revert: changing owner while creating container for download support

Signed-off-by: Viet Nguyen Duc <nguyenducviet4496@gmail.com>
SeleniumHQ · Dec 17, 2023 · da6fbb1 · da6fbb1
1 parent 56fc22a
commit da6fbb1
Show file tree

Hide file tree

Showing 9 changed files with 85 additions and 201 deletions.
diff --git a/Base/Dockerfile b/Base/Dockerfile
@@ -10,9 +10,10 @@ ARG GRPC_VERSION=1.57.1
 
 #Arguments to define the user running Selenium
 ARG SEL_USER=seluser
+ARG SEL_GROUP=${SEL_USER}
 ARG SEL_PASSWD=secret
-ARG SEL_UID=1200
-ARG SEL_GID=1201
+ARG UID=1200
+ARG GID=1201
 
 USER root
 #================================================
@@ -62,44 +63,26 @@ RUN ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime && \
 # Configure environement
 #======================================
 ENV SEL_USER=${SEL_USER}
-ENV SEL_UID=${SEL_UID}
-ENV SEL_GID=${SEL_GID}
+ENV SEL_UID=${UID}
+ENV SEL_GID=${GID}
 ENV HOME=/home/${SEL_USER}
 ENV SEL_DIR=/opt/selenium
 ENV EXTERNAL_JARS=/external_jars
-ENV SE_DOWNLOAD_DIR=${HOME}/Downloads
-
-# Copy a script that we will use to correct permissions after running certain commands
-COPY fix-permissions /usr/local/bin/fix-permissions
-RUN chmod a+rx /usr/local/bin/fix-permissions
+ENV SEL_DOWNLOAD_DIR=${HOME}/Downloads
 
 #========================================
 # Add normal user and group with passwordless sudo
 #========================================
-RUN echo "auth requisite pam_deny.so" >> /etc/pam.d/su \
-    && sed -i.bak -e 's/^%admin/#%admin/' /etc/sudoers \
-    && sed -i.bak -e 's/^%sudo/#%sudo/' /etc/sudoers \
-    && echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers
-
-RUN groupadd ${SEL_USER} \
-        --gid ${SEL_GID} \
-    && useradd ${SEL_USER} \
-        --no-log-init \
-        --create-home \
-        --gid ${SEL_GID} \
-        --shell /bin/bash \
-        --uid ${SEL_UID} \
-    && chmod g+w /etc/passwd \
-    && echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd
-
-#======================================
-# Create directories needed
-#======================================
-RUN mkdir -p ${HOME}/.mozilla ${HOME}/.cache \
-      ${SEL_DIR} ${SEL_DIR}/assets \
-      /var/run/supervisor /var/log/supervisor \
-      ${EXTERNAL_JARS} \
-      ${SE_DOWNLOAD_DIR}
+RUN groupadd ${SEL_GROUP} \
+         --gid ${SEL_GID} \
+  && useradd ${SEL_USER} \
+         --create-home \
+         --gid ${SEL_GID} \
+         --shell /bin/bash \
+         --uid ${SEL_UID} \
+  && usermod -a -G sudo ${SEL_USER} \
+  && echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \
+  && echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd
 
 #======================================
 # Add Grid check script
@@ -112,39 +95,42 @@ COPY --chown="${SEL_UID}:${SEL_GID}" check-grid.sh entry_point.sh /opt/bin/
 COPY supervisord.conf /etc
 
 #==========
-# Selenium
+# Selenium & relaxing permissions for OpenShift and other non-sudo environments
 #==========
-RUN touch ${SEL_DIR}/config.toml \
+RUN mkdir -p ${SEL_DIR} ${SEL_DIR}/assets /var/run/supervisor /var/log/supervisor ${SEL_DOWNLOAD_DIR} ${HOME}/.mozilla ${HOME}/.vnc \
+  && touch ${SEL_DIR}/config.toml \
+  && chown -R ${SEL_USER}:${SEL_GROUP} ${SEL_DIR} /var/run/supervisor /var/log/supervisor /etc/passwd ${HOME} \
+  && chmod -R 775 ${SEL_DIR} /var/run/supervisor /var/log/supervisor /etc/passwd ${HOME} \
   && wget --no-verbose https://github.com/SeleniumHQ/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \
     -O ${SEL_DIR}/selenium-server.jar \
-  && echo "${SEL_PASSWD}" > ${SEL_DIR}/initialPasswd
+  && echo "${SEL_PASSWD}" > ${SEL_DIR}/initialPasswd \
+  && chgrp -R 0 ${SEL_DIR} ${HOME} ${SEL_DIR}/assets /var/run/supervisor /var/log/supervisor \
+  && chmod -R g=u ${SEL_DIR} ${HOME} ${SEL_DIR}/assets /var/run/supervisor /var/log/supervisor \
+  && setfacl -Rm u:${SEL_USER}:rwx /opt ${SEL_DIR} ${HOME} ${SEL_DIR}/assets /var/run/supervisor /var/log/supervisor \
+  && setfacl -Rm g:${SEL_GROUP}:rwx /opt ${SEL_DIR} ${HOME} ${SEL_DIR}/assets /var/run/supervisor /var/log/supervisor
 
 #=====
 # Download observability related jaegar jars and make them available in a separate directory
 # so that the container can skip downloading them everytime it comes up
 #=====
 RUN curl -fLo /tmp/cs https://github.com/coursier/launchers/raw/master/coursier \
-  && chmod +x /tmp/cs
+  && chmod +x /tmp/cs \
+  && mkdir -p ${EXTERNAL_JARS} \
+  && chmod -R 775 ${EXTERNAL_JARS}
 
 RUN /tmp/cs fetch --classpath --cache ${EXTERNAL_JARS} \
     io.opentelemetry:opentelemetry-exporter-otlp:${OPENTELEMETRY_VERSION} \
     io.opentelemetry:opentelemetry-exporter-jaeger:${OPENTELEMETRY_VERSION} \
     io.grpc:grpc-netty:${GRPC_VERSION} > ${EXTERNAL_JARS}/.classpath.txt
-RUN rm -fr /root/.cache/*
 
-# Change ownership of directories
-RUN fix-permissions ${HOME} ${SEL_DIR} ${SEL_DIR}/assets ${EXTERNAL_JARS} ${SE_DOWNLOAD_DIR} /var/run/supervisor /var/log/supervisor
-
-#==========
-# Relaxing permissions for OpenShift and other non-sudo environments
-#==========
-RUN chmod g=u /etc/passwd
+RUN chmod 664 ${EXTERNAL_JARS}/.classpath.txt
+RUN rm -fr /root/.cache/*
 
 #===================================================
 # Run the following commands as non-privileged user
 #===================================================
 USER ${SEL_UID}:${SEL_GID}
-VOLUME ${SE_DOWNLOAD_DIR}
+VOLUME ${SEL_DOWNLOAD_DIR}
 
 # Boolean value, maps "--bind-host"
 ENV SE_BIND_HOST false

diff --git a/Base/entry_point.sh b/Base/entry_point.sh
@@ -1,34 +1,14 @@
 #!/usr/bin/env bash
-_log () {
-    if [[ "$*" == "ERROR:"* ]] || [[ "$*" == "WARNING:"* ]] || [[ "${CONTAINER_LOGS_QUIET}" == "" ]]; then
-        echo "$@"
-    fi
-}
 
-# If the container started as the root user
-if [ "$(id -u)" == 0 ]; then
-    fix-permissions "${SE_DOWNLOAD_DIR}"
-elif [ "$(id -u)" == "$(id -u ${SEL_USER})" ] && [ "$(id -g)" == "$(id -g ${SEL_USER})" ]; then
-    # Trust SEL_USER is the desired non-root user to execute with sudo
-    sudo -E fix-permissions "${SE_DOWNLOAD_DIR}"
-else
-    # For non-root user to change ownership
-    # Relaxing permissions for OpenShift and other non-sudo environments
-    # (https://docs.openshift.com/container-platform/latest/openshift_images/create-images.html#use-uid_create-images)
-    if ! whoami &> /dev/null; then
-        _log "There is no entry in /etc/passwd for our UID=$(id -u). Attempting to fix..."
-        if [ -w /etc/passwd ]; then
-            _log "Renaming user to ${USER_NAME:-default} ($(id -u):$(id -g)"
-            # We cannot use "sed --in-place" since sed tries to create a temp file in
-            # /etc/ and we may not have write access. Apply sed on our own temp file:
-            sed --expression="s/^${SEL_USER}:/${USER_NAME:-default}:/" /etc/passwd > /tmp/passwd
-            echo "${USER_NAME:-default}:x:$(id -u):$(id -g):${USER_NAME:-default} user:${HOME}:/bin/bash" >> /tmp/passwd
-            cat /tmp/passwd > /etc/passwd
-            rm /tmp/passwd
-            _log "Added new ${USER_NAME:-default} user ($(id -u):$(id -g)). Fixed UID!"
-        fi
-    fi
-    fix-permissions "${SE_DOWNLOAD_DIR}"
+#==============================================
+# OpenShift or non-sudo environments support
+# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
+#==============================================
+
+if ! whoami &> /dev/null; then
+  if [ -w /etc/passwd ]; then
+    echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+  fi
 fi
 
 /usr/bin/supervisord --configuration /etc/supervisord.conf &

diff --git a/Base/fix-permissions b/Base/fix-permissions
diff --git a/NodeBase/Dockerfile b/NodeBase/Dockerfile
@@ -114,8 +114,7 @@ RUN  wget -nv -O noVNC.zip \
 RUN chmod +x /dev/shm
 
 # Creating base directory for Xvfb
-RUN mkdir -p /tmp/.X11-unix && \
-    fix-permissions /tmp/.X11-unix
+RUN mkdir -p /tmp/.X11-unix
 
 #==============================
 # Generating the VNC password using initial password in Base image
@@ -124,8 +123,14 @@ RUN mkdir -p /tmp/.X11-unix && \
 
 RUN mkdir -p ${HOME}/.vnc \
     && x11vnc -storepasswd $(cat ${SEL_DIR}/initialPasswd) ${HOME}/.vnc/passwd \
-    && chown -R "${SEL_UID}:${SEL_GID}" ${HOME}/.vnc \
-    && fix-permissions ${HOME}/.vnc
+    && chown -R "${SEL_USER}:${SEL_GROUP}" ${HOME}/.vnc
+
+#==========
+# Relaxing permissions for OpenShift and other non-sudo environments
+#==========
+RUN chmod -R 775 ${HOME} /tmp/.X11-unix \
+  && chgrp -R 0 ${HOME} /tmp/.X11-unix \
+  && chmod -R g=u ${HOME} /tmp/.X11-unix
 
 #===================================================
 # Run the following commands as non-privileged user
@@ -172,7 +177,7 @@ ENV SE_VNC_PORT 5900
 ENV DISPLAY :99.0
 ENV DISPLAY_NUM 99
 # Path to the Configfile
-ENV CONFIG_FILE=/opt/selenium/config.toml
+ENV CONFIG_FILE=${SEL_DIR}/config.toml
 ENV GENERATE_CONFIG true
 # Drain the Node after N sessions. 
 # A value higher than zero enables the feature

diff --git a/NodeChrome/Dockerfile b/NodeChrome/Dockerfile
@@ -46,17 +46,18 @@ RUN if [ ! -z "$CHROME_DRIVER_VERSION" ]; \
   && echo "Using ChromeDriver from: "$CHROME_DRIVER_URL \
   && echo "Using ChromeDriver version: "$CHROME_DRIVER_VERSION \
   && wget --no-verbose -O /tmp/chromedriver_linux64.zip $CHROME_DRIVER_URL \
-  && rm -rf /opt/selenium/chromedriver \
-  && unzip /tmp/chromedriver_linux64.zip -d /opt/selenium \
+  && rm -rf ${SEL_DIR}/chromedriver \
+  && unzip /tmp/chromedriver_linux64.zip -d ${SEL_DIR} \
   && rm /tmp/chromedriver_linux64.zip \
-  && mv /opt/selenium/chromedriver-linux64/chromedriver /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION \
-  && ln -fs /opt/selenium/chromedriver-$CHROME_DRIVER_VERSION /usr/bin/chromedriver
+  && mv ${SEL_DIR}/chromedriver-linux64/chromedriver ${SEL_DIR}/chromedriver-$CHROME_DRIVER_VERSION \
+  && chmod 755 ${SEL_DIR}/chromedriver-$CHROME_DRIVER_VERSION \
+  && ln -fs ${SEL_DIR}/chromedriver-$CHROME_DRIVER_VERSION /usr/bin/chromedriver
 
 USER ${SEL_UID}
 
 #============================================
 # Dumping Browser information for config
 #============================================
-RUN echo "chrome" > /opt/selenium/browser_name
-RUN google-chrome --version | awk '{print $3}' > /opt/selenium/browser_version
-RUN echo "\"goog:chromeOptions\": {\"binary\": \"/usr/bin/google-chrome\"}" > /opt/selenium/browser_binary_location
+RUN echo "chrome" > ${SEL_DIR}/browser_name
+RUN google-chrome --version | awk '{print $3}' > ${SEL_DIR}/browser_version
+RUN echo "\"goog:chromeOptions\": {\"binary\": \"/usr/bin/google-chrome\"}" > ${SEL_DIR}/browser_binary_location
diff --git a/NodeEdge/Dockerfile b/NodeEdge/Dockerfile
@@ -39,17 +39,18 @@ RUN if [ -z "$EDGE_DRIVER_VERSION" ]; \
   fi \
   && echo "Using msedgedriver version: "$EDGE_DRIVER_VERSION \
   && wget --no-verbose -O /tmp/msedgedriver_linux64.zip https://msedgedriver.azureedge.net/$EDGE_DRIVER_VERSION/edgedriver_linux64.zip \
-  && rm -rf /opt/selenium/msedgedriver \
-  && unzip /tmp/msedgedriver_linux64.zip -d /opt/selenium \
+  && rm -rf ${SEL_DIR}/msedgedriver \
+  && unzip /tmp/msedgedriver_linux64.zip -d ${SEL_DIR} \
   && rm /tmp/msedgedriver_linux64.zip \
-  && mv /opt/selenium/msedgedriver /opt/selenium/msedgedriver-$EDGE_DRIVER_VERSION \
-  && ln -fs /opt/selenium/msedgedriver-$EDGE_DRIVER_VERSION /usr/bin/msedgedriver
+  && mv ${SEL_DIR}/msedgedriver ${SEL_DIR}/msedgedriver-$EDGE_DRIVER_VERSION \
+  && chmod 755 ${SEL_DIR}/msedgedriver-$EDGE_DRIVER_VERSION \
+  && ln -fs ${SEL_DIR}/msedgedriver-$EDGE_DRIVER_VERSION /usr/bin/msedgedriver
 
 USER ${SEL_UID}
 
 #============================================
 # Dumping Browser information for config
 #============================================
-RUN echo "MicrosoftEdge" > /opt/selenium/browser_name
-RUN microsoft-edge --version | awk '{print $3}' > /opt/selenium/browser_version
-RUN echo "\"ms:edgeOptions\": {\"binary\": \"/usr/bin/microsoft-edge\"}" > /opt/selenium/browser_binary_location
+RUN echo "MicrosoftEdge" > ${SEL_DIR}/browser_name
+RUN microsoft-edge --version | awk '{print $3}' > ${SEL_DIR}/browser_version
+RUN echo "\"ms:edgeOptions\": {\"binary\": \"/usr/bin/microsoft-edge\"}" > ${SEL_DIR}/browser_binary_location
diff --git a/NodeFirefox/Dockerfile b/NodeFirefox/Dockerfile
@@ -41,6 +41,6 @@ USER ${SEL_UID}
 #============================================
 # Dumping Browser information for config
 #============================================
-RUN echo "firefox" > /opt/selenium/browser_name
-RUN firefox --version | awk '{print $3}' > /opt/selenium/browser_version
-RUN echo "\"moz:firefoxOptions\": {\"binary\": \"/usr/bin/firefox\"}" > /opt/selenium/browser_binary_location
+RUN echo "firefox" > ${SEL_DIR}/browser_name
+RUN firefox --version | awk '{print $3}' > ${SEL_DIR}/browser_version
+RUN echo "\"moz:firefoxOptions\": {\"binary\": \"/usr/bin/firefox\"}" > ${SEL_DIR}/browser_binary_location