From 03896d8995dfd6ccfa4d73da15091c4d81905149 Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Mon, 17 Oct 2022 07:50:45 -0600 Subject: [PATCH 01/20] Run CDN in a Box for Developers services as unprivileged users --- dev/t3c/Dockerfile | 4 ++-- dev/t3c/run.sh | 18 ++++++++++++++++-- dev/tpv2/Dockerfile | 9 +++++---- dev/tpv2/run.sh | 13 +++++++++++++ dev/traffic_monitor/Dockerfile | 6 +++--- dev/traffic_monitor/run.sh | 9 +++++++++ dev/traffic_monitor/tm.config.json | 6 +++--- dev/traffic_ops/Dockerfile | 9 +++++---- dev/traffic_ops/run.sh | 22 +++++++++++++++++----- dev/traffic_portal/Dockerfile | 9 +++++---- dev/traffic_portal/config.js | 2 +- dev/traffic_portal/run.sh | 13 +++++++++++++ dev/traffic_router/run.sh | 16 ++++++++++------ docker-compose.yml | 10 +++++----- 14 files changed, 107 insertions(+), 39 deletions(-) diff --git a/dev/t3c/Dockerfile b/dev/t3c/Dockerfile index 411dc029fb..ca4f6ff4ba 100644 --- a/dev/t3c/Dockerfile +++ b/dev/t3c/Dockerfile @@ -23,7 +23,7 @@ ENV PATH=/usr/local/go/bin:${PATH} \ GOPATH=/go ENV PATH=${GOPATH}/bin:${PATH} -ENV TC="/root/go/src/github.com/apache/trafficcontrol/" GOFLAGS="--buildvcs=false" +ENV TC="/go/src/github.com/apache/trafficcontrol" GOFLAGS="--buildvcs=false" VOLUME $TC EXPOSE 80 8081 @@ -39,4 +39,4 @@ RUN apk add --no-cache \ RUN echo "stats_over_http.so" >> /etc/trafficserver/plugin.config && echo "system_stats.so" >> /etc/trafficserver/plugin.config -CMD /root/go/src/github.com/apache/trafficcontrol/dev/t3c/run.sh +CMD ${TC}/dev/t3c/run.sh diff --git a/dev/t3c/run.sh b/dev/t3c/run.sh index 9f1c2e36c6..b8e15f3e5a 100755 --- a/dev/t3c/run.sh +++ b/dev/t3c/run.sh 
@@ -18,9 +18,23 @@ # under the License. set -o errexit +set -o xtrace trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' EXIT cd "$TC/tc-health-client" + +user=t3c +uid="$(stat -c%u .)" +gid="$(stat -c%g .)" +if [[ "$(id -u)" != "$uid" ]]; then + if ! adduser -Du"$uid" "$user"; then + user="$(cat /etc/passwd | grep :x:1000: | cut -d: -f1)" + fi + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + chown "${uid}:${gid}" /usr/bin + exec su "$user" -- "$0" +fi + go build --gcflags "all=-N -l" . cd "$TC/cache-config" @@ -38,11 +52,11 @@ if [[ ! -f /usr/bin/tc-health-client ]]; then ln -s "$TC/tc-health-client/tc-health-client" /usr/bin/ fi -su -c traffic_server ats & +traffic_server & while inotifywait --exclude '.*(\.md|\.json|\.pl|\.rst|_test\.go|\.gitignore|__debug_bin|-logrotate|.service)$|^\./(build|t3c-check-refs/test-files|testing|t3util/testing|tm-health-client/(config|tmagent)/test_files)/.*' -e modify -r . ; do T3C_PID="$(ps | grep t3c | grep -v grep | grep -v inotifywait | grep -v run.sh | tr -s ' ' | cut -d ' ' -f2)" - if [[ ! -z "$T3"]]; then + if [[ ! -z "$T3" ]]; then echo "$T3C_PID" | xargs kill; fi # TODO: is it even necessary to restart ATS? diff --git a/dev/tpv2/Dockerfile b/dev/tpv2/Dockerfile index b771b5da25..11dbd280a3 100644 --- a/dev/tpv2/Dockerfile +++ b/dev/tpv2/Dockerfile 
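Review bot: `chown "${uid}:${gid}" /usr/bin` in the root pass of this hunk hands the system binary directory to the unprivileged user, so whatever still runs as root in the container (the part of this script before `exec su`, or a `docker exec` shell) executes files that user can replace, and PATCH 02 widens it to `chown -R`. The only consumer visible on the page is the `ln -s "$TC/tc-health-client/tc-health-client" /usr/bin/` in the next hunk, and the t3c Dockerfile already puts `${GOPATH}/bin` first on `PATH` (the directory PATCH 12 later chowns to `$uid` anyway), so the link can go there instead: `if [[ ! -f "${GOPATH}/bin/tc-health-client" ]]; then` / `ln -s "$TC/tc-health-client/tc-health-client" "${GOPATH}/bin/"`, with the `/usr/bin` chown dropped. The tpv2 and traffic_portal run.sh hunks of this patch contain the same `chown ... /usr/bin` with no visible consumer; if one exists a comment naming it would help, otherwise the line can go. The script re-executes itself via `exec su "$user" -- "$0"`, so the rest of the body lies outside this hunk.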
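Review bot: The corrected test `if [[ ! -z "$T3" ]]; then` still reads `$T3`, which nothing in the script assigns, while the pid list captured on the preceding line is `T3C_PID`, so the `kill` branch never runs and a modified source tree never restarts t3c. Change it to `if [[ -n "$T3C_PID" ]]; then`. The `ps | grep t3c | grep -v grep | grep -v inotifywait | grep -v run.sh` chain feeding it matches any process whose listing contains the substring `t3c` and relies on three exclusions to stay accurate; `pgrep` with an anchored pattern would be more robust if the image provides it. The `while inotifywait` loop runs on past the end of the hunk.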
@@ -20,14 +20,15 @@ RUN openssl genrsa -passout pass:x -out server.pass.key 2048 && \ openssl req -new -key server.key -out server.csr \ -subj "/C=US/ST=CO/L=Denver/O=Apache/OU=Traffic Control/CN=trafficops.dev.ciab.test" && \ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt && \ - openssl rand 32 | base64 > /aes.key + openssl rand 32 | base64 > /aes.key && \ + chmod 644 /server.key /aes.key FROM node:14-bullseye AS tpv2-dev -ENV TC="/root/go/src/github.com/apache/trafficcontrol/" -VOLUME /root/go/src/github.com/apache/trafficcontrol +ENV TC="/go/src/github.com/apache/trafficcontrol" +VOLUME $TC EXPOSE 443 COPY --from=certbuilder /server.key /server.crt / -CMD /root/go/src/github.com/apache/trafficcontrol/dev/tpv2/run.sh +CMD ${TC}/dev/tpv2/run.sh diff --git a/dev/tpv2/run.sh b/dev/tpv2/run.sh index 35da81bda9..9b497ca33a 100755 --- a/dev/tpv2/run.sh +++ b/dev/tpv2/run.sh @@ -16,5 +16,18 @@ set -o errexit cd "$TC/experimental/traffic-portal" + +user=tpv2 +uid="$(stat -c%u .)" +gid="$(stat -c%g .)" +if [[ "$(id -u)" != "$uid" ]]; then + if ! adduser -Du"$uid" "$user"; then + user="$(cat /etc/passwd | grep :x:1000: | cut -d: -f1)" + fi + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + chown "${uid}:${gid}" /usr/bin + exec su "$user" -- "$0" +fi + npm ci --ignore-scripts ./node_modules/.bin/ng serve --ssl --ssl-cert /server.crt --ssl-key /server.key --watch --proxy-config "$TC/dev/tpv2/proxy.json" --port 443 --host "::0" --live-reload diff --git a/dev/traffic_monitor/Dockerfile b/dev/traffic_monitor/Dockerfile index 6c7428b79b..b3bd495f3d 100644 --- a/dev/traffic_monitor/Dockerfile +++ b/dev/traffic_monitor/Dockerfile 
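Review bot: `chmod 644 /server.key /aes.key` makes the TLS private key world-readable in the image so that the unprivileged user introduced by this patch can open it; the same line is added in the traffic_ops and traffic_portal Dockerfile hunks. The run scripts already have a root pass that knows `$uid` before `exec su`, so `chown "$uid" /server.key` there would let the key keep a 0600/0400 mode; if the looser mode is deliberate, a comment on the chmod saying why any uid must be able to read it would do. In this file and in traffic_portal only `/server.key /server.crt` are copied out of the certbuilder stage, so the `/aes.key` part of the chmod has no effect there; traffic_ops is the only Dockerfile on the page that copies `/aes.key`.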
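Review bot: `exec su "$user" -- "$0"` at the end of the new block hands `$0` to the target user's login shell as a script argument rather than executing the file, so the shebang is consulted only on the first (root) pass and the `[[` tests in this hunk run a second time under whatever shell `adduser` assigned the account. On Debian that defaults to `/bin/bash`, so it works, but only implicitly; `exec su -s /bin/bash "$user" -- "$0"` pins the interpreter for both passes (busybox and util-linux `su` both accept `-s`), and the traffic_portal hunk of this patch has the same construct. For the Alpine-based scripts the equivalent would name whichever shell is actually installed there, which the page does not show.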
@@ -14,11 +14,11 @@ ARG GO_VERSION FROM golang:${GO_VERSION}-alpine AS trafficmonitor-dev -ENV TC=/root/go/src/github.com/apache/trafficcontrol GOFLAGS="--buildvcs=false" -VOLUME /root/go/src/github.com/apache/trafficcontrol +ENV TC=/go/src/github.com/apache/trafficcontrol GOFLAGS="--buildvcs=false" +VOLUME $TC EXPOSE 80 81 RUN apk add --no-cache inotify-tools gcc libc-dev && go install github.com/go-delve/delve/cmd/dlv@latest && ln -s /root/go/bin/dlv /usr/bin/dlv RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 -CMD /root/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/run.sh +CMD ${TC}/dev/traffic_monitor/run.sh diff --git a/dev/traffic_monitor/run.sh b/dev/traffic_monitor/run.sh index cd3b655ad6..b07eefb986 100755 --- a/dev/traffic_monitor/run.sh +++ b/dev/traffic_monitor/run.sh @@ -17,9 +17,18 @@ # under the License. set -o errexit +set -o xtrace trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' EXIT cd "$TC/traffic_monitor" +user=trafficmonitor +uid="$(stat -c%u .)" +gid="$(stat -c%g .)" +if [[ "$(id -u)" != "$uid" ]]; then + adduser -Du"$uid" "$user" + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + exec su "$user" -- "$0" +fi dlv --accept-multiclient --continue --listen=:81 --headless --api-version=2 debug -- --opsCfg="$TC/dev/traffic_monitor/ops.config.json" --config="$TC/dev/traffic_monitor/tm.config.json" & diff --git a/dev/traffic_monitor/tm.config.json b/dev/traffic_monitor/tm.config.json index 3834cf6ac4..e778226b0f 100644 --- a/dev/traffic_monitor/tm.config.json +++ b/dev/traffic_monitor/tm.config.json 
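Review bot: `adduser -Du"$uid" "$user"` in the root block of this hunk has no fallback for busybox adduser refusing a uid that another account in the image already owns; under `set -o errexit` the script then exits before `exec su` instead of continuing as that existing account. The t3c, tpv2 and traffic_portal hunks of this patch guard the same call with `if ! adduser ...; then` and look up the existing name for `$uid`, so the same shape belongs here and in the traffic_ops hunk, which calls adduser the same way. Whether the golang alpine image ships an account at the host's uid cannot be seen from the page, so this is a robustness point rather than an observed failure.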
@@ -12,7 +12,7 @@ "log_location_debug": "stdout", "serve_read_timeout_ms": 86400000, "serve_write_timeout_ms": 86400000, - "static_file_dir": "/root/go/src/github.com/apache/trafficcontrol/traffic_monitor/static/", - "crconfig_backup_file": "/root/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/snapshot.backup.json", - "tmconfig_backup_file": "/root/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/monitoring.snapshot.backup.json" + "static_file_dir": "/go/src/github.com/apache/trafficcontrol/traffic_monitor/static/", + "crconfig_backup_file": "/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/snapshot.backup.json", + "tmconfig_backup_file": "/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/monitoring.snapshot.backup.json" } diff --git a/dev/traffic_ops/Dockerfile b/dev/traffic_ops/Dockerfile index 195eab2856..d027c4fe42 100644 --- a/dev/traffic_ops/Dockerfile +++ b/dev/traffic_ops/Dockerfile @@ -20,12 +20,13 @@ RUN openssl genrsa -passout pass:x -out server.pass.key 2048 && \ openssl req -new -key server.key -out server.csr \ -subj "/C=US/ST=CO/L=Denver/O=Apache/OU=Traffic Control/CN=trafficops.dev.ciab.test" && \ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt && \ - openssl rand 32 | base64 > /aes.key + openssl rand 32 | base64 > /aes.key && \ + chmod 644 /server.key /aes.key FROM golang:${GO_VERSION}-alpine AS trafficops-dev -ENV TC="/root/go/src/github.com/apache/trafficcontrol/" GOFLAGS="--buildvcs=false" -VOLUME /root/go/src/github.com/apache/trafficcontrol +ENV TC="/go/src/github.com/apache/trafficcontrol" GOFLAGS="--buildvcs=false" +VOLUME $TC ENV ADMIN="$TC/traffic_ops/app/db/admin" EXPOSE 443 6444 @@ -38,4 +39,4 @@ RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 COPY .pgpass /root/.pgpass RUN chmod 0600 /root/.pgpass -CMD /root/go/src/github.com/apache/trafficcontrol/dev/traffic_ops/run.sh +CMD $TC/dev/traffic_ops/run.sh 
diff --git a/dev/traffic_ops/run.sh b/dev/traffic_ops/run.sh index 6da2320ebc..6f41d2a3d9 100755 --- a/dev/traffic_ops/run.sh +++ b/dev/traffic_ops/run.sh 
@@ -17,24 +17,36 @@ # under the License. set -o errexit +set -o xtrace trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' EXIT +cd "$TC" + while ! pg_isready -h db -p 5432 -d postgres; do echo "waiting for db on postgresql://db:5432/postgres"; sleep 3; done -cd "$TC" make traffic_ops/app/db/admin cd "$TC/dev/traffic_ops" -"$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" reset -"$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" upgrade -"$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" reset -"$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" upgrade +user=trafficops +uid="$(stat -c%u .)" +gid="$(stat -c%g .)" +if [[ "$(id -u)" != "$uid" ]]; then + "$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" reset + "$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" upgrade + "$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" reset + "$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" upgrade + + adduser -Du"$uid" "$user" + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + exec su "$user" -- "$0" 
+fi psql -d 'postgres://traffic_ops:twelve12@db:5432/traffic_ops_development?sslmode=disable' -f ./seed.psql + cd "$TC/traffic_ops/traffic_ops_golang" dlv --accept-multiclient --continue --listen=:6444 --headless --api-version=2 debug -- --cfg=../../dev/traffic_ops/cdn.json --dbcfg=../../dev/traffic_ops/db.config.json & diff --git a/dev/traffic_portal/Dockerfile b/dev/traffic_portal/Dockerfile index 6cd5327eaf..25da3b3905 100644 --- a/dev/traffic_portal/Dockerfile +++ b/dev/traffic_portal/Dockerfile @@ -19,15 +19,16 @@ RUN openssl genrsa -passout pass:x -out server.pass.key 2048 && \ openssl req -new -key server.key -out server.csr \ -subj "/C=US/ST=CO/L=Denver/O=Apache/OU=Traffic Control/CN=trafficops.dev.ciab.test" && \ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt && \ - openssl rand 32 | base64 > /aes.key + openssl rand 32 | base64 > /aes.key && \ + chmod 644 /server.key /aes.key FROM node:14-bullseye AS trafficportal-dev -ENV TC="/root/go/src/github.com/apache/trafficcontrol/" -VOLUME /root/go/src/github.com/apache/trafficcontrol +ENV TC="/go/src/github.com/apache/trafficcontrol" +VOLUME $TC EXPOSE 443 ENV TP_SERVER_CONFIG_FILE="$TC/dev/traffic_portal/config.js" COPY --from=certbuilder /server.key /server.crt / -CMD /root/go/src/github.com/apache/trafficcontrol/dev/traffic_portal/run.sh +CMD ${TC}/dev/traffic_portal/run.sh diff --git a/dev/traffic_portal/config.js b/dev/traffic_portal/config.js index dcca20abda..4ba146db27 100644 --- a/dev/traffic_portal/config.js +++ b/dev/traffic_portal/config.js @@ -31,7 +31,7 @@ module.exports = { base_url: 'https://trafficops:443/api/' }, files: { - static: '/root/go/src/github.com/apache/trafficcontrol/traffic_portal/app/dist/public' + static: '/go/src/github.com/apache/trafficcontrol/traffic_portal/app/dist/public' }, log: null, reject_unauthorized: 0 diff --git a/dev/traffic_portal/run.sh b/dev/traffic_portal/run.sh index 6f45c18435..cb3d83807d 100755 --- a/dev/traffic_portal/run.sh 
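Review bot: `set -o xtrace` is added at the top of this hunk, and the unchanged `psql -d 'postgres://traffic_ops:twelve12@db:5432/traffic_ops_development?sslmode=disable' -f ./seed.psql` further down is then echoed with its embedded password to stderr on every container start, where `docker compose logs` retains it. Bracketing that line with `set +o xtrace` / `set -o xtrace` keeps the trace elsewhere, or the password can leave the URI in favour of a `.pgpass` readable by `$uid` (the Dockerfile ships one at `/root/.pgpass`, which is no longer under `HOME` after `exec su`; `PGPASSFILE` can point at a copy). A `PGPASSWORD=... psql` prefix would not help, since xtrace prints leading assignments as well. The same `set -o xtrace` is added in the t3c and traffic_monitor run.sh hunks, where nothing sensitive is traced; the `dlv ... &` line is the last of the hunk and the script continues beyond it.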
+++ b/dev/traffic_portal/run.sh @@ -16,5 +16,18 @@ set -o errexit cd "$TC/traffic_portal" + +user=trafficportal +uid="$(stat -c%u .)" +gid="$(stat -c%g .)" +if [[ "$(id -u)" != "$uid" ]]; then + if ! adduser -Du"$uid" "$user"; then + user="$(cat /etc/passwd | grep :x:1000: | cut -d: -f1)" + fi + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + chown "${uid}:${gid}" /usr/bin + exec su "$user" -- "$0" +fi + npm ci ./node_modules/.bin/grunt diff --git a/dev/traffic_router/run.sh b/dev/traffic_router/run.sh index 9ec211f188..422da1f433 100755 --- a/dev/traffic_router/run.sh +++ b/dev/traffic_router/run.sh @@ -22,14 +22,18 @@ set -o errexit cd "$TC/traffic_router" -user=trafficrouter + +user=trafficportal uid="$(stat -c%u .)" gid="$(stat -c%g .)" -adduser -Du"$uid" "$user" -sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group -chown -R "${uid}:${gid}" /opt +if [[ "$(id -u)" != "$uid" ]]; then + adduser -Du"$uid" "$user" + sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group + chown -R "${uid}:${gid}" /opt + exec su "$user" -- "$0" +fi -su "$user" -- /usr/bin/mvn -Dmaven.test.skip=true compile package -P \!rpm-build +mvn -Dmaven.test.skip=true compile package -P \!rpm-build cd "$TC/dev/traffic_router" -exec su "$user" -- /opt/tomcat/bin/catalina.sh jpda run +exec /opt/tomcat/bin/catalina.sh jpda run diff --git a/docker-compose.yml b/docker-compose.yml index cb5ce192c2..3221da2870 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -34,7 +34,7 @@ services: - 6443:443 - 6444:6444 volumes: - - .:/root/go/src/github.com/apache/trafficcontrol/ + - .:/go/src/github.com/apache/trafficcontrol db: image: postgres:13.2-alpine @@ -58,7 +58,7 @@ services: ports: - 444:443 volumes: - - .:/root/go/src/github.com/apache/trafficcontrol + - .:/go/src/github.com/apache/trafficcontrol - ./.npm:/root/.npm tpv2: 
@@ -73,7 +73,7 @@ services: ports: - 443:443 volumes: - - .:/root/go/src/github.com/apache/trafficcontrol + - .:/go/src/github.com/apache/trafficcontrol trafficmonitor: build: @@ -90,7 +90,7 @@ services: - 80:80 - 81:81 volumes: - - .:/root/go/src/github.com/apache/trafficcontrol + - .:/go/src/github.com/apache/trafficcontrol t3c: build: @@ -108,7 +108,7 @@ services: - 8080:80 - 8081:8081 volumes: - - .:/root/go/src/github.com/apache/trafficcontrol + - .:/go/src/github.com/apache/trafficcontrol trafficrouter: build: From 20019a8f381c004f4e8b0c161546b01a9e8a59ff Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Wed, 19 Oct 2022 13:19:58 -0600 Subject: [PATCH 02/20] Reuse ats user for running t3c --- dev/t3c/run.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/dev/t3c/run.sh b/dev/t3c/run.sh index b8e15f3e5a..2e0edccbc9 100755 --- a/dev/t3c/run.sh +++ b/dev/t3c/run.sh @@ -23,15 +23,13 @@ trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' cd "$TC/tc-health-client" -user=t3c +user=ats uid="$(stat -c%u .)" gid="$(stat -c%g .)" -if [[ "$(id -u)" != "$uid" ]]; then - if ! adduser -Du"$uid" "$user"; then - user="$(cat /etc/passwd | grep :x:1000: | cut -d: -f1)" - fi +if [[ "$(id -u "$user")" != "$uid" ]]; then + sed -Ei "s/^(${user}:.*:)([0-9]+:){2}(.*)/\1${uid}:${gid}:\3/" /etc/passwd sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group - chown "${uid}:${gid}" /usr/bin + chown -R "${uid}:${gid}" /usr/bin "/home/${user}" /etc/trafficserver /var/log/trafficserver /var/trafficserver exec su "$user" -- "$0" fi From 308bc045fdf4a35ce3b1308c7ed2ebac2a02b3f7 Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Thu, 20 Oct 2022 16:07:02 -0600 Subject: [PATCH 03/20] trafficrouter user for traffic_router --- dev/traffic_router/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev/traffic_router/run.sh b/dev/traffic_router/run.sh index 422da1f433..fba957de60 100755 --- a/dev/traffic_router/run.sh 
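Review bot: The new `sed -Ei "s/^(${user}:.*:)([0-9]+:){2}(.*)/\1${uid}:${gid}:\3/" /etc/passwd` gives `ats` the host's uid without checking whether another account in the trafficserver image already has it, which would leave two passwd entries sharing a uid; a guard in the file's own idiom, `if grep -q ":x:${uid}:" /etc/passwd; then echo "uid ${uid} already in use" >&2; exit 1; fi`, or a comment stating that the base image has no account at that uid, would make the assumption explicit. The `chown -R ... /usr/bin "/home/${user}" /etc/trafficserver ...` line fails under `set -o errexit` if the `ats` system account was created without a home directory, so `"/home/${user}"` may need an existence check. I cannot see the base image's passwd from here, so both are assumptions to confirm rather than observed failures. The `-R` on `/usr/bin` is the point raised on the first patch's t3c hunk.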
+++ b/dev/traffic_router/run.sh @@ -23,7 +23,7 @@ set -o errexit cd "$TC/traffic_router" -user=trafficportal +user=trafficrouter uid="$(stat -c%u .)" gid="$(stat -c%g .)" if [[ "$(id -u)" != "$uid" ]]; then From 375650594ec57d5dde53bfa7f855cb66c7d1d4c6 Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Thu, 20 Oct 2022 16:09:01 -0600 Subject: [PATCH 04/20] Use local cache for NPM dependencies --- docker-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 3221da2870..f4e9d205e5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -59,7 +59,7 @@ services: - 444:443 volumes: - .:/go/src/github.com/apache/trafficcontrol - - ./.npm:/root/.npm + - ./.npm:/trafficportal/.npm tpv2: build: @@ -74,6 +74,7 @@ services: - 443:443 volumes: - .:/go/src/github.com/apache/trafficcontrol + - ./.npm:/trafficportal/.npm trafficmonitor: build: From fccced9da312a145860faa8701600bec382e4bf6 Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Thu, 20 Oct 2022 16:12:06 -0600 Subject: [PATCH 05/20] Use local cache for Maven dependencies --- docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yml b/docker-compose.yml index f4e9d205e5..f2b7b5a066 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -130,6 +130,7 @@ services: - 5005:5005 volumes: - .:/go/src/github.com/apache/trafficcontrol + - ./.m2:/home/trafficrouter/.m2 networks: ciab: name: dev.ciab.test From c6b953b1f0afb6967262ac19e64d7e1a5f907d32 Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Mon, 7 Nov 2022 14:57:33 -0700 Subject: [PATCH 06/20] Always use trafficcontrol directory to get ownership --- dev/t3c/run.sh | 4 ++-- dev/tpv2/run.sh | 4 ++-- dev/traffic_monitor/run.sh | 4 ++-- dev/traffic_ops/run.sh | 4 ++-- dev/traffic_portal/run.sh | 4 ++-- dev/traffic_router/run.sh | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/dev/t3c/run.sh b/dev/t3c/run.sh index 2e0edccbc9..535ad2ae56 100755 
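Review bot: The npm cache is mounted at `/trafficportal/.npm` in both hunks of this patch, but nothing on the page sets `HOME` to `/trafficportal`: Debian's adduser, as used by traffic_portal/run.sh, homes the account at `/home/trafficportal` by default, which is the convention PATCH 05 follows with `./.m2:/home/trafficrouter/.m2`, and the tpv2 service runs as `tpv2`, not `trafficportal`. Unless `HOME` or `npm_config_cache` is overridden somewhere not shown, npm writes its cache to `$HOME/.npm` inside the container and these bind mounts are never used. `- ./.npm:/home/trafficportal/.npm` and `- ./.npm:/home/tpv2/.npm` would match the accounts the run scripts create.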
--- a/dev/t3c/run.sh +++ b/dev/t3c/run.sh @@ -24,8 +24,8 @@ trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' cd "$TC/tc-health-client" user=ats -uid="$(stat -c%u .)" -gid="$(stat -c%g .)" +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" if [[ "$(id -u "$user")" != "$uid" ]]; then sed -Ei "s/^(${user}:.*:)([0-9]+:){2}(.*)/\1${uid}:${gid}:\3/" /etc/passwd sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group diff --git a/dev/tpv2/run.sh b/dev/tpv2/run.sh index 9b497ca33a..7d99f45bb6 100755 --- a/dev/tpv2/run.sh +++ b/dev/tpv2/run.sh @@ -18,8 +18,8 @@ set -o errexit cd "$TC/experimental/traffic-portal" user=tpv2 -uid="$(stat -c%u .)" -gid="$(stat -c%g .)" +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then if ! adduser -Du"$uid" "$user"; then user="$(cat /etc/passwd | grep :x:1000: | cut -d: -f1)" diff --git a/dev/traffic_monitor/run.sh b/dev/traffic_monitor/run.sh index b07eefb986..8080999ba5 100755 --- a/dev/traffic_monitor/run.sh +++ b/dev/traffic_monitor/run.sh @@ -22,8 +22,8 @@ trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' cd "$TC/traffic_monitor" user=trafficmonitor -uid="$(stat -c%u .)" -gid="$(stat -c%g .)" +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then adduser -Du"$uid" "$user" sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group diff --git a/dev/traffic_ops/run.sh b/dev/traffic_ops/run.sh index 6f41d2a3d9..ab7e1418eb 100755 --- a/dev/traffic_ops/run.sh +++ b/dev/traffic_ops/run.sh 
@@ -31,8 +31,8 @@ make traffic_ops/app/db/admin cd "$TC/dev/traffic_ops" user=trafficops -uid="$(stat -c%u .)" -gid="$(stat -c%g .)" +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then "$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" reset "$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" upgrade diff --git a/dev/traffic_portal/run.sh b/dev/traffic_portal/run.sh index cb3d83807d..d91ffabc86 100755 --- a/dev/traffic_portal/run.sh +++ b/dev/traffic_portal/run.sh @@ -18,8 +18,8 @@ set -o errexit cd "$TC/traffic_portal" user=trafficportal -uid="$(stat -c%u .)" -gid="$(stat -c%g .)" +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then if ! adduser -Du"$uid" "$user"; then user="$(cat /etc/passwd | grep :x:1000: | cut -d: -f1)" diff --git a/dev/traffic_router/run.sh b/dev/traffic_router/run.sh index fba957de60..035f713cf1 100755 --- a/dev/traffic_router/run.sh +++ b/dev/traffic_router/run.sh @@ -24,8 +24,8 @@ set -o errexit cd "$TC/traffic_router" user=trafficrouter -uid="$(stat -c%u .)" -gid="$(stat -c%g .)" +uid="$(stat -c%u "$TC")" +gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then adduser -Du"$uid" "$user" sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group From 24013446fe58bfaa7fb1b76e860616da028920ec Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Mon, 7 Nov 2022 15:35:00 -0700 Subject: [PATCH 07/20] Change owner to the unprivileged user if files are owned as root from a previous run --- dev/traffic_portal/run.sh | 8 +++++++- dev/traffic_router/run.sh | 11 +++++++---- 2 files changed, 14 insertions(+), 5 deletions(-) 
diff --git a/dev/traffic_portal/run.sh b/dev/traffic_portal/run.sh index d91ffabc86..bfb5d9c886 100755 --- a/dev/traffic_portal/run.sh +++ b/dev/traffic_portal/run.sh @@ -13,7 +13,7 @@ # limitations under the License. # -set -o errexit +set -o errexit -o nounset cd "$TC/traffic_portal" @@ -21,6 +21,12 @@ user=trafficportal uid="$(stat -c%u "$TC")" gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then + for dir in "${TC}/.npm" .[a-z]* app/dist app/dist/public node_modules; do + if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + if ! adduser -Du"$uid" "$user"; then user="$(cat /etc/passwd | grep :x:1000: | cut -d: -f1)" fi diff --git a/dev/traffic_router/run.sh b/dev/traffic_router/run.sh index 035f713cf1..3fd69ecad7 100755 --- a/dev/traffic_router/run.sh +++ b/dev/traffic_router/run.sh @@ -16,10 +16,7 @@ # specific language governing permissions and limitations # under the License. -set -o errexit - - - +set -o errexit -o nounset cd "$TC/traffic_router" @@ -27,6 +24,12 @@ user=trafficrouter uid="$(stat -c%u "$TC")" gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then + for dir in "${TC}/.m2" */target; do + if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + adduser -Du"$uid" "$user" sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group chown -R "${uid}:${gid}" /opt From 2b442c14df617ccffd3e0995dc222a69608e0d01 Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Mon, 7 Nov 2022 22:56:10 -0700 Subject: [PATCH 08/20] Use bash shell on Debian Bullseye, not dash --- dev/tpv2/run.sh | 2 +- dev/traffic_portal/run.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dev/tpv2/run.sh b/dev/tpv2/run.sh index 7d99f45bb6..6ea1736132 100755 --- a/dev/tpv2/run.sh +++ b/dev/tpv2/run.sh 
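Review bot: The ownership loop in this hunk stats every entry of `"${TC}/.npm" .[a-z]* app/dist app/dist/public node_modules` unconditionally, and on a fresh checkout `app/dist`, `app/dist/public` and `node_modules` do not exist yet: `stat` fails, the empty substitution compares as `0 -ne $uid`, and the resulting `chown -R` on a missing path exits the script under the `set -o errexit -o nounset` introduced in the first hunk. Add `[[ -e "$dir" ]] || continue` as the first line of the loop body. The traffic_router hunk below has the same exposure through `*/target`, which stays a literal pattern before the first Maven build because nullglob is not set, and PATCH 11 copies the loop into tpv2/run.sh with `.angular node_modules`.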
@@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/dev/traffic_portal/run.sh b/dev/traffic_portal/run.sh index bfb5d9c886..97c9f924ff 100755 --- a/dev/traffic_portal/run.sh +++ b/dev/traffic_portal/run.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. From 485cd3688a5104127ec478c0653f37b40e1a2d31 Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Mon, 7 Nov 2022 22:57:52 -0700 Subject: [PATCH 09/20] Do not hard-code user id 1000 --- dev/tpv2/run.sh | 2 +- dev/traffic_portal/run.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dev/tpv2/run.sh b/dev/tpv2/run.sh index 6ea1736132..0d85312a42 100755 --- a/dev/tpv2/run.sh +++ b/dev/tpv2/run.sh @@ -22,7 +22,7 @@ uid="$(stat -c%u "$TC")" gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then if ! adduser -Du"$uid" "$user"; then - user="$(cat /etc/passwd | grep :x:1000: | cut -d: -f1)" + user="$(cat /etc/passwd | grep :x:${uid}: | cut -d: -f1)" fi sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group chown "${uid}:${gid}" /usr/bin diff --git a/dev/traffic_portal/run.sh b/dev/traffic_portal/run.sh index 97c9f924ff..47034f7100 100755 --- a/dev/traffic_portal/run.sh +++ b/dev/traffic_portal/run.sh @@ -28,7 +28,7 @@ if [[ "$(id -u)" != "$uid" ]]; then done if ! adduser -Du"$uid" "$user"; then - user="$(cat /etc/passwd | grep :x:1000: | cut -d: -f1)" + user="$(cat /etc/passwd | grep :x:${uid}: | cut -d: -f1)" fi sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group chown "${uid}:${gid}" /usr/bin From 80e27431de7eb6aa7d0174943648f49c0706f451 Mon Sep 17 00:00:00 2001 
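Review bot: The fallback `user="$(cat /etc/passwd | grep :x:${uid}: | cut -d: -f1)"` can yield an empty or multi-line `user` (no account at that uid, or several) and nothing checks the result; the following `sed -Ei "s/^(${user}:.*:)..."` then edits the wrong group line and `su ""` fails. Use `user="$(awk -F: -v uid="$uid" '$3 == uid { print $1; exit }' /etc/passwd)"` followed by `[[ -n "$user" ]] || exit 1`: awk compares the uid field exactly instead of a substring, takes the first match, and drops the `cat` pipe. The traffic_portal hunk of this patch has the same line; the enclosing `if` block starts above both hunks.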
From: Zach Hoffman Date: Mon, 7 Nov 2022 22:59:39 -0700 Subject: [PATCH 10/20] Use Debian adduser syntax in trafficportal and tpv2 run scripts --- dev/tpv2/run.sh | 2 +- dev/traffic_portal/run.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dev/tpv2/run.sh b/dev/tpv2/run.sh index 0d85312a42..9dd14be860 100755 --- a/dev/tpv2/run.sh +++ b/dev/tpv2/run.sh @@ -21,7 +21,7 @@ user=tpv2 uid="$(stat -c%u "$TC")" gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then - if ! adduser -Du"$uid" "$user"; then + if ! adduser --disabled-password -u "$uid" "$user"; then user="$(cat /etc/passwd | grep :x:${uid}: | cut -d: -f1)" fi sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group diff --git a/dev/traffic_portal/run.sh b/dev/traffic_portal/run.sh index 47034f7100..7bcc960c45 100755 --- a/dev/traffic_portal/run.sh +++ b/dev/traffic_portal/run.sh @@ -27,7 +27,7 @@ if [[ "$(id -u)" != "$uid" ]]; then fi done - if ! adduser -Du"$uid" "$user"; then + if ! adduser --disabled-password -u "$uid" "$user"; then user="$(cat /etc/passwd | grep :x:${uid}: | cut -d: -f1)" fi sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group From d54d9ccc349a33be999478bc8d6803d23018ca5a Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Mon, 7 Nov 2022 23:08:19 -0700 Subject: [PATCH 11/20] TPv2: Change owner to the unprivileged user if files are owned as root from a previous run --- dev/tpv2/run.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/dev/tpv2/run.sh b/dev/tpv2/run.sh index 9dd14be860..f5f155949a 100755 --- a/dev/tpv2/run.sh +++ b/dev/tpv2/run.sh 
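Review bot: Debian's `adduser --disabled-password -u "$uid" "$user"` still prompts for the GECOS fields through chfn when `--gecos` is not given, and this script runs with no terminal attached; whether that prompt blocks, errors or takes defaults depends on how stdin is wired, so pass it explicitly: `if ! adduser --disabled-password --gecos "" --uid "$uid" "$user"; then`. The adduser man page documents `--uid`; `-u` appears to work only as an option abbreviation. The traffic_portal hunk of this patch needs the same change.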
@@ -21,6 +21,12 @@ user=tpv2 uid="$(stat -c%u "$TC")" gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then + for dir in "${TC}/.npm" .angular node_modules; do + if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + if ! adduser --disabled-password -u "$uid" "$user"; then user="$(cat /etc/passwd | grep :x:${uid}: | cut -d: -f1)" fi From e8dad16f7803081ffa703a6614113d7f61207d3a Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Tue, 8 Nov 2022 03:08:28 -0700 Subject: [PATCH 12/20] Chown Go bin and pkg directories as unprivileged user --- dev/t3c/run.sh | 6 ++++++ dev/traffic_monitor/run.sh | 6 ++++++ dev/traffic_ops/run.sh | 6 ++++++ 3 files changed, 18 insertions(+) diff --git a/dev/t3c/run.sh b/dev/t3c/run.sh index 535ad2ae56..4b7fa05c44 100755 --- a/dev/t3c/run.sh +++ b/dev/t3c/run.sh @@ -27,6 +27,12 @@ user=ats uid="$(stat -c%u "$TC")" gid="$(stat -c%g "$TC")" if [[ "$(id -u "$user")" != "$uid" ]]; then + for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do + if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + sed -Ei "s/^(${user}:.*:)([0-9]+:){2}(.*)/\1${uid}:${gid}:\3/" /etc/passwd sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group chown -R "${uid}:${gid}" /usr/bin "/home/${user}" /etc/trafficserver /var/log/trafficserver /var/trafficserver diff --git a/dev/traffic_monitor/run.sh b/dev/traffic_monitor/run.sh index 8080999ba5..cb9f095e1e 100755 --- a/dev/traffic_monitor/run.sh +++ b/dev/traffic_monitor/run.sh 
@@ -25,6 +25,12 @@ user=trafficmonitor uid="$(stat -c%u "$TC")" gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then + for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do + if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + adduser -Du"$uid" "$user" sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group exec su "$user" -- "$0" diff --git a/dev/traffic_ops/run.sh b/dev/traffic_ops/run.sh index ab7e1418eb..475e65cc12 100755 --- a/dev/traffic_ops/run.sh +++ b/dev/traffic_ops/run.sh @@ -34,6 +34,12 @@ user=trafficops uid="$(stat -c%u "$TC")" gid="$(stat -c%g "$TC")" if [[ "$(id -u)" != "$uid" ]]; then + for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do + if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then + chown -R "${uid}:${gid}" "$dir" + fi + done + "$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" reset "$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" upgrade "$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" reset From 25483428a53b3a2f0fdc1ca5e28f7992b91cb716 Mon Sep 17 00:00:00 2001 From: Zach Hoffman Date: Tue, 8 Nov 2022 14:03:23 -0700 Subject: [PATCH 13/20] Set PGPASSWORD for db/admin process --- dev/t3c/Dockerfile | 3 ++- dev/traffic_monitor/Dockerfile | 4 +++- dev/traffic_ops/Dockerfile | 4 ++-- traffic_ops/app/db/admin.go | 7 ++++--- 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/dev/t3c/Dockerfile b/dev/t3c/Dockerfile index ca4f6ff4ba..6f2f384450 100644 --- a/dev/t3c/Dockerfile +++ b/dev/t3c/Dockerfile 
@@ -35,7 +35,8 @@ RUN apk add --no-cache \ make \ # gcc and musl-dev are used to build packages using CGO gcc musl-dev && \ - go install github.com/go-delve/delve/cmd/dlv@latest + go install github.com/go-delve/delve/cmd/dlv@latest && \ + rm -rf $GOPATH/pkg/* RUN echo "stats_over_http.so" >> /etc/trafficserver/plugin.config && echo "system_stats.so" >> /etc/trafficserver/plugin.config diff --git a/dev/traffic_monitor/Dockerfile b/dev/traffic_monitor/Dockerfile index b3bd495f3d..623f5487bd 100644 --- a/dev/traffic_monitor/Dockerfile +++ b/dev/traffic_monitor/Dockerfile @@ -18,7 +18,9 @@ ENV TC=/go/src/github.com/apache/trafficcontrol GOFLAGS="--buildvcs=false" VOLUME $TC EXPOSE 80 81 -RUN apk add --no-cache inotify-tools gcc libc-dev && go install github.com/go-delve/delve/cmd/dlv@latest && ln -s /root/go/bin/dlv /usr/bin/dlv +RUN apk add --no-cache inotify-tools gcc libc-dev && \ + go install github.com/go-delve/delve/cmd/dlv@latest && \ + rm -rf $GOPATH/pkg/* RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 CMD ${TC}/dev/traffic_monitor/run.sh diff --git a/dev/traffic_ops/Dockerfile b/dev/traffic_ops/Dockerfile index d027c4fe42..5e68bf2ef3 100644 --- a/dev/traffic_ops/Dockerfile +++ b/dev/traffic_ops/Dockerfile @@ -21,7 +21,7 @@ RUN openssl genrsa -passout pass:x -out server.pass.key 2048 && \ -subj "/C=US/ST=CO/L=Denver/O=Apache/OU=Traffic Control/CN=trafficops.dev.ciab.test" && \ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt && \ openssl rand 32 | base64 > /aes.key && \ - chmod 644 /server.key /aes.key + chmod 644 /server.key /aes.key FROM golang:${GO_VERSION}-alpine AS trafficops-dev 
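Review bot: `rm -rf $GOPATH/pkg/*` is appended to the dlv install in this hunk (and in the traffic_monitor and traffic_ops Dockerfile hunks of this patch) with no comment saying why the module cache that `go install` just populated is discarded, and the commit subject is about PGPASSWORD so it does not explain it either. Presumably it keeps root-owned module files out of `$GOPATH/pkg` so that the `chown -R` loop PATCH 12 added to the run scripts has little to fix; if so, a comment such as `# drop the root-owned module cache; run.sh re-downloads it as the unprivileged user` would record that. Writing it as `rm -rf "${GOPATH:?}"/pkg/*` also stops an unset GOPATH from turning the line into `rm -rf /pkg/*`.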
@@ -33,7 +33,7 @@ EXPOSE 443 6444
 COPY --from=certbuilder /server.key /server.crt /aes.key /
 RUN apk add --no-cache make inotify-tools postgresql-client gcc libc-dev && \
 go install github.com/go-delve/delve/cmd/dlv@latest && \
- ln -s /root/go/bin/dlv /usr/bin/dlv
+ rm -rf $GOPATH/pkg/*
 RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
 COPY .pgpass /root/.pgpass
diff --git a/traffic_ops/app/db/admin.go b/traffic_ops/app/db/admin.go
index 01529c8eae..50607739be 100644
--- a/traffic_ops/app/db/admin.go
+++ b/traffic_ops/app/db/admin.go
@@ -466,7 +466,6 @@ func seed() {
 }
 cmd := exec.Command("psql", "-h", hostIP, "-p", hostPort, "-d", dbName, "-U", dbUser, "-e", "-v", "ON_ERROR_STOP=1")
 cmd.Stdin = bytes.NewBuffer(seedsBytes)
- cmd.Env = append(os.Environ(), "PGPASSWORD="+dbPassword)
 out, err := cmd.CombinedOutput()
 fmt.Println(string(out))
 if err != nil {
@@ -486,7 +485,6 @@ func loadSchema() {
 }
 cmd := exec.Command("psql", "-h", hostIP, "-p", hostPort, "-d", dbName, "-U", dbUser, "-e", "-v", "ON_ERROR_STOP=1")
 cmd.Stdin = bytes.NewBuffer(schemaBytes)
- cmd.Env = append(os.Environ(), "PGPASSWORD="+dbPassword)
 out, err := cmd.CombinedOutput()
 fmt.Println(string(out))
 if err != nil {
@@ -505,7 +503,6 @@ func patch() {
 }
 cmd := exec.Command("psql", "-h", hostIP, "-p", hostPort, "-d", dbName, "-U", dbUser, "-e", "-v", "ON_ERROR_STOP=1")
 cmd.Stdin = bytes.NewBuffer(patchesBytes)
- cmd.Env = append(os.Environ(), "PGPASSWORD="+dbPassword)
 out, err := cmd.CombinedOutput()
 fmt.Printf(string(out))
 if err != nil {
@@ -661,6 +658,10 @@ func main() {
 if err := parseDBConfig(); err != nil {
 die(err.Error())
 }
+ if err := os.Setenv("PGPASSWORD", dbPassword); err != nil {
+ die("Setting PGPASSWORD: " + err.Error())
+ }
+
 commands := make(map[string]func())
 commands[cmdCreateDB] = createDB
From ffdc5f342d63869ac6179046960da50cda870c5f Mon Sep 17 00:00:00 2001
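Review bot: Replacing the per-command `cmd.Env` with a process-wide `os.Setenv("PGPASSWORD", dbPassword)` in `main` widens the scope of the credential: every child process the tool starts from this point on inherits the database password, not only the three `psql` invocations that previously received it through the removed `cmd.Env` lines. If some subcommand other than those three needs it, a comment at the `Setenv` should say which, e.g. `// psql (and any other subcommand that shells out) reads PGPASSWORD from the environment; set it once here rather than per exec.Command`, so a later reader does not narrow it back and break that path. An empty `dbPassword` is also exported as an empty `PGPASSWORD`, which is presumably intended but worth a word. `main` continues outside the hunk.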
From: Zach Hoffman
Date: Tue, 8 Nov 2022 14:05:18 -0700
Subject: [PATCH 14/20] Run db/admin as the unprivileged user
---
 dev/traffic_ops/run.sh | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/dev/traffic_ops/run.sh b/dev/traffic_ops/run.sh
index 475e65cc12..df9da92ed0 100755
--- a/dev/traffic_ops/run.sh
+++ b/dev/traffic_ops/run.sh
@@ -40,16 +40,17 @@ if [[ "$(id -u)" != "$uid" ]]; then
 fi
 done
- "$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" reset
- "$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" upgrade
- "$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" reset
- "$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" upgrade
-
 adduser -Du"$uid" "$user"
 sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group
 exec su "$user" -- "$0"
 fi
+"$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" reset
+"$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" upgrade
+"$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" reset
+"$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" upgrade
+
+
 psql -d 'postgres://traffic_ops:twelve12@db:5432/traffic_ops_development?sslmode=disable' -f ./seed.psql
From ec0651f0e2203cb21f4ba746ce86b6e3bd7a7612 Mon Sep 17 00:00:00 2001
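Review bot: The four `"$ADMIN"` invocations moved below the `fi` repeat two long argument lists verbatim, so each reset/upgrade pair can silently drift apart the next time a flag or path is added; building each list once in an array keeps the pairs identical by construction and makes the command that differs (`reset` vs `upgrade`) visible at a glance. The rewrite below is purely structural: same binary, same arguments, same order. `ADMIN` is assigned outside the hunk, and the `psql` seed line that follows is unchanged.
```shell
fi

db_admin_args=(-c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations")
vault_admin_args=(-v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations")
"$ADMIN" "${db_admin_args[@]}" reset
"$ADMIN" "${db_admin_args[@]}" upgrade
"$ADMIN" "${vault_admin_args[@]}" reset
"$ADMIN" "${vault_admin_args[@]}" upgrade

# … unchanged: psql -f ./seed.psql …
```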
From: Zach Hoffman
Date: Tue, 8 Nov 2022 15:02:39 -0700
Subject: [PATCH 15/20] Check if directory exists before checking ownership
---
 dev/t3c/run.sh | 2 +-
 dev/tpv2/run.sh | 2 +-
 dev/traffic_monitor/run.sh | 2 +-
 dev/traffic_ops/run.sh | 2 +-
 dev/traffic_portal/run.sh | 2 +-
 dev/traffic_router/run.sh | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/dev/t3c/run.sh b/dev/t3c/run.sh
index 4b7fa05c44..540d9078e7 100755
--- a/dev/t3c/run.sh
+++ b/dev/t3c/run.sh
@@ -28,7 +28,7 @@ uid="$(stat -c%u "$TC")"
 gid="$(stat -c%g "$TC")"
 if [[ "$(id -u "$user")" != "$uid" ]]; then
 for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do
- if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+ if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
 chown -R "${uid}:${gid}" "$dir"
 fi
 done
diff --git a/dev/tpv2/run.sh b/dev/tpv2/run.sh
index f5f155949a..26f01eaf50 100755
--- a/dev/tpv2/run.sh
+++ b/dev/tpv2/run.sh
@@ -22,7 +22,7 @@ uid="$(stat -c%u "$TC")"
 gid="$(stat -c%g "$TC")"
 if [[ "$(id -u)" != "$uid" ]]; then
 for dir in "${TC}/.npm" .angular node_modules; do
- if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+ if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
 chown -R "${uid}:${gid}" "$dir"
 fi
 done
diff --git a/dev/traffic_monitor/run.sh b/dev/traffic_monitor/run.sh
index cb9f095e1e..0ce89e5e51 100755
--- a/dev/traffic_monitor/run.sh
+++ b/dev/traffic_monitor/run.sh
@@ -26,7 +26,7 @@ uid="$(stat -c%u "$TC")"
 gid="$(stat -c%g "$TC")"
 if [[ "$(id -u)" != "$uid" ]]; then
 for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do
- if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+ if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
 chown -R "${uid}:${gid}" "$dir"
 fi
 done
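Review bot: The corrected ownership check is now copied verbatim into six scripts (the three hunks here plus dev/traffic_ops/run.sh, dev/traffic_portal/run.sh and dev/traffic_router/run.sh on the next line), which is exactly why a one-token fix needed a six-file commit; a later change to the test, say comparing only the owner, will have to be repeated the same way and one copy will eventually be missed. Since every copy runs as root and does a recursive `chown`, drift between them is also a privilege question, not only tidiness. I would move the loop into a small helper in a file sourced by each run.sh (name below is a placeholder) and call it as `fix_ownership "$uid" "$gid" "${GOPATH}/bin" "${GOPATH}/pkg"`; each script's `if` block lies partly outside its hunk.
```shell
# dev/<shared-helper>.sh — placeholder path, sourced by each dev/*/run.sh
# Give the service uid:gid ownership of each existing directory whose
# owner or group differs. Must run as root; no-op for missing paths.
fix_ownership() {
  local uid=$1 gid=$2 dir
  shift 2
  for dir in "$@"; do
    if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]]; then
      chown -R "${uid}:${gid}" "$dir"
    fi
  done
}
```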
diff --git a/dev/traffic_ops/run.sh b/dev/traffic_ops/run.sh
index df9da92ed0..f65c029ab1 100755
--- a/dev/traffic_ops/run.sh
+++ b/dev/traffic_ops/run.sh
@@ -35,7 +35,7 @@ uid="$(stat -c%u "$TC")"
 gid="$(stat -c%g "$TC")"
 if [[ "$(id -u)" != "$uid" ]]; then
 for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do
- if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+ if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
 chown -R "${uid}:${gid}" "$dir"
 fi
 done
diff --git a/dev/traffic_portal/run.sh b/dev/traffic_portal/run.sh
index 7bcc960c45..3874c71d76 100755
--- a/dev/traffic_portal/run.sh
+++ b/dev/traffic_portal/run.sh
@@ -22,7 +22,7 @@ uid="$(stat -c%u "$TC")"
 gid="$(stat -c%g "$TC")"
 if [[ "$(id -u)" != "$uid" ]]; then
 for dir in "${TC}/.npm" .[a-z]* app/dist app/dist/public node_modules; do
- if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+ if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
 chown -R "${uid}:${gid}" "$dir"
 fi
 done
diff --git a/dev/traffic_router/run.sh b/dev/traffic_router/run.sh
index 3fd69ecad7..0e1907d519 100755
--- a/dev/traffic_router/run.sh
+++ b/dev/traffic_router/run.sh
@@ -25,7 +25,7 @@ uid="$(stat -c%u "$TC")"
 gid="$(stat -c%g "$TC")"
 if [[ "$(id -u)" != "$uid" ]]; then
 for dir in "${TC}/.m2" */target; do
- if [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+ if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
 chown -R "${uid}:${gid}" "$dir"
 fi
 done
From 6b495ee66074041011124142a84d7b30e49f1bc1 Mon Sep 17 00:00:00 2001
From: Zach Hoffman
Date: Tue, 8 Nov 2022 15:04:23 -0700
Subject: [PATCH 16/20] Remove /root GOPATH prefix
---
 dev/atc.dev.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dev/atc.dev.sh b/dev/atc.dev.sh
index 9d3a819c87..128f3e52c6 100644
--- a/dev/atc.dev.sh
+++ b/dev/atc.dev.sh
@@ -137,7 +137,7 @@ function atc {
 return "$?";
 }
-export t3cDir="/root/go/src/github.com/apache/trafficcontrol/cache-config";
+export t3cDir="/go/src/github.com/apache/trafficcontrol/cache-config";
 function t3c {
 trap 'atc-exec t3c ps | grep dlv | tr -s " " | cut -d " " -f1 | xargs docker exec trafficcontrol_t3c_1 kill' INT;
From a8ee3be92b3d3aad778a3ae82941393521c7e1c9 Mon Sep 17 00:00:00 2001
From: Zach Hoffman
Date: Wed, 9 Nov 2022 02:59:49 -0700
Subject: [PATCH 17/20] Explicitly allow non-root users to bind ports under 1024 to preserve nerdctl support
---
 docker-compose.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index f2b7b5a066..d9da0325cc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -33,6 +33,8 @@ services:
 ports:
 - 6443:443
 - 6444:6444
+ sysctls:
+ - net.ipv4.ip_unprivileged_port_start=0
 volumes:
 - .:/go/src/github.com/apache/trafficcontrol
@@ -57,6 +59,8 @@ services:
 image: trafficportal-dev
 ports:
 - 444:443
+ sysctls:
+ - net.ipv4.ip_unprivileged_port_start=0
 volumes:
 - .:/go/src/github.com/apache/trafficcontrol
 - ./.npm:/trafficportal/.npm
@@ -72,6 +76,8 @@ services:
 image: tpv2-dev
 ports:
 - 443:443
+ sysctls:
+ - net.ipv4.ip_unprivileged_port_start=0
 volumes:
 - .:/go/src/github.com/apache/trafficcontrol
 - ./.npm:/trafficportal/.npm
@@ -90,6 +96,8 @@ services:
 ports:
 - 80:80
 - 81:81
+ sysctls:
+ - net.ipv4.ip_unprivileged_port_start=0
 volumes:
 - .:/go/src/github.com/apache/trafficcontrol
@@ -108,6 +116,8 @@ services:
 ports:
 - 8080:80
 - 8081:8081
+ sysctls:
+ - net.ipv4.ip_unprivileged_port_start=0
 volumes:
 - .:/go/src/github.com/apache/trafficcontrol
@@ -128,6 +138,8 @@ services:
 - 3333:3333
 - 2222:3443
 - 5005:5005
+ sysctls:
+ - net.ipv4.ip_unprivileged_port_start=0
 volumes:
 - .:/go/src/github.com/apache/trafficcontrol
 - ./.m2:/home/trafficrouter/.m2
From 0150a2228918d7a9b4bd40a48ba31d9c03515a0f Mon Sep 17 00:00:00 2001
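Review bot: `net.ipv4.ip_unprivileged_port_start=0` lets any uid inside each container bind any port, which is broader than what the `ports:` entries show the services actually need (443, 80/81, 3443), and it is added six times without a comment saying why it is there; a reader of the compose file later has only the commit message to learn that it exists so the run.sh user switch keeps working under nerdctl. I would put a comment above the first occurrence, e.g. `# Services drop to an unprivileged user in dev/*/run.sh; this lets them bind ports below 1024 without root (needed for nerdctl per the commit that added it). Dev-only.`, and a one-line pointer at the other five. If nerdctl allows it, listening on a high port inside the container and mapping it in `ports:` would avoid changing the namespace-wide sysctl at all, but that is a larger change than this commit. The atc.dev.sh hunk on this line is a path fix and needs nothing.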
From: Zach Hoffman
Date: Thu, 10 Nov 2022 15:48:03 -0700
Subject: [PATCH 18/20] Get the user id of the current user, not explicitly the unprivileged user
---
 dev/t3c/run.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dev/t3c/run.sh b/dev/t3c/run.sh
index 540d9078e7..50cc6e95bc 100755
--- a/dev/t3c/run.sh
+++ b/dev/t3c/run.sh
@@ -26,7 +26,7 @@ cd "$TC/tc-health-client"
 user=ats
 uid="$(stat -c%u "$TC")"
 gid="$(stat -c%g "$TC")"
-if [[ "$(id -u "$user")" != "$uid" ]]; then
+if [[ "$(id -u)" != "$uid" ]]; then
 for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do
 if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
 chown -R "${uid}:${gid}" "$dir"
From fae6523eecadf4d6403b42a0c5f85227f17300b2 Mon Sep 17 00:00:00 2001
From: Zach Hoffman
Date: Thu, 10 Nov 2022 15:49:33 -0700
Subject: [PATCH 19/20] Run traffic_server without su
---
 dev/t3c/run.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dev/t3c/run.sh b/dev/t3c/run.sh
index 50cc6e95bc..e6e22a1f2f 100755
--- a/dev/t3c/run.sh
+++ b/dev/t3c/run.sh
@@ -68,7 +68,7 @@ while inotifywait --exclude '.*(\.md|\.json|\.pl|\.rst|_test\.go|\.gitignore|__d
 rm /var/trafficserver/server.lock;
 fi
 ps | grep traffic_server | grep -v grep | tr -s ' ' | cut -d ' ' -f2 | xargs kill
- su -c traffic_server ats &
+ traffic_server &
 # for whatever reason, without this the repeated call to inotifywait will
 # sometimes lose track of th current directory. It spits out:
 # Couldn't watch .: No such file or directory
From a1c83b0c544cc8e186e4e0849ab6220a73ffddb8 Mon Sep 17 00:00:00 2001
From: Zach Hoffman
Date: Thu, 10 Nov 2022 20:46:19 -0700
Subject: [PATCH 20/20] Run as unprivileged user before building db/admin
---
 dev/traffic_ops/run.sh | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/dev/traffic_ops/run.sh b/dev/traffic_ops/run.sh
index f65c029ab1..69ddecd350 100755
--- a/dev/traffic_ops/run.sh
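Review bot: The new `traffic_server &` in the PATCH 19 hunk discards the background PID, so the restart path two lines above it still has to locate the server with `ps | grep traffic_server | grep -v grep | ... | xargs kill`, which signals any process whose command line contains that string and does nothing useful when the match is empty; now that the server is a direct child rather than a `su` wrapper, capturing the PID is both simpler and exact. Change the new line to `traffic_server & ats_pid=$!` (and the initial start, which lies outside the hunk, the same way) and replace the `ps` pipeline with `kill "$ats_pid"`. Under `set -o errexit` a failed start of a backgrounded job is not reported either, so a `wait`-based check or a log line after the restart would be worth adding. The enclosing `while inotifywait` loop starts before the hunk; the PATCH 18 hunk above is a one-token fix and needs nothing.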
+++ b/dev/traffic_ops/run.sh
@@ -20,16 +20,6 @@ set -o errexit
 set -o xtrace
 trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' EXIT
-cd "$TC"
-
-while ! pg_isready -h db -p 5432 -d postgres; do
- echo "waiting for db on postgresql://db:5432/postgres";
- sleep 3;
-done
-
-make traffic_ops/app/db/admin
-cd "$TC/dev/traffic_ops"
-
 user=trafficops
 uid="$(stat -c%u "$TC")"
 gid="$(stat -c%g "$TC")"
@@ -45,6 +35,16 @@ if [[ "$(id -u)" != "$uid" ]]; then
 exec su "$user" -- "$0"
 fi
+cd "$TC"
+
+while ! pg_isready -h db -p 5432 -d postgres; do
+ echo "waiting for db on postgresql://db:5432/postgres";
+ sleep 3;
+done
+
+make traffic_ops/app/db/admin
+cd "$TC/dev/traffic_ops"
+
 "$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" reset
 "$ADMIN" -c ./dbconf.yml -s "$TC/traffic_ops/app/db/create_tables.sql" -S "$TC/traffic_ops/app/db/seeds.sql" -p "$TC/traffic_ops/app/db/patches.sql" -m "$TC/traffic_ops/app/db/migrations" upgrade
 "$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" reset
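Review bot: The `while ! pg_isready ...; do sleep 3; done` loop moved into the unprivileged path has no upper bound, so a database that never becomes ready leaves the container looping forever, emitting a trace line every three seconds, instead of exiting non-zero where `docker compose` would surface the failure. A bounded retry keeps the happy path unchanged: add `attempts=0` before the loop and `(( ++attempts <= 100 )) || { echo "db not ready after ${attempts} attempts" >&2; exit 1; }` as the first statement in its body (the limit is a constructed example; pick what fits the dev cycle). The `make traffic_ops/app/db/admin` that follows now runs as the service user, so it depends on the `chown` of `${GOPATH}/pkg` in the root branch above; a comment such as `# runs as $user: GOPATH/pkg was chowned above so the build can write the module cache` would make that ordering constraint explicit. The preceding hunk on this line is the matching removal and the `if` block it references begins outside both hunks.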