Run CDN in a Box for Developers services as unprivileged users

dev/atc.dev.sh

@@ -137,7 +137,7 @@ function atc {
 	return "$?";
 }
 
-export t3cDir="/root/go/src/github.com/apache/trafficcontrol/cache-config";
+export t3cDir="/go/src/github.com/apache/trafficcontrol/cache-config";
 
 function t3c {
 	trap 'atc-exec t3c ps | grep dlv | tr -s " " | cut -d " " -f1 | xargs docker exec trafficcontrol_t3c_1 kill' INT;

dev/t3c/Dockerfile

@@ -23,7 +23,7 @@ ENV PATH=/usr/local/go/bin:${PATH} \
 	GOPATH=/go
 ENV PATH=${GOPATH}/bin:${PATH}
 
-ENV TC="/root/go/src/github.com/apache/trafficcontrol/" GOFLAGS="--buildvcs=false"
+ENV TC="/go/src/github.com/apache/trafficcontrol" GOFLAGS="--buildvcs=false"
 VOLUME $TC
 EXPOSE 80 8081
 
@@ -35,8 +35,9 @@ RUN apk add --no-cache \
 	make \
 	# gcc and musl-dev are used to build packages using CGO
 	gcc musl-dev && \
-	go install github.com/go-delve/delve/cmd/dlv@latest
+	go install github.com/go-delve/delve/cmd/dlv@latest && \
+	rm -rf $GOPATH/pkg/*
 
 RUN echo "stats_over_http.so" >> /etc/trafficserver/plugin.config && echo "system_stats.so" >> /etc/trafficserver/plugin.config
 
-CMD /root/go/src/github.com/apache/trafficcontrol/dev/t3c/run.sh
+CMD ${TC}/dev/t3c/run.sh

dev/t3c/run.sh

@@ -18,9 +18,27 @@
 # under the License.
 
 set -o errexit
+set -o xtrace
 trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' EXIT
 
 cd "$TC/tc-health-client"
+
+user=ats
+uid="$(stat -c%u "$TC")"
+gid="$(stat -c%g "$TC")"
+if [[ "$(id -u)" != "$uid" ]]; then
+	for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do
+		if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+			chown -R "${uid}:${gid}" "$dir"
+		fi
+	done
+
+	sed -Ei "s/^(${user}:.*:)([0-9]+:){2}(.*)/\1${uid}:${gid}:\3/" /etc/passwd
+	sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group
+	chown -R "${uid}:${gid}" /usr/bin "/home/${user}" /etc/trafficserver /var/log/trafficserver /var/trafficserver
+	exec su "$user" -- "$0"
+fi
+
 go build --gcflags "all=-N -l" .
 
 cd "$TC/cache-config"
@@ -38,19 +56,19 @@ if [[ ! -f /usr/bin/tc-health-client ]]; then
 	ln -s "$TC/tc-health-client/tc-health-client" /usr/bin/
 fi
 
-su -c traffic_server ats &
+traffic_server &
 
 while inotifywait --exclude '.*(\.md|\.json|\.pl|\.rst|_test\.go|\.gitignore|__debug_bin|-logrotate|.service)$|^\./(build|t3c-check-refs/test-files|testing|t3util/testing|tm-health-client/(config|tmagent)/test_files)/.*' -e modify -r . ; do
 	T3C_PID="$(ps | grep t3c | grep -v grep | grep -v inotifywait | grep -v run.sh | tr -s ' ' | cut -d ' ' -f2)"
-	if [[ ! -z "$T3"]]; then
+	if [[ ! -z "$T3" ]]; then
 		echo "$T3C_PID" | xargs kill;
 	fi
 	# TODO: is it even necessary to restart ATS?
 	if [[ -f /var/trafficserver/server.lock ]]; then
 		rm /var/trafficserver/server.lock;
 	fi
 	ps | grep traffic_server | grep -v grep | tr -s ' ' | cut -d ' ' -f2 | xargs kill
-	su -c traffic_server ats &
+	traffic_server &
 	# for whatever reason, without this the repeated call to inotifywait will
 	# sometimes lose track of th current directory. It spits out:
 	# Couldn't watch .: No such file or directory

dev/tpv2/Dockerfile

@@ -20,14 +20,15 @@ RUN openssl genrsa -passout pass:x -out server.pass.key 2048 && \
 	openssl req -new -key server.key -out server.csr \
 		-subj "/C=US/ST=CO/L=Denver/O=Apache/OU=Traffic Control/CN=trafficops.dev.ciab.test" && \
 	openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt && \
-	openssl rand 32 | base64 > /aes.key
+	openssl rand 32 | base64 > /aes.key && \
+    chmod 644 /server.key /aes.key
 
 FROM node:14-bullseye AS tpv2-dev
 
-ENV TC="/root/go/src/github.com/apache/trafficcontrol/"
-VOLUME /root/go/src/github.com/apache/trafficcontrol
+ENV TC="/go/src/github.com/apache/trafficcontrol"
+VOLUME $TC
 EXPOSE 443
 
 COPY --from=certbuilder /server.key /server.crt /
 
-CMD /root/go/src/github.com/apache/trafficcontrol/dev/tpv2/run.sh
+CMD ${TC}/dev/tpv2/run.sh

dev/tpv2/run.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -16,5 +16,24 @@
 set -o errexit
 
 cd "$TC/experimental/traffic-portal"
+
+user=tpv2
+uid="$(stat -c%u "$TC")"
+gid="$(stat -c%g "$TC")"
+if [[ "$(id -u)" != "$uid" ]]; then
+	for dir in "${TC}/.npm" .angular node_modules; do
+		if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+			chown -R "${uid}:${gid}" "$dir"
+		fi
+	done
+
+	if ! adduser --disabled-password -u "$uid" "$user"; then
+		user="$(cat /etc/passwd | grep :x:${uid}: | cut -d: -f1)"
+	fi
+	sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group
+	chown "${uid}:${gid}" /usr/bin
+	exec su "$user" -- "$0"
+fi
+
 npm ci --ignore-scripts
 ./node_modules/.bin/ng serve --ssl --ssl-cert /server.crt --ssl-key /server.key --watch --proxy-config "$TC/dev/tpv2/proxy.json" --port 443 --host "::0" --live-reload

dev/traffic_monitor/Dockerfile

@@ -14,11 +14,13 @@
 ARG GO_VERSION
 FROM golang:${GO_VERSION}-alpine AS trafficmonitor-dev
 
-ENV TC=/root/go/src/github.com/apache/trafficcontrol GOFLAGS="--buildvcs=false"
-VOLUME /root/go/src/github.com/apache/trafficcontrol
+ENV TC=/go/src/github.com/apache/trafficcontrol GOFLAGS="--buildvcs=false"
+VOLUME $TC
 EXPOSE 80 81
 
-RUN apk add --no-cache inotify-tools gcc libc-dev && go install github.com/go-delve/delve/cmd/dlv@latest && ln -s /root/go/bin/dlv /usr/bin/dlv
+RUN apk add --no-cache inotify-tools gcc libc-dev && \
+	go install github.com/go-delve/delve/cmd/dlv@latest && \
+	rm -rf $GOPATH/pkg/*
 RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
 
-CMD /root/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/run.sh
+CMD ${TC}/dev/traffic_monitor/run.sh

dev/traffic_monitor/run.sh

@@ -17,9 +17,24 @@
 # under the License.
 
 set -o errexit
+set -o xtrace
 trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' EXIT
 
 cd "$TC/traffic_monitor"
+user=trafficmonitor
+uid="$(stat -c%u "$TC")"
+gid="$(stat -c%g "$TC")"
+if [[ "$(id -u)" != "$uid" ]]; then
+	for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do
+		if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+			chown -R "${uid}:${gid}" "$dir"
+		fi
+	done
+
+	adduser -Du"$uid" "$user"
+	sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group
+	exec su "$user" -- "$0"
+fi
 
 dlv --accept-multiclient --continue --listen=:81 --headless --api-version=2 debug -- --opsCfg="$TC/dev/traffic_monitor/ops.config.json" --config="$TC/dev/traffic_monitor/tm.config.json" &
 

dev/traffic_monitor/tm.config.json

@@ -12,7 +12,7 @@
 	"log_location_debug": "stdout",
 	"serve_read_timeout_ms": 86400000,
 	"serve_write_timeout_ms": 86400000,
-	"static_file_dir": "/root/go/src/github.com/apache/trafficcontrol/traffic_monitor/static/",
-	"crconfig_backup_file": "/root/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/snapshot.backup.json",
-	"tmconfig_backup_file": "/root/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/monitoring.snapshot.backup.json"
+	"static_file_dir": "/go/src/github.com/apache/trafficcontrol/traffic_monitor/static/",
+	"crconfig_backup_file": "/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/snapshot.backup.json",
+	"tmconfig_backup_file": "/go/src/github.com/apache/trafficcontrol/dev/traffic_monitor/monitoring.snapshot.backup.json"
 }

dev/traffic_ops/Dockerfile

@@ -20,22 +20,23 @@ RUN openssl genrsa -passout pass:x -out server.pass.key 2048 && \
 	openssl req -new -key server.key -out server.csr \
 		-subj "/C=US/ST=CO/L=Denver/O=Apache/OU=Traffic Control/CN=trafficops.dev.ciab.test" && \
 	openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt && \
-	openssl rand 32 | base64 > /aes.key
+	openssl rand 32 | base64 > /aes.key && \
+	chmod 644 /server.key /aes.key
 
 FROM golang:${GO_VERSION}-alpine AS trafficops-dev
 
-ENV TC="/root/go/src/github.com/apache/trafficcontrol/" GOFLAGS="--buildvcs=false"
-VOLUME /root/go/src/github.com/apache/trafficcontrol
+ENV TC="/go/src/github.com/apache/trafficcontrol" GOFLAGS="--buildvcs=false"
+VOLUME $TC
 ENV ADMIN="$TC/traffic_ops/app/db/admin"
 EXPOSE 443 6444
 
 COPY --from=certbuilder /server.key /server.crt /aes.key /
 RUN apk add --no-cache make inotify-tools postgresql-client gcc libc-dev && \
 	go install github.com/go-delve/delve/cmd/dlv@latest && \
-	ln -s /root/go/bin/dlv /usr/bin/dlv
+	rm -rf $GOPATH/pkg/*
 RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
 
 COPY .pgpass /root/.pgpass
 RUN chmod 0600 /root/.pgpass
 
-CMD /root/go/src/github.com/apache/trafficcontrol/dev/traffic_ops/run.sh
+CMD $TC/dev/traffic_ops/run.sh

dev/traffic_ops/run.sh

@@ -17,14 +17,31 @@
 # under the License.
 
 set -o errexit
+set -o xtrace
 trap '[ $? -eq 0 ] && exit 0 || echo "Error on line ${LINENO} of ${0}"; exit 1' EXIT
 
+user=trafficops
+uid="$(stat -c%u "$TC")"
+gid="$(stat -c%g "$TC")"
+if [[ "$(id -u)" != "$uid" ]]; then
+	for dir in "${GOPATH}/bin" "${GOPATH}/pkg"; do
+		if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+			chown -R "${uid}:${gid}" "$dir"
+		fi
+	done
+
+	adduser -Du"$uid" "$user"
+	sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group
+	exec su "$user" -- "$0"
+fi
+
+cd "$TC"
+
 while ! pg_isready -h db -p 5432 -d postgres; do
 	echo "waiting for db on postgresql://db:5432/postgres";
 	sleep 3;
 done
 
-cd "$TC"
 make traffic_ops/app/db/admin
 cd "$TC/dev/traffic_ops"
 
@@ -33,8 +50,10 @@ cd "$TC/dev/traffic_ops"
 "$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" reset
 "$ADMIN" -v -c ./traffic.vault.dbconf.yml -s "$TC/traffic_ops/app/db/trafficvault/create_tables.sql" -m "$TC/traffic_ops/app/db/trafficvault/migrations" upgrade
 
+
 psql -d 'postgres://traffic_ops:twelve12@db:5432/traffic_ops_development?sslmode=disable' -f ./seed.psql
 
+
 cd "$TC/traffic_ops/traffic_ops_golang"
 
 dlv --accept-multiclient --continue --listen=:6444 --headless --api-version=2 debug -- --cfg=../../dev/traffic_ops/cdn.json --dbcfg=../../dev/traffic_ops/db.config.json &

dev/traffic_portal/Dockerfile

@@ -19,15 +19,16 @@ RUN openssl genrsa -passout pass:x -out server.pass.key 2048 && \
 	openssl req -new -key server.key -out server.csr \
 		-subj "/C=US/ST=CO/L=Denver/O=Apache/OU=Traffic Control/CN=trafficops.dev.ciab.test" && \
 	openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt && \
-	openssl rand 32 | base64 > /aes.key
+	openssl rand 32 | base64 > /aes.key && \
+    chmod 644 /server.key /aes.key
 
 FROM node:14-bullseye AS trafficportal-dev
 
-ENV TC="/root/go/src/github.com/apache/trafficcontrol/"
-VOLUME /root/go/src/github.com/apache/trafficcontrol
+ENV TC="/go/src/github.com/apache/trafficcontrol"
+VOLUME $TC
 EXPOSE 443
 ENV TP_SERVER_CONFIG_FILE="$TC/dev/traffic_portal/config.js"
 
 COPY --from=certbuilder /server.key /server.crt /
 
-CMD /root/go/src/github.com/apache/trafficcontrol/dev/traffic_portal/run.sh
+CMD ${TC}/dev/traffic_portal/run.sh

dev/traffic_portal/config.js

@@ -31,7 +31,7 @@ module.exports = {
         base_url: 'https://trafficops:443/api/'
     },
     files: {
-        static: '/root/go/src/github.com/apache/trafficcontrol/traffic_portal/app/dist/public'
+        static: '/go/src/github.com/apache/trafficcontrol/traffic_portal/app/dist/public'
     },
     log: null,
     reject_unauthorized: 0

dev/traffic_portal/run.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -13,8 +13,27 @@
 #  limitations under the License.
 #
 
-set -o errexit
+set -o errexit -o nounset
 
 cd "$TC/traffic_portal"
+
+user=trafficportal
+uid="$(stat -c%u "$TC")"
+gid="$(stat -c%g "$TC")"
+if [[ "$(id -u)" != "$uid" ]]; then
+	for dir in "${TC}/.npm"  .[a-z]* app/dist app/dist/public node_modules; do
+		if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+			chown -R "${uid}:${gid}" "$dir"
+		fi
+	done
+
+	if ! adduser --disabled-password -u "$uid" "$user"; then
+		user="$(cat /etc/passwd | grep :x:${uid}: | cut -d: -f1)"
+	fi
+	sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group
+	chown "${uid}:${gid}" /usr/bin
+	exec su "$user" -- "$0"
+fi
+
 npm ci
 ./node_modules/.bin/grunt

dev/traffic_router/run.sh

@@ -16,20 +16,27 @@
 # specific language governing permissions and limitations
 # under the License.
 
-set -o errexit
-
-
-
+set -o errexit -o nounset
 
 cd "$TC/traffic_router"
+
 user=trafficrouter
-uid="$(stat -c%u .)"
-gid="$(stat -c%g .)"
-adduser -Du"$uid" "$user"
-sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group
-chown -R "${uid}:${gid}" /opt
+uid="$(stat -c%u "$TC")"
+gid="$(stat -c%g "$TC")"
+if [[ "$(id -u)" != "$uid" ]]; then
+	for dir in "${TC}/.m2"  */target; do
+		if [[ -e "$dir" ]] && [[ "$(stat -c%u "$dir")" -ne "$uid" || "$(stat -c%g "$dir")" -ne "$gid" ]] ; then
+			chown -R "${uid}:${gid}" "$dir"
+		fi
+	done
+
+	adduser -Du"$uid" "$user"
+	sed -Ei "s/^(${user}:.*:)[0-9]+(:)$/\1${gid}\2/" /etc/group
+	chown -R "${uid}:${gid}" /opt
+	exec su "$user" -- "$0"
+fi
 
-su "$user" -- /usr/bin/mvn -Dmaven.test.skip=true compile package -P \!rpm-build
+mvn -Dmaven.test.skip=true compile package -P \!rpm-build
 
 cd "$TC/dev/traffic_router"
-exec su "$user" -- /opt/tomcat/bin/catalina.sh jpda run
+exec /opt/tomcat/bin/catalina.sh jpda run