From 5dc7e5651dca608dfecf419d4d65481f56e38b66 Mon Sep 17 00:00:00 2001
From: Lenny Goodell <44779287+lenny-intel@users.noreply.github.com>
Date: Wed, 24 Mar 2021 09:12:40 -0700
Subject: [PATCH] refactor: Rework entry point scripts to run 'listenTcp' command as non-root (#3292)
* refactor: Rework entry point scripts to run 'listenTcp' command as non-root closes #3221
Signed-off-by: lenny
---
 .../entrypoint-scripts/consul_wait_install.sh | 2 +-
 .../entrypoint-scripts/postgres_wait_install.sh | 2 +-
 cmd/security-secretstore-setup/Dockerfile | 2 +-
 cmd/security-secretstore-setup/entrypoint.sh | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh b/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh
index 5fc58b5a01..ed5dffa00a 100755
--- a/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh
+++ b/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh
@@ -111,7 +111,7 @@ else
 fi
 # Signal that Consul is ready for services blocked waiting on Consul
-/edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
+exec su-exec consul /edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
 --port="${STAGEGATE_REGISTRY_READYPORT}" --host="${STAGEGATE_REGISTRY_HOST}"
 if [ $? -ne 0 ]; then
 echo "$(date) failed to gating the consul ready port, exits"
diff --git a/cmd/security-bootstrapper/entrypoint-scripts/postgres_wait_install.sh b/cmd/security-bootstrapper/entrypoint-scripts/postgres_wait_install.sh
index 3579d0ba4a..10925d9ec1 100755
--- a/cmd/security-bootstrapper/entrypoint-scripts/postgres_wait_install.sh
+++ b/cmd/security-bootstrapper/entrypoint-scripts/postgres_wait_install.sh
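Review bot: The `if [ $? -ne 0 ]` check that follows the new `exec su-exec consul …` line in consul_wait_install.sh is now effectively dead code, because `exec` replaces the shell and nothing after that line runs once the listener has started, so the "failed to gating the consul ready port" message is never printed on a listener failure. The same pattern appears in the postgres_wait_install.sh and secretstore-setup entrypoint.sh hunks. I would remove the trailing check in all three and leave a comment such as `# exec: listenTcp's exit status becomes the container's; nothing below this line runs`. The scripts also now depend on `su-exec` and on the `consul` and `postgres` accounts being present in their images, which this patch does not show; only the secretstore-setup Dockerfile gains the package, so that is worth confirming. The rest of the `if` block lies outside the hunk.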
@@ -93,7 +93,7 @@ done
 echo "$(date) ${STAGEGATE_KONGDB_HOST} is initialized"
 # Signal that Postgres is ready for services blocked waiting on Postgres
-/edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
+exec su-exec postgres /edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
 --port="${STAGEGATE_KONGDB_READYPORT}" --host="${STAGEGATE_KONGDB_HOST}"
 if [ $? -ne 0 ]; then
 echo "$(date) failed to gating the postgres ready port, exits"
diff --git a/cmd/security-secretstore-setup/Dockerfile b/cmd/security-secretstore-setup/Dockerfile
index 806ed825b5..cee3f8c21f 100644
--- a/cmd/security-secretstore-setup/Dockerfile
+++ b/cmd/security-secretstore-setup/Dockerfile
@@ -36,7 +36,7 @@ RUN make cmd/security-file-token-provider/security-file-token-provider \
 FROM alpine:3.12
-RUN apk add --update --no-cache ca-certificates dumb-init curl
+RUN apk add --update --no-cache ca-certificates dumb-init curl su-exec
 LABEL license='SPDX-License-Identifier: Apache-2.0' \
 copyright='Copyright (c) 2019: Dell Technologies, Inc.'
diff --git a/cmd/security-secretstore-setup/entrypoint.sh b/cmd/security-secretstore-setup/entrypoint.sh
index d3ecf2b3a1..090902fbbe 100644
--- a/cmd/security-secretstore-setup/entrypoint.sh
+++ b/cmd/security-secretstore-setup/entrypoint.sh
@@ -36,7 +36,7 @@ echo "$(date) Changing ownership of secrets to ${EDGEX_USER}:${EDGEX_GROUP}"
 chown -Rh ${EDGEX_USER}:${EDGEX_GROUP} /tmp/edgex/secrets
 # Signal tokens ready port for other services waiting on
-/edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
+exec su-exec ${EDGEX_USER} /edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
 --port="${STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT}" --host="${STAGEGATE_SECRETSTORESETUP_HOST}"
 if [ $? -ne 0 ]; then
 echo "$(date) failed to gating the tokens ready port"
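Review bot: `${EDGEX_USER}` is expanded unquoted on the new `exec su-exec` line in entrypoint.sh, so an empty or unset value drops out of the command and su-exec is handed the bootstrapper path as its user spec, while a value containing whitespace is split into several arguments. Since this line is the privilege drop, I would make it fail loudly instead: `exec su-exec "${EDGEX_USER:?EDGEX_USER must be set}" /edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \`. Passing `"${EDGEX_USER}:${EDGEX_GROUP}"` as the user spec would also pin the group to the one the preceding `chown` uses rather than the account's default group. Where EDGEX_USER is assigned is not visible in this hunk, so how likely an empty value is cannot be judged from here.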