feat: changing owner while creating container for download support (#…

…2056)

Signed-off-by: Viet Nguyen Duc <[email protected]>

Base/Dockerfile

@@ -1,8 +1,19 @@
 FROM ubuntu:jammy-20231004
 LABEL authors="Selenium <[email protected]>"
 
+# Arguments to define the version of dependencies to download
 ARG VERSION
 ARG RELEASE=selenium-${VERSION}
+ARG OPENTELEMETRY_VERSION=1.31.0
+ARG GRPC_VERSION=1.59.0
+
+#Arguments to define the user running Selenium
+ARG SEL_USER=seluser
+ARG SEL_PASSWD=secret
+ARG SEL_UID=1200
+ARG SEL_GID=1201
+
+USER root
 #================================================
 # Customize sources for apt-get
 #================================================
@@ -33,6 +44,7 @@ RUN apt-get -qqy update \
     curl \
     supervisor \
     gnupg2 \
+    libnss3-tools \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/* \
   && sed -i 's/securerandom\.source=file:\/dev\/random/securerandom\.source=file:\/dev\/urandom/' ./usr/lib/jvm/java-11-openjdk-amd64/conf/security/java.security
 
@@ -45,64 +57,92 @@ RUN ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime && \
     dpkg-reconfigure -f noninteractive tzdata && \
     cat /etc/timezone
 
+#======================================
+# Configure environement
+#======================================
+ENV SEL_USER=${SEL_USER}
+ENV SEL_UID=${SEL_UID}
+ENV SEL_GID=${SEL_GID}
+ENV HOME=/home/${SEL_USER}
+ENV SEL_DIR=/opt/selenium
+ENV EXTERNAL_JARS=/external_jars
+ENV SE_DOWNLOAD_DIR=${HOME}/Downloads
+
+# Copy a script that we will use to correct permissions after running certain commands
+COPY fix-permissions /usr/local/bin/fix-permissions
+RUN chmod a+rx /usr/local/bin/fix-permissions
+
 #========================================
 # Add normal user and group with passwordless sudo
 #========================================
-RUN groupadd seluser \
-         --gid 1201 \
-  && useradd seluser \
-         --create-home \
-         --gid 1201 \
-         --shell /bin/bash \
-         --uid 1200 \
-  && usermod -a -G sudo seluser \
-  && echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \
-  && echo 'seluser:secret' | chpasswd
-ENV HOME=/home/seluser
+RUN echo "auth requisite pam_deny.so" >> /etc/pam.d/su \
+    && sed -i.bak -e 's/^%admin/#%admin/' /etc/sudoers \
+    && sed -i.bak -e 's/^%sudo/#%sudo/' /etc/sudoers \
+    && echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers
+
+RUN groupadd ${SEL_USER} \
+        --gid ${SEL_GID} \
+    && useradd ${SEL_USER} \
+        --no-log-init \
+        --create-home \
+        --gid ${SEL_GID} \
+        --shell /bin/bash \
+        --uid ${SEL_UID} \
+    && chmod g+w /etc/passwd \
+    && echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd
+
+#======================================
+# Create directories needed
+#======================================
+RUN mkdir -p ${HOME}/.mozilla ${HOME}/.cache \
+      ${SEL_DIR} ${SEL_DIR}/assets \
+      /var/run/supervisor /var/log/supervisor \
+      ${EXTERNAL_JARS} \
+      ${SE_DOWNLOAD_DIR}
 
 #======================================
 # Add Grid check script
 #======================================
-COPY check-grid.sh entry_point.sh /opt/bin/
+COPY --chown="${SEL_UID}:${SEL_GID}" check-grid.sh entry_point.sh /opt/bin/
 
 #======================================
 # Add Supervisor configuration file
 #======================================
 COPY supervisord.conf /etc
 
 #==========
-# Selenium & relaxing permissions for OpenShift and other non-sudo environments
+# Selenium
 #==========
-RUN  mkdir -p /opt/selenium /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
-  && touch /opt/selenium/config.toml \
-  && chmod -R 777 /opt/selenium /opt/selenium/assets /var/run/supervisor /var/log/supervisor /etc/passwd \
+RUN touch ${SEL_DIR}/config.toml \
   && wget --no-verbose https://github.com/SeleniumHQ/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \
-    -O /opt/selenium/selenium-server.jar \
-  && chgrp -R 0 /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
-  && chmod -R g=u /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
-  && setfacl -Rm u:seluser:rwx /opt /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor
+    -O ${SEL_DIR}/selenium-server.jar
 
 #=====
 # Download observability related jaegar jars and make them available in a separate directory
 # so that the container can skip downloading them everytime it comes up
 #=====
 RUN curl -fLo /tmp/cs https://github.com/coursier/launchers/raw/master/coursier \
-  && chmod +x /tmp/cs \
-  && mkdir -p /external_jars \
-  && chmod -R 775 /external_jars
+  && chmod +x /tmp/cs
 
-RUN /tmp/cs fetch --classpath --cache /external_jars \
-    io.opentelemetry:opentelemetry-exporter-otlp:1.31.0 \
-    io.opentelemetry:opentelemetry-exporter-jaeger:1.31.0 \
-    io.grpc:grpc-netty:1.59.0 > /external_jars/.classpath.txt
-
-RUN chmod 664 /external_jars/.classpath.txt
+RUN /tmp/cs fetch --classpath --cache ${EXTERNAL_JARS} \
+    io.opentelemetry:opentelemetry-exporter-otlp:${OPENTELEMETRY_VERSION} \
+    io.opentelemetry:opentelemetry-exporter-jaeger:${OPENTELEMETRY_VERSION} \
+    io.grpc:grpc-netty:${GRPC_VERSION} > ${EXTERNAL_JARS}/.classpath.txt
 RUN rm -fr /root/.cache/*
 
+# Change ownership of directories
+RUN chown -R "${SEL_USER}:${SEL_GID}" ${HOME} ${SEL_DIR} ${SEL_DIR}/assets ${EXTERNAL_JARS} ${SE_DOWNLOAD_DIR} /var/run/supervisor /var/log/supervisor \
+    && fix-permissions ${HOME} ${SEL_DIR} ${SEL_DIR}/assets ${EXTERNAL_JARS} ${SE_DOWNLOAD_DIR} /var/run/supervisor /var/log/supervisor
+
+#==========
+# Relaxing permissions for OpenShift and other non-sudo environments
+#==========
+RUN chmod g=u /etc/passwd
+
 #===================================================
 # Run the following commands as non-privileged user
 #===================================================
-USER 1200:1201
+USER ${SEL_UID}:${SEL_GID}
 
 # Boolean value, maps "--bind-host"
 ENV SE_BIND_HOST false

Base/entry_point.sh

@@ -1,4 +1,9 @@
 #!/usr/bin/env bash
+_log () {
+    if [[ "$*" == "ERROR:"* ]] || [[ "$*" == "WARNING:"* ]] || [[ "${CONTAINER_LOGS_QUIET}" == "" ]]; then
+        echo "$@"
+    fi
+}
 
 #==============================================
 # OpenShift or non-sudo environments support
@@ -7,10 +12,39 @@
 
 if ! whoami &> /dev/null; then
   if [ -w /etc/passwd ]; then
-    echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+    echo "${USER_NAME:-${SEL_USER}}:x:$(id -u):0:${USER_NAME:-${SEL_USER}} user:${HOME}:${SE_DOWNLOAD_DIR}:/var:/opt:/sbin/nologin" >> /etc/passwd
   fi
 fi
 
+MKDIR_EXTRA=${SE_DOWNLOAD_DIR}","${MKDIR_EXTRA}
+CHOWN_EXTRA=${MKDIR_EXTRA}","${CHOWN_EXTRA}
+
+if [ -n "${MKDIR_EXTRA}" ]; then
+    for extra_dir in $(echo "${MKDIR_EXTRA}" | tr ',' ' '); do
+        _log "Creating directory ${extra_dir} ${MKDIR_EXTRA_OPTS:+(mkdir options: ${MKDIR_EXTRA_OPTS})}"
+        # shellcheck disable=SC2086
+        sudo mkdir ${MKDIR_EXTRA_OPTS:-"-p"} "${extra_dir}"
+    done
+fi
+
+if [ -n "${CHOWN_EXTRA}" ]; then
+    for extra_dir in $(echo "${CHOWN_EXTRA}" | tr ',' ' '); do
+        _log "Changing ${extra_dir} ownership. ${extra_dir} is owned by ${SEL_USER} ${CHOWN_EXTRA_OPTS:+(chown options: ${CHOWN_EXTRA_OPTS})}"
+        # shellcheck disable=SC2086
+        sudo chown ${CHOWN_EXTRA_OPTS:-"-R"} "${SEL_UID}:${SEL_GID}" "${extra_dir}"
+        sudo -E fix-permissions "${extra_dir}"
+    done
+fi
+
+# Raise error if the user isn't able to write files to download dir
+if [ -n "${CHOWN_EXTRA}" ]; then
+    for extra_dir in $(echo "${CHOWN_EXTRA}" | tr ',' ' '); do
+        if [[ ! -w ${extra_dir} ]]; then
+            _log "ERROR: no write access to download dir ${SE_DOWNLOAD_DIR}. Please correct the permissions and restart."
+        fi
+    done
+fi
+
 /usr/bin/supervisord --configuration /etc/supervisord.conf &
 
 SUPERVISOR_PID=$!

Base/fix-permissions

@@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+# Run this with USER root only
+for d in "$@"; do
+    find "${d}" \
+        ! \( \
+            -group "${SEL_GID}" \
+            -a -perm -g+rwX \
+        \) \
+        -exec chgrp -R "${SEL_GID}" -- {} \+ \
+        -exec chmod -R g+rwX -- {} \+
+    # setuid, setgid *on directories only*
+    find "${d}" \
+        \( \
+            -type d \
+            -a ! -perm -6000 \
+        \) \
+        -exec chmod -R +6000 -- {} \+
+    # Relaxing permissions for OpenShift and other non-sudo environments
+    chmod -R u+x "${d}"
+    chgrp -R 0 "${d}"
+    chmod -R g=u "${d}"
+done

Distributor/Dockerfile

@@ -4,15 +4,15 @@ ARG AUTHORS
 FROM ${NAMESPACE}/base:${VERSION}
 LABEL authors=${AUTHORS}
 
-USER 1200
+USER ${SEL_UID}
 
 #========================
 # Selenium Distributor Configuration
 #========================
 
 EXPOSE 5553
 
-COPY start-selenium-grid-distributor.sh \
+COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-grid-distributor.sh \
     /opt/bin/
 
 COPY selenium-grid-distributor.conf /etc/supervisor/conf.d/

EventBus/Dockerfile

@@ -4,7 +4,7 @@ ARG AUTHORS
 FROM ${NAMESPACE}/base:${VERSION}
 LABEL authors=${AUTHORS}
 
-USER 1200
+USER ${SEL_UID}
 
 #=================================
 # Selenium Event Bus Configuration
@@ -17,7 +17,7 @@ EXPOSE 4443
 # Event Bus port
 EXPOSE 5557
 
-COPY start-selenium-grid-eventbus.sh \
+COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-grid-eventbus.sh \
     /opt/bin/
 
 COPY selenium-grid-eventbus.conf /etc/supervisor/conf.d/

Hub/Dockerfile

@@ -4,7 +4,7 @@ ARG AUTHORS
 FROM ${NAMESPACE}/base:${VERSION}
 LABEL authors=${AUTHORS}
 
-USER 1200
+USER ${SEL_UID}
 
 #========================
 # Selenium Hub Configuration
@@ -21,7 +21,7 @@ ENV SE_SESSION_RETRY_INTERVAL 15
 # Boolean value, maps "--relax-checks"
 ENV SE_RELAX_CHECKS true
 
-COPY start-selenium-grid-hub.sh \
+COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-grid-hub.sh \
     /opt/bin/
 
 COPY selenium-grid-hub.conf /etc/supervisor/conf.d/

NodeBase/Dockerfile

@@ -112,16 +112,31 @@ RUN  wget -nv -O noVNC.zip \
 #=========================================================================================================================================
 RUN chmod +x /dev/shm
 
+# Creating base directory for Xvfb
+RUN mkdir -p /tmp/.X11-unix && \
+    fix-permissions /tmp/.X11-unix
+
+#==============================
+# Generating the VNC password based on the ${SE_VNC_PASSWORD}
+# Changing ownership to ${SEL_USER}, so the service can be started
+#==============================
+
+ENV SE_VNC_PASSWORD=secret
+RUN mkdir -p ${HOME}/.vnc \
+    && x11vnc -storepasswd ${SE_VNC_PASSWORD} ${HOME}/.vnc/passwd \
+    && chown -R "${SEL_UID}:${SEL_GID}" ${HOME}/.vnc \
+    && fix-permissions ${HOME}/.vnc
+
 #===================================================
 # Run the following commands as non-privileged user
 #===================================================
 
-USER 1200
+USER ${SEL_UID}
 
 #==============================
 # Scripts to run Selenium Node and XVFB
 #==============================
-COPY start-selenium-node.sh \
+COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-node.sh \
       start-xvfb.sh \
       /opt/bin/
 
@@ -130,25 +145,10 @@ COPY start-selenium-node.sh \
 #==============================
 COPY selenium.conf /etc/supervisor/conf.d/
 
-#==============================
-# Generating the VNC password as seluser
-# So the service can be started with seluser
-#==============================
-
-RUN mkdir -p ${HOME}/.vnc \
-  && x11vnc -storepasswd secret ${HOME}/.vnc/passwd
-
-#==========
-# Relaxing permissions for OpenShift and other non-sudo environments
-#==========
-RUN sudo chmod -R 775 ${HOME} \
-  && sudo chgrp -R 0 ${HOME} \
-  && sudo chmod -R g=u ${HOME}
-
 #==============================
 # Scripts to run fluxbox, x11vnc and noVNC
 #==============================
-COPY start-vnc.sh \
+COPY --chown="${SEL_UID}:${SEL_GID}" start-vnc.sh \
       start-novnc.sh \
       /opt/bin/
 
@@ -180,8 +180,6 @@ ENV SE_DRAIN_AFTER_SESSION_COUNT 0
 # Setting Selenium Manager to work offline
 ENV SE_OFFLINE true
 
-
-
 #========================
 # Selenium Configuration
 #========================
@@ -195,10 +193,7 @@ ENV SE_NODE_OVERRIDE_MAX_SESSIONS false
 # Following line fixes https://github.com/SeleniumHQ/docker-selenium/issues/87
 ENV DBUS_SESSION_BUS_ADDRESS=/dev/null
 
-# Creating base directory for Xvfb
-RUN  sudo mkdir -p /tmp/.X11-unix && sudo chmod 1777 /tmp/.X11-unix
-
 # Copying configuration script generator
-COPY generate_config /opt/bin/generate_config
+COPY --chown="${SEL_UID}:${SEL_GID}" generate_config /opt/bin/generate_config
 
 EXPOSE 5900

NodeChrome/Dockerfile

@@ -29,8 +29,6 @@ RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | gpg --d
 COPY wrap_chrome_binary /opt/bin/wrap_chrome_binary
 RUN /opt/bin/wrap_chrome_binary
 
-USER 1200
-
 #============================================
 # Chrome webdriver
 #============================================
@@ -52,8 +50,10 @@ RUN if [ ! -z "$CHROME_DRIVER_VERSION" ]; \
   && unzip /tmp/chromedriver_linux64.zip -d /opt/selenium \
   && rm /tmp/chromedriver_linux64.zip \
   && mv /opt/selenium/chromedriver-linux64/chromedriver /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION \
-  && chmod 755 /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION \
-  && sudo ln -fs /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION /usr/bin/chromedriver
+  && fix-permissions /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION \
+  && ln -fs /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION /usr/bin/chromedriver
+
+USER ${SEL_UID}
 
 #============================================
 # Dumping Browser information for config