Skip to content

Commit

Permalink
feat: changing owner while creating container for download support (#…
Browse files Browse the repository at this point in the history
…2056)

Signed-off-by: Viet Nguyen Duc <[email protected]>
  • Loading branch information
VietND96 authored Dec 11, 2023
1 parent a010cb0 commit 9f187e0
Show file tree
Hide file tree
Showing 17 changed files with 213 additions and 102 deletions.
100 changes: 70 additions & 30 deletions Base/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,8 +1,19 @@
FROM ubuntu:jammy-20231004
LABEL authors="Selenium <[email protected]>"

# Arguments to define the version of dependencies to download
ARG VERSION
ARG RELEASE=selenium-${VERSION}
ARG OPENTELEMETRY_VERSION=1.31.0
ARG GRPC_VERSION=1.59.0

#Arguments to define the user running Selenium
ARG SEL_USER=seluser
ARG SEL_PASSWD=secret
ARG SEL_UID=1200
ARG SEL_GID=1201

USER root
#================================================
# Customize sources for apt-get
#================================================
Expand Down Expand Up @@ -33,6 +44,7 @@ RUN apt-get -qqy update \
curl \
supervisor \
gnupg2 \
libnss3-tools \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/* \
&& sed -i 's/securerandom\.source=file:\/dev\/random/securerandom\.source=file:\/dev\/urandom/' ./usr/lib/jvm/java-11-openjdk-amd64/conf/security/java.security

Expand All @@ -45,64 +57,92 @@ RUN ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime && \
dpkg-reconfigure -f noninteractive tzdata && \
cat /etc/timezone

#======================================
# Configure environement
#======================================
ENV SEL_USER=${SEL_USER}
ENV SEL_UID=${SEL_UID}
ENV SEL_GID=${SEL_GID}
ENV HOME=/home/${SEL_USER}
ENV SEL_DIR=/opt/selenium
ENV EXTERNAL_JARS=/external_jars
ENV SE_DOWNLOAD_DIR=${HOME}/Downloads

# Copy a script that we will use to correct permissions after running certain commands
COPY fix-permissions /usr/local/bin/fix-permissions
RUN chmod a+rx /usr/local/bin/fix-permissions

#========================================
# Add normal user and group with passwordless sudo
#========================================
RUN groupadd seluser \
--gid 1201 \
&& useradd seluser \
--create-home \
--gid 1201 \
--shell /bin/bash \
--uid 1200 \
&& usermod -a -G sudo seluser \
&& echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \
&& echo 'seluser:secret' | chpasswd
ENV HOME=/home/seluser
RUN echo "auth requisite pam_deny.so" >> /etc/pam.d/su \
&& sed -i.bak -e 's/^%admin/#%admin/' /etc/sudoers \
&& sed -i.bak -e 's/^%sudo/#%sudo/' /etc/sudoers \
&& echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers

RUN groupadd ${SEL_USER} \
--gid ${SEL_GID} \
&& useradd ${SEL_USER} \
--no-log-init \
--create-home \
--gid ${SEL_GID} \
--shell /bin/bash \
--uid ${SEL_UID} \
&& chmod g+w /etc/passwd \
&& echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd

#======================================
# Create directories needed
#======================================
RUN mkdir -p ${HOME}/.mozilla ${HOME}/.cache \
${SEL_DIR} ${SEL_DIR}/assets \
/var/run/supervisor /var/log/supervisor \
${EXTERNAL_JARS} \
${SE_DOWNLOAD_DIR}

#======================================
# Add Grid check script
#======================================
COPY check-grid.sh entry_point.sh /opt/bin/
COPY --chown="${SEL_UID}:${SEL_GID}" check-grid.sh entry_point.sh /opt/bin/

#======================================
# Add Supervisor configuration file
#======================================
COPY supervisord.conf /etc

#==========
# Selenium & relaxing permissions for OpenShift and other non-sudo environments
# Selenium
#==========
RUN mkdir -p /opt/selenium /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
&& touch /opt/selenium/config.toml \
&& chmod -R 777 /opt/selenium /opt/selenium/assets /var/run/supervisor /var/log/supervisor /etc/passwd \
RUN touch ${SEL_DIR}/config.toml \
&& wget --no-verbose https://github.com/SeleniumHQ/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \
-O /opt/selenium/selenium-server.jar \
&& chgrp -R 0 /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
&& chmod -R g=u /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
&& setfacl -Rm u:seluser:rwx /opt /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor
-O ${SEL_DIR}/selenium-server.jar

#=====
# Download observability related jaegar jars and make them available in a separate directory
# so that the container can skip downloading them everytime it comes up
#=====
RUN curl -fLo /tmp/cs https://github.com/coursier/launchers/raw/master/coursier \
&& chmod +x /tmp/cs \
&& mkdir -p /external_jars \
&& chmod -R 775 /external_jars
&& chmod +x /tmp/cs

RUN /tmp/cs fetch --classpath --cache /external_jars \
io.opentelemetry:opentelemetry-exporter-otlp:1.31.0 \
io.opentelemetry:opentelemetry-exporter-jaeger:1.31.0 \
io.grpc:grpc-netty:1.59.0 > /external_jars/.classpath.txt

RUN chmod 664 /external_jars/.classpath.txt
RUN /tmp/cs fetch --classpath --cache ${EXTERNAL_JARS} \
io.opentelemetry:opentelemetry-exporter-otlp:${OPENTELEMETRY_VERSION} \
io.opentelemetry:opentelemetry-exporter-jaeger:${OPENTELEMETRY_VERSION} \
io.grpc:grpc-netty:${GRPC_VERSION} > ${EXTERNAL_JARS}/.classpath.txt
RUN rm -fr /root/.cache/*

# Change ownership of directories
RUN chown -R "${SEL_USER}:${SEL_GID}" ${HOME} ${SEL_DIR} ${SEL_DIR}/assets ${EXTERNAL_JARS} ${SE_DOWNLOAD_DIR} /var/run/supervisor /var/log/supervisor \
&& fix-permissions ${HOME} ${SEL_DIR} ${SEL_DIR}/assets ${EXTERNAL_JARS} ${SE_DOWNLOAD_DIR} /var/run/supervisor /var/log/supervisor

#==========
# Relaxing permissions for OpenShift and other non-sudo environments
#==========
RUN chmod g=u /etc/passwd

#===================================================
# Run the following commands as non-privileged user
#===================================================
USER 1200:1201
USER ${SEL_UID}:${SEL_GID}

# Boolean value, maps "--bind-host"
ENV SE_BIND_HOST false
Expand Down
36 changes: 35 additions & 1 deletion Base/entry_point.sh
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
#!/usr/bin/env bash
_log () {
if [[ "$*" == "ERROR:"* ]] || [[ "$*" == "WARNING:"* ]] || [[ "${CONTAINER_LOGS_QUIET}" == "" ]]; then
echo "$@"
fi
}

#==============================================
# OpenShift or non-sudo environments support
Expand All @@ -7,10 +12,39 @@

if ! whoami &> /dev/null; then
if [ -w /etc/passwd ]; then
echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
echo "${USER_NAME:-${SEL_USER}}:x:$(id -u):0:${USER_NAME:-${SEL_USER}} user:${HOME}:${SE_DOWNLOAD_DIR}:/var:/opt:/sbin/nologin" >> /etc/passwd
fi
fi

MKDIR_EXTRA=${SE_DOWNLOAD_DIR}","${MKDIR_EXTRA}
CHOWN_EXTRA=${MKDIR_EXTRA}","${CHOWN_EXTRA}

if [ -n "${MKDIR_EXTRA}" ]; then
for extra_dir in $(echo "${MKDIR_EXTRA}" | tr ',' ' '); do
_log "Creating directory ${extra_dir} ${MKDIR_EXTRA_OPTS:+(mkdir options: ${MKDIR_EXTRA_OPTS})}"
# shellcheck disable=SC2086
sudo mkdir ${MKDIR_EXTRA_OPTS:-"-p"} "${extra_dir}"
done
fi

if [ -n "${CHOWN_EXTRA}" ]; then
for extra_dir in $(echo "${CHOWN_EXTRA}" | tr ',' ' '); do
_log "Changing ${extra_dir} ownership. ${extra_dir} is owned by ${SEL_USER} ${CHOWN_EXTRA_OPTS:+(chown options: ${CHOWN_EXTRA_OPTS})}"
# shellcheck disable=SC2086
sudo chown ${CHOWN_EXTRA_OPTS:-"-R"} "${SEL_UID}:${SEL_GID}" "${extra_dir}"
sudo -E fix-permissions "${extra_dir}"
done
fi

# Raise error if the user isn't able to write files to download dir
if [ -n "${CHOWN_EXTRA}" ]; then
for extra_dir in $(echo "${CHOWN_EXTRA}" | tr ',' ' '); do
if [[ ! -w ${extra_dir} ]]; then
_log "ERROR: no write access to download dir ${SE_DOWNLOAD_DIR}. Please correct the permissions and restart."
fi
done
fi

/usr/bin/supervisord --configuration /etc/supervisord.conf &

SUPERVISOR_PID=$!
Expand Down
23 changes: 23 additions & 0 deletions Base/fix-permissions
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
#!/bin/bash
set -e
# Run this with USER root only
for d in "$@"; do
find "${d}" \
! \( \
-group "${SEL_GID}" \
-a -perm -g+rwX \
\) \
-exec chgrp -R "${SEL_GID}" -- {} \+ \
-exec chmod -R g+rwX -- {} \+
# setuid, setgid *on directories only*
find "${d}" \
\( \
-type d \
-a ! -perm -6000 \
\) \
-exec chmod -R +6000 -- {} \+
# Relaxing permissions for OpenShift and other non-sudo environments
chmod -R u+x "${d}"
chgrp -R 0 "${d}"
chmod -R g=u "${d}"
done
4 changes: 2 additions & 2 deletions Distributor/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,15 @@ ARG AUTHORS
FROM ${NAMESPACE}/base:${VERSION}
LABEL authors=${AUTHORS}

USER 1200
USER ${SEL_UID}

#========================
# Selenium Distributor Configuration
#========================

EXPOSE 5553

COPY start-selenium-grid-distributor.sh \
COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-grid-distributor.sh \
/opt/bin/

COPY selenium-grid-distributor.conf /etc/supervisor/conf.d/
4 changes: 2 additions & 2 deletions EventBus/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ ARG AUTHORS
FROM ${NAMESPACE}/base:${VERSION}
LABEL authors=${AUTHORS}

USER 1200
USER ${SEL_UID}

#=================================
# Selenium Event Bus Configuration
Expand All @@ -17,7 +17,7 @@ EXPOSE 4443
# Event Bus port
EXPOSE 5557

COPY start-selenium-grid-eventbus.sh \
COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-grid-eventbus.sh \
/opt/bin/

COPY selenium-grid-eventbus.conf /etc/supervisor/conf.d/
4 changes: 2 additions & 2 deletions Hub/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ ARG AUTHORS
FROM ${NAMESPACE}/base:${VERSION}
LABEL authors=${AUTHORS}

USER 1200
USER ${SEL_UID}

#========================
# Selenium Hub Configuration
Expand All @@ -21,7 +21,7 @@ ENV SE_SESSION_RETRY_INTERVAL 15
# Boolean value, maps "--relax-checks"
ENV SE_RELAX_CHECKS true

COPY start-selenium-grid-hub.sh \
COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-grid-hub.sh \
/opt/bin/

COPY selenium-grid-hub.conf /etc/supervisor/conf.d/
43 changes: 19 additions & 24 deletions NodeBase/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -112,16 +112,31 @@ RUN wget -nv -O noVNC.zip \
#=========================================================================================================================================
RUN chmod +x /dev/shm

# Creating base directory for Xvfb
RUN mkdir -p /tmp/.X11-unix && \
fix-permissions /tmp/.X11-unix

#==============================
# Generating the VNC password based on the ${SE_VNC_PASSWORD}
# Changing ownership to ${SEL_USER}, so the service can be started
#==============================

ENV SE_VNC_PASSWORD=secret
RUN mkdir -p ${HOME}/.vnc \
&& x11vnc -storepasswd ${SE_VNC_PASSWORD} ${HOME}/.vnc/passwd \
&& chown -R "${SEL_UID}:${SEL_GID}" ${HOME}/.vnc \
&& fix-permissions ${HOME}/.vnc

#===================================================
# Run the following commands as non-privileged user
#===================================================

USER 1200
USER ${SEL_UID}

#==============================
# Scripts to run Selenium Node and XVFB
#==============================
COPY start-selenium-node.sh \
COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-node.sh \
start-xvfb.sh \
/opt/bin/

Expand All @@ -130,25 +145,10 @@ COPY start-selenium-node.sh \
#==============================
COPY selenium.conf /etc/supervisor/conf.d/

#==============================
# Generating the VNC password as seluser
# So the service can be started with seluser
#==============================

RUN mkdir -p ${HOME}/.vnc \
&& x11vnc -storepasswd secret ${HOME}/.vnc/passwd

#==========
# Relaxing permissions for OpenShift and other non-sudo environments
#==========
RUN sudo chmod -R 775 ${HOME} \
&& sudo chgrp -R 0 ${HOME} \
&& sudo chmod -R g=u ${HOME}

#==============================
# Scripts to run fluxbox, x11vnc and noVNC
#==============================
COPY start-vnc.sh \
COPY --chown="${SEL_UID}:${SEL_GID}" start-vnc.sh \
start-novnc.sh \
/opt/bin/

Expand Down Expand Up @@ -180,8 +180,6 @@ ENV SE_DRAIN_AFTER_SESSION_COUNT 0
# Setting Selenium Manager to work offline
ENV SE_OFFLINE true



#========================
# Selenium Configuration
#========================
Expand All @@ -195,10 +193,7 @@ ENV SE_NODE_OVERRIDE_MAX_SESSIONS false
# Following line fixes https://github.com/SeleniumHQ/docker-selenium/issues/87
ENV DBUS_SESSION_BUS_ADDRESS=/dev/null

# Creating base directory for Xvfb
RUN sudo mkdir -p /tmp/.X11-unix && sudo chmod 1777 /tmp/.X11-unix

# Copying configuration script generator
COPY generate_config /opt/bin/generate_config
COPY --chown="${SEL_UID}:${SEL_GID}" generate_config /opt/bin/generate_config

EXPOSE 5900
8 changes: 4 additions & 4 deletions NodeChrome/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,6 @@ RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | gpg --d
COPY wrap_chrome_binary /opt/bin/wrap_chrome_binary
RUN /opt/bin/wrap_chrome_binary

USER 1200

#============================================
# Chrome webdriver
#============================================
Expand All @@ -52,8 +50,10 @@ RUN if [ ! -z "$CHROME_DRIVER_VERSION" ]; \
&& unzip /tmp/chromedriver_linux64.zip -d /opt/selenium \
&& rm /tmp/chromedriver_linux64.zip \
&& mv /opt/selenium/chromedriver-linux64/chromedriver /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION \
&& chmod 755 /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION \
&& sudo ln -fs /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION /usr/bin/chromedriver
&& fix-permissions /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION \
&& ln -fs /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION /usr/bin/chromedriver

USER ${SEL_UID}

#============================================
# Dumping Browser information for config
Expand Down
Loading

0 comments on commit 9f187e0

Please sign in to comment.