Merge pull request #466 from carbonin/dont_run_app_as_root

Don't run the app as root (cherry picked from commit 4208109)
ManageIQ · May 1, 2020 · fbc1931 · fbc1931
1 parent 6a74bd0
commit fbc1931
Show file tree

Hide file tree

Showing 8 changed files with 9 additions and 53 deletions.
diff --git a/README.md b/README.md
@@ -46,25 +46,6 @@ _**Note:**_ This section assumes you have a basic user.
 $ oc new-project <project_name>
 ```
 
-### Add the anyuid and orchestrator service accounts to the anyuid security context
-
-_**Note:**_ The current MIQ images require the root user.
-
-These service accounts for your namespace (project) must be added to the anyuid SCC before pods using the service accounts can run as root.
-
-_**As admin**_
-
-```bash
-$ oc adm policy add-scc-to-user anyuid system:serviceaccount:<your-namespace>:<app-name>-anyuid
-$ oc adm policy add-scc-to-user anyuid system:serviceaccount:<your-namespace>:<app-name>-orchestrator
-```
-
-Verify that the service accounts are now included in the anyuid scc
-```
-$ oc describe scc anyuid | grep Users
-Users:					system:serviceaccount:<your-namespace>:miq-anyuid,system:serviceaccount:<your-namespace>:miq-orchestrator
-```
-
 ### Set up the httpd service account
 
 #### If running without OCI systemd hooks (Minishift)
@@ -212,7 +193,7 @@ $ oc describe pods | egrep "^Name:|openshift.io/scc"
 Name:               httpd-754985464b-4dzzx
 Annotations:        openshift.io/scc=anyuid
 Name:               manageiq-orchestrator-5997776478-vx4v9
-Annotations:        openshift.io/scc=anyuid
+Annotations:        openshift.io/scc=restricted
 Name:               memcached-696479b955-67fs6
 Annotations:        openshift.io/scc=restricted
 Name:               postgresql-5f954fdbd5-tnlmf

diff --git a/bin/deploy_on_minishift b/bin/deploy_on_minishift
@@ -30,20 +30,6 @@ then
 	$(oc new-project $project >/dev/null)
 fi
 
-$(oc describe scc anyuid | grep Users | awk '{print $2}' | grep -q $project:miq-anyuid)
-if [ $? -ne 0 ];
-then
-	echo "Assigning SCC anyuid to miq-anyuid Service Account..."
-	$(oc adm policy add-scc-to-user anyuid system:serviceaccount:$project:miq-anyuid >/dev/null)
-fi
-
-$(oc describe scc anyuid | grep Users | awk '{print $2}' | grep -q miq-orchestrator)
-if [ $? -ne 0 ];
-then
-	echo "Assigning SCC anyuid to miq-orchestrator Service Account..."
-	$(oc adm policy add-scc-to-user anyuid system:serviceaccount:$project:miq-orchestrator >/dev/null)
-fi
-
 $(oc get scc miq-sysadmin >/dev/null 2>&1)
 if [ $? -ne 0 ];
 then

diff --git a/bin/teardown b/bin/teardown
@@ -9,7 +9,6 @@ oc get pvc -o name |xargs oc delete
 oc delete secret -l app=$APP_NAME
 oc delete secret tls-secret
 
-oc delete serviceaccount $APP_NAME-anyuid
 oc delete serviceaccount $APP_NAME-orchestrator
 oc delete serviceaccount $APP_NAME-httpd
 

diff --git a/images/manageiq-base/Dockerfile b/images/manageiq-base/Dockerfile
@@ -156,6 +156,9 @@ RUN source /etc/default/evm && \
     rm -rvf ${APP_ROOT}/tmp/cache/assets && \
     rm -vf ${APP_ROOT}/log/*.log
 
+RUN chgrp -R 0 $APP_ROOT && \
+    chmod -R g=u $APP_ROOT
+
 ADD container-assets/container_env ${APP_ROOT}
 
 RUN wget -O /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_${ARCH} && \

diff --git a/images/manageiq-ui-worker/Dockerfile b/images/manageiq-ui-worker/Dockerfile
@@ -54,4 +54,9 @@ RUN source /etc/default/evm && \
     rm -vf ${APP_ROOT}/log/*.log
 
 
+# Configure httpd to run without root privileges
+RUN chgrp root /var/run/httpd && chmod g+rwx /var/run/httpd && \
+    chgrp root /var/log/httpd && chmod g+rwx /var/log/httpd
+RUN sed -i '/^Listen 80/d' /etc/httpd/conf/httpd.conf
+
 COPY container-assets/manageiq-http.conf /etc/httpd/conf.d
diff --git a/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go b/manageiq-operator/pkg/controller/manageiq/manageiq_controller.go
@@ -327,11 +327,6 @@ func (r *ReconcileManageIQ) generateRbacResources(cr *miqv1alpha1.ManageIQ) erro
 		return err
 	}
 
-	anyuidServiceAccount := miqtool.AnyuidServiceAccount(cr)
-	if err := r.createk8sResIfNotExist(cr, anyuidServiceAccount, &corev1.ServiceAccount{}); err != nil {
-		return err
-	}
-
 	return nil
 }
 

diff --git a/manageiq-operator/pkg/helpers/miq-components/rbac.go b/manageiq-operator/pkg/helpers/miq-components/rbac.go
@@ -25,15 +25,6 @@ func OrchestratorServiceAccount(cr *miqv1alpha1.ManageIQ) *corev1.ServiceAccount
 	}
 }
 
-func AnyuidServiceAccount(cr *miqv1alpha1.ManageIQ) *corev1.ServiceAccount {
-	return &corev1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      cr.Spec.AppName + "-anyuid",
-			Namespace: cr.ObjectMeta.Namespace,
-		},
-	}
-}
-
 func OrchestratorRole(cr *miqv1alpha1.ManageIQ) *rbacv1.Role {
 	return &rbacv1.Role{
 		ObjectMeta: metav1.ObjectMeta{

diff --git a/templates/app/rbac.yaml b/templates/app/rbac.yaml
@@ -7,10 +7,6 @@ objects:
   kind: ServiceAccount
   metadata:
     name: "${APP_NAME}-orchestrator"
-- apiVersion: v1
-  kind: ServiceAccount
-  metadata:
-    name: "${APP_NAME}-anyuid"
 - apiVersion: v1
   kind: ServiceAccount
   metadata: