From 7d74d4fecd3bcce3c616cb56a9b447b1be8788bb Mon Sep 17 00:00:00 2001
From: Viet Nguyen Duc
Date: Wed, 13 Dec 2023 16:26:22 +0530
Subject: [PATCH] bug: ENV variable SE_VNC_PASSWORD contains sensitive data (#2061)

Signed-off-by: Viet Nguyen Duc
---
 Base/Dockerfile | 8 +++++---
 NodeBase/Dockerfile | 20 ++++++++++----------
 NodeChrome/Dockerfile | 2 +-
 NodeDocker/Dockerfile | 2 +-
 NodeEdge/Dockerfile | 2 +-
 README.md | 2 +-
 charts/selenium-grid/README.md | 2 +-
 7 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/Base/Dockerfile b/Base/Dockerfile
index f3716b9ec..6bda097b7 100644
--- a/Base/Dockerfile
+++ b/Base/Dockerfile
@@ -4,8 +4,9 @@ LABEL authors="Selenium "
 # Arguments to define the version of dependencies to download
 ARG VERSION
 ARG RELEASE=selenium-${VERSION}
-ARG OPENTELEMETRY_VERSION=1.31.0
-ARG GRPC_VERSION=1.60.0
+# Default value should be aligned with upstream Selenium (https://github.com/SeleniumHQ/selenium/blob/trunk/java/maven_deps.bzl)
+ARG OPENTELEMETRY_VERSION=1.28.0
+ARG GRPC_VERSION=1.57.1
 
 #Arguments to define the user running Selenium
 ARG SEL_USER=seluser
@@ -115,7 +116,8 @@ COPY supervisord.conf /etc
 #==========
 RUN touch ${SEL_DIR}/config.toml \
   && wget --no-verbose https://github.com/SeleniumHQ/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \
-    -O ${SEL_DIR}/selenium-server.jar
+    -O ${SEL_DIR}/selenium-server.jar \
+  && echo "${SEL_PASSWD}" > ${SEL_DIR}/initialPasswd
 
 #=====
 # Download observability related jaegar jars and make them available in a separate directory
diff --git a/NodeBase/Dockerfile b/NodeBase/Dockerfile
index ed42d66c0..b5770fb0a 100644
--- a/NodeBase/Dockerfile
+++ b/NodeBase/Dockerfile
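Review bot: The added `&& echo "${SEL_PASSWD}" > ${SEL_DIR}/initialPasswd` in the second Base/Dockerfile hunk bakes the VNC password into an image layer, so the value is still recoverable by anyone who can pull the image, and if SEL_PASSWD is a build ARG declared earlier in this file (it is not visible in the hunk) the RUN instruction that expands it is also shown by `docker history`; the commit removes the value from the ENV but not from the image. Writing it as `&& printf '%s\n' "${SEL_PASSWD}" > "${SEL_DIR}/initialPasswd" && chmod 600 "${SEL_DIR}/initialPasswd"` avoids echo's option and escape handling on an operator-supplied value and keeps the file owner-only, but the real fix is to generate or rotate the password at container start rather than at build time. The Dockerfile should also carry a comment stating that initialPasswd is a build-time default and must not be treated as a secret, since downstream images consume it as plaintext.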
@@ -4,13 +4,16 @@ ARG AUTHORS
 FROM ${NAMESPACE}/base:${VERSION}
 LABEL authors=${AUTHORS}
 
+ARG NOVNC_VERSION="1.4.0"
+ARG WEBSOCKIFY_VERSION="0.11.0"
+
 USER root
 
 #==============
 # Xvfb
 #==============
 RUN apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
   xvfb \
   pulseaudio \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
@@ -40,7 +43,7 @@ RUN apt-get -qqy update \
 # VNC
 #=====
 RUN apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
   x11vnc \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
@@ -49,7 +52,7 @@ RUN apt-get update -qqy \
 # A fast, lightweight and responsive window manager
 #=========
 RUN apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
   fluxbox \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
@@ -92,8 +95,6 @@ RUN apt-get -qqy update \
 ########################################
 # noVNC exposes VNC through a web page #
 ########################################
-ENV NOVNC_VERSION="1.4.0" \
-    WEBSOCKIFY_VERSION="0.11.0"
 RUN wget -nv -O noVNC.zip \
   "https://github.com/novnc/noVNC/archive/refs/tags/v${NOVNC_VERSION}.zip" \
   && unzip -x noVNC.zip \
@@ -104,8 +105,8 @@ RUN wget -nv -O noVNC.zip \
   "https://github.com/novnc/websockify/archive/refs/tags/v${WEBSOCKIFY_VERSION}.zip" \
   && unzip -x websockify.zip \
   && rm websockify.zip \
-  && rm -rf websockify-${WEBSOCKIFY_VERSION}/tests \
-  && mv websockify-${WEBSOCKIFY_VERSION} /opt/bin/noVNC/utils/websockify
+  && mv websockify-${WEBSOCKIFY_VERSION} /opt/bin/noVNC/utils/websockify \
+  && rm -rf /opt/bin/noVNC/utils/websockify/docker /opt/bin/noVNC/utils/websockify/tests
 
 #=========================================================================================================================================
 # Run this command for executable file permissions for /dev/shm when this is a "child" container running in Docker Desktop and WSL2 distro
@@ -117,13 +118,12 @@ RUN mkdir -p /tmp/.X11-unix && \
   fix-permissions /tmp/.X11-unix
 
 #==============================
-# Generating the VNC password based on the ${SE_VNC_PASSWORD}
+# Generating the VNC password using initial password in Base image
 # Changing ownership to ${SEL_USER}, so the service can be started
 #==============================
-ENV SE_VNC_PASSWORD=secret
 RUN mkdir -p ${HOME}/.vnc \
-  && x11vnc -storepasswd ${SE_VNC_PASSWORD} ${HOME}/.vnc/passwd \
+  && x11vnc -storepasswd $(cat ${SEL_DIR}/initialPasswd) ${HOME}/.vnc/passwd \
   && chown -R "${SEL_UID}:${SEL_GID}" ${HOME}/.vnc \
   && fix-permissions ${HOME}/.vnc
 
diff --git a/NodeChrome/Dockerfile b/NodeChrome/Dockerfile
index 3282a3d05..e52dd5798 100644
--- a/NodeChrome/Dockerfile
+++ b/NodeChrome/Dockerfile
@@ -18,7 +18,7 @@ ARG CHROME_VERSION="google-chrome-stable"
 RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | gpg --dearmor | tee /etc/apt/trusted.gpg.d/google.gpg >/dev/null \
   && echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list \
   && apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
   ${CHROME_VERSION:-google-chrome-stable} \
   && rm /etc/apt/sources.list.d/google-chrome.list \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
diff --git a/NodeDocker/Dockerfile b/NodeDocker/Dockerfile
index e7d8e0d35..b65820cec 100644
--- a/NodeDocker/Dockerfile
+++ b/NodeDocker/Dockerfile
@@ -10,7 +10,7 @@ USER root
 # Socat to proxy docker.sock when mounted
 #==============
 RUN apt-get update -qqy \
-  && apt-get -qqy install socat \
+  && apt-get -qqy --no-install-recommends install socat \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
 USER ${SEL_UID}
diff --git a/NodeEdge/Dockerfile b/NodeEdge/Dockerfile
index adadec9d5..2e3c781e8 100644
--- a/NodeEdge/Dockerfile
+++ b/NodeEdge/Dockerfile
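Review bot: In the NodeBase/Dockerfile hunk, `x11vnc -storepasswd $(cat ${SEL_DIR}/initialPasswd) ${HOME}/.vnc/passwd` leaves the command substitution unquoted, so a password containing whitespace or glob characters is word-split by /bin/sh before x11vnc sees it and a different password (or a wrong argument count) is stored; quote it as `&& x11vnc -storepasswd "$(cat "${SEL_DIR}/initialPasswd")" "${HOME}/.vnc/passwd" \`. The plaintext initialPasswd file inherited from the base image also stays in this image after it has been consumed and is not covered by the `chown`/`fix-permissions` that only touch `${HOME}/.vnc`, so if nothing later reads it, remove it in the same RUN (`&& rm -f "${SEL_DIR}/initialPasswd"`), otherwise document in the section comment that it is a build-time default and not a secret. Dropping `ENV SE_VNC_PASSWORD=secret` means any start script that still reads SE_VNC_PASSWORD at runtime now sees it unset unless the operator provides it; those scripts are outside this diff and worth checking.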
@@ -16,7 +16,7 @@ ARG EDGE_VERSION="microsoft-edge-stable"
 RUN wget -q -O - https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg >/dev/null \
   && echo "deb https://packages.microsoft.com/repos/edge stable main" >> /etc/apt/sources.list.d/microsoft-edge.list \
   && apt-get update -qqy \
-  && apt-get -qqy install ${EDGE_VERSION} \
+  && apt-get -qqy --no-install-recommends install ${EDGE_VERSION} \
   && rm /etc/apt/sources.list.d/microsoft-edge.list \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
diff --git a/README.md b/README.md
index b5e8e9cbd..56287ac3a 100644
--- a/README.md
+++ b/README.md
@@ -1302,7 +1302,7 @@ that directory because it is running under the user `seluser`.
 This happens because that is how Docker mounts volumes in Linux, more details in this [issue](https://github.com/moby/moby/issues/2259).
-There was a fix in this [feature](https://github.com/SeleniumHQ/docker-selenium/issues/1947)
+There was a fix in this feature [#1947](https://github.com/SeleniumHQ/docker-selenium/issues/1947)
 that changed ownership when staring the container.
 You are able to configure browser with another download directory and mount the host with it in container by overriding `SE_DOWNLOAD_DIR`.
diff --git a/charts/selenium-grid/README.md b/charts/selenium-grid/README.md
index 36695472a..524b497b5 100644
--- a/charts/selenium-grid/README.md
+++ b/charts/selenium-grid/README.md
@@ -81,7 +81,7 @@ helm uninstall selenium-grid
 
 ## Ingress Configuration
 
-By default, ingress is enabled without annotations set. If NGINX ingress controller is used, you need to set few annotations to override the default timeout values to avoid 504 errors (see #1808). Since in Selenium Grid the default of `SE_NODE_SESSION_TIMEOUT` and `SE_SESSION_REQUEST_TIMEOUT` is `300` seconds.
+By default, ingress is enabled without annotations set. If NGINX ingress controller is used, you need to set few annotations to override the default timeout values to avoid 504 errors (see [#1808](https://github.com/SeleniumHQ/docker-selenium/issues/1808)). Since in Selenium Grid the default of `SE_NODE_SESSION_TIMEOUT` and `SE_SESSION_REQUEST_TIMEOUT` is `300` seconds.
 
 In order to make user experience better, there are few annotations will be set by default if NGINX ingress controller is used. Mostly relates to timeouts and buffer sizes.