monitoring.snapshot.backup.json" } diff --git a/dev/traffic_ops/Dockerfile b/dev/traffic_ops/Dockerfile index 195eab2856..5e68bf2ef3 100644 --- a/dev/traffic_ops/Dockerfile +++ b/dev/traffic_ops/Dockerfile @@ -20,22 +20,23 @@ RUN openssl genrsa -passout pass:x -out server.pass.key 2048 && \ openssl req -new -key server.key -out server.csr \ -subj "/C=US/ST=CO/L=Denver/O=Apache/OU=Traffic Control/CN=trafficops.dev.ciab.test" && \ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt && \ - openssl rand 32 | base64 > /aes.key + openssl rand 32 | base64 > /aes.key && \ + chmod 644 /server.key /aes.key FROM golang:${GO_VERSION}-alpine AS trafficops-dev -ENV TC="/root/go/src/github.com/apache/trafficcontrol/" GOFLAGS="--buildvcs=false" -VOLUME /root/go/src/github.com/apache/trafficcontrol +ENV TC="/go/src/github.com/apache/trafficcontrol" GOFLAGS="--buildvcs=false" +VOLUME $TC ENV ADMIN="$TC/traffic_ops/app/db/admin" EXPOSE 443 6444 COPY --from=certbuilder /server.key /server.crt /aes.key / RUN apk add --no-cache make inotify-tools postgresql-client gcc libc-dev && \ go install github.com/go-delve/delve/cmd/dlv@latest && \ - ln -s /root/go/bin/dlv /usr/bin/dlv + rm -rf $GOPATH/pkg/* RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 COPY .pgpass /root/.pgpass RUN chmod 0600 /root/.pgpass -CMD /root/go/src/github.com/apache/trafficcontrol/dev/traffic_ops/run.sh +CMD $TC/dev/traffic_ops/run.sh diff --git a/dev/traffic_ops/run.sh b/dev/traffic_ops/run.sh index 6da2320ebc..69ddecd350 100755 --- a/dev/traffic_ops/run.sh +++ b/dev/traffic_ops/run.sh @@ -17,14 +17,31 @@ # under the License. set -o errexit +set -o xtrace trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' EXIT +user=trafficops +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" +if [[ "$(id -u)" != "$uid" ]]; then + for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do + if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + + adduser -Du"$uid" "$user" + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + exec su "$user" -- "$0" +fi + +cd "$TC" + while ! pg_isready -h db -p 5432 -d postgres; do echo "waiting for db on postgresql://db:5432/postgres"; sleep 3; done -cd "$TC" make traffic_ops/app/db/admin cd "$TC/dev/traffic_ops" @@ -33,8 +50,10 @@ cd "$TC/dev/traffic_ops" "$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" reset "$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" upgrade + psql -d 'postgres://traffic_ops:twelve12@db:5432/traffic_ops_development?sslmode=disable' -f ./seed.psql + cd "$TC/traffic_ops/traffic_ops_golang" dlv --accept-multiclient --continue --listen=:6444 --headless --api-version=2 debug -- --cfg=../../dev/traffic_ops/cdn.json --dbcfg=../../dev/traffic_ops/db.config.json & diff --git a/dev/traffic_portal/Dockerfile b/dev/traffic_portal/Dockerfile index 6cd5327eaf..25da3b3905 100644 --- a/dev/traffic_portal/Dockerfile +++ b/dev/traffic_portal/Dockerfile @@ -19,15 +19,16 @@ RUN openssl genrsa -passout pass:x -out server.pass.key 2048 && \ openssl req -new -key server.key -out server.csr \ -subj "/C=US/ST=CO/L=Denver/O=Apache/OU=Traffic Control/CN=trafficops.dev.ciab.test" && \ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt && \ - openssl rand 32 | base64 > /aes.key + openssl rand 32 | base64 > /aes.key && \ + chmod 644 /server.key /aes.key FROM node:14-bullseye AS trafficportal-dev -ENV TC="/root/go/src/github.com/apache/trafficcontrol/" -VOLUME /root/go/src/github.com/apache/trafficcontrol +ENV TC="/go/src/github.com/apache/trafficcontrol" +VOLUME $TC EXPOSE 443 ENV TP_SERVER_CONFIG_FILE="$TC/dev/traffic_portal/config.js" COPY --from=certbuilder /server.key /server.crt / -CMD /root/go/src/github.com/apache/trafficcontrol/dev/traffic_portal/run.sh +CMD ${TC}/dev/traffic_portal/run.sh diff --git a/dev/traffic_portal/config.js b/dev/traffic_portal/config.js index dcca20abda..4ba146db27 100644 --- a/dev/traffic_portal/config.js +++ b/dev/traffic_portal/config.js @@ -31,7 +31,7 @@ module.exports = { base_url: 'https://trafficops:443/api/' }, files: { - static: '/root/go/src/github.com/apache/trafficcontrol/traffic_portal/app/dist/public' + static: '/go/src/github.com/apache/trafficcontrol/traffic_portal/app/dist/public' }, log: null, reject_unauthorized: 0 diff --git a/dev/traffic_portal/run.sh b/dev/traffic_portal/run.sh index 6f45c18435..3874c71d76 100755 --- a/dev/traffic_portal/run.sh +++ b/dev/traffic_portal/run.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,8 +13,27 @@ # limitations under the License. # -set -o errexit +set -o errexit -o nounset cd "$TC/traffic_portal" + +user=trafficportal +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" +if [[ "$(id -u)" != "$uid" ]]; then + for dir in "${TC}/.npm" .[a-z]* app/dist app/dist/public node_modules; do + if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + + if ! adduser --disabled-password -u "$uid" "$user"; then + user="$(cat /etc/passwd | grep :x:${uid}: | cut -d: -f1)" + fi + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + chown "${uid}:${gid}" /usr/bin + exec su "$user" -- "$0" +fi + npm ci ./node_modules/.bin/grunt diff --git a/dev/traffic_router/run.sh b/dev/traffic_router/run.sh index 9ec211f188..0e1907d519 100755 --- a/dev/traffic_router/run.sh +++ b/dev/traffic_router/run.sh @@ -16,20 +16,27 @@ # specific language governing permissions and limitations # under the License. -set -o errexit - - - +set -o errexit -o nounset cd "$TC/traffic_router" + user=trafficrouter -uid="$(stat -c%u .)" -gid="$(stat -c%g .)" -adduser -Du"$uid" "$user" -sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group -chown -R "${uid}:${gid}" /opt +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" +if [[ "$(id -u)" != "$uid" ]]; then + for dir in "${TC}/.m2" */target; do + if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + + adduser -Du"$uid" "$user" + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + chown -R "${uid}:${gid}" /opt + exec su "$user" -- "$0" +fi -su "$user" -- /usr/bin/mvn -Dmaven.test.skip=true compile package -P \!rpm-build +mvn -Dmaven.test.skip=true compile package -P \!rpm-build cd "$TC/dev/traffic_router" -exec su "$user" -- /opt/tomcat/bin/catalina.sh jpda run +exec /opt/tomcat/bin/catalina.sh jpda run diff --git a/docker-compose.yml b/docker-compose.yml index cb5ce192c2..d9da0325cc 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -33,8 +33,10 @@ services: ports: - 6443:443 - 6444:6444 + sysctls: + - net.ipv4.ip_unprivileged_port_start=0 volumes: - - .:/root/go/src/github.com/apache/trafficcontrol/ + - .:/go/src/github.com/apache/trafficcontrol db: image: postgres:13.2-alpine @@ -57,9 +59,11 @@ services: image: trafficportal-dev ports: - 444:443 + sysctls: + - net.ipv4.ip_unprivileged_port_start=0 volumes: - - .:/root/go/src/github.com/apache/trafficcontrol - - ./.npm:/root/.npm + - .:/go/src/github.com/apache/trafficcontrol + - ./.npm:/trafficportal/.npm tpv2: build: @@ -72,8 +76,11 @@ services: image: tpv2-dev ports: - 443:443 + sysctls: + - net.ipv4.ip_unprivileged_port_start=0 volumes: - - .:/root/go/src/github.com/apache/trafficcontrol + - .:/go/src/github.com/apache/trafficcontrol + - ./.npm:/trafficportal/.npm trafficmonitor: build: @@ -89,8 +96,10 @@ services: ports: - 80:80 - 81:81 + sysctls: + - net.ipv4.ip_unprivileged_port_start=0 volumes: - - .:/root/go/src/github.com/apache/trafficcontrol + - .:/go/src/github.com/apache/trafficcontrol t3c: build: @@ -107,8 +116,10 @@ services: ports: - 8080:80 - 8081:8081 + sysctls: + - net.ipv4.ip_unprivileged_port_start=0 volumes: - - .:/root/go/src/github.com/apache/trafficcontrol + - .:/go/src/github.com/apache/trafficcontrol trafficrouter: build: @@ -127,8 +138,11 @@ services: - 3333:3333 - 2222:3443 - 5005:5005 + sysctls: + - net.ipv4.ip_unprivileged_port_start=0 volumes: - .:/go/src/github.com/apache/trafficcontrol + - ./.m2:/home/trafficrouter/.m2 networks: ciab: name: dev.ciab.test diff --git a/traffic_ops/app/db/admin.go b/traffic_ops/app/db/admin.go index 01529c8eae..50607739be 100644 --- a/traffic_ops/app/db/admin.go +++ b/traffic_ops/app/db/admin.go @@ -466,7 +466,6 @@ func seed() { } cmd := exec.Command("psql", "-h", hostIP, "-p", hostPort, "-d", dbName, "-U", dbUser, "-e", "-v", "ON_ERROR_STOP=1") cmd.Stdin = bytes.NewBuffer(seedsBytes) - cmd.Env = append(os.Environ(), "PGPASSWORD="+dbPassword) out, err := cmd.CombinedOutput() fmt.Println(string(out)) if err != nil { @@ -486,7 +485,6 @@ func loadSchema() { } cmd := exec.Command("psql", "-h", hostIP, "-p", hostPort, "-d", dbName, "-U", dbUser, "-e", "-v", "ON_ERROR_STOP=1") cmd.Stdin = bytes.NewBuffer(schemaBytes) - cmd.Env = append(os.Environ(), "PGPASSWORD="+dbPassword) out, err := cmd.CombinedOutput() fmt.Println(string(out)) if err != nil { @@ -505,7 +503,6 @@ func patch() { } cmd := exec.Command("psql", "-h", hostIP, "-p", hostPort, "-d", dbName, "-U", dbUser, "-e", "-v", "ON_ERROR_STOP=1") cmd.Stdin = bytes.NewBuffer(patchesBytes) - cmd.Env = append(os.Environ(), "PGPASSWORD="+dbPassword) out, err := cmd.CombinedOutput() fmt.Printf(string(out)) if err != nil { @@ -661,6 +658,10 @@ func main() { if err := parseDBConfig(); err != nil { die(err.Error()) } + if err := os.Setenv("PGPASSWORD", dbPassword); err != nil { + die("Setting PGPASSWORD: " + err.Error()) + } + commands := make(map[string]func()) commands[cmdCreateDB] = createDB