From 0498657328e8f05118eeefa6b0ec32f97486e72b Mon Sep 17 00:00:00 2001 From: svor Date: Mon, 9 Dec 2019 19:46:58 +0200 Subject: [PATCH 1/4] Patch maven base images to unset MAVEN_CONFIG env Signed-off-by: svor --- arbitrary-users-patch/build_images.sh | 8 +++++++- arbitrary-users-patch/maven/Dockerfile | 14 +++++++++++++ arbitrary-users-patch/maven/entrypoint.sh | 20 +++++++++++++++++++ devfiles/apache-camel-springboot/devfile.yaml | 2 -- devfiles/java-maven/devfile.yaml | 2 -- 5 files changed, 41 insertions(+), 5 deletions(-) create mode 100644 arbitrary-users-patch/maven/Dockerfile create mode 100644 arbitrary-users-patch/maven/entrypoint.sh diff --git a/arbitrary-users-patch/build_images.sh b/arbitrary-users-patch/build_images.sh index d5e6f317e..976b93428 100755 --- a/arbitrary-users-patch/build_images.sh +++ b/arbitrary-users-patch/build_images.sh @@ -16,6 +16,8 @@ DEFAULT_REGISTRY="quay.io" DEFAULT_ORGANIZATION="eclipse" DEFAULT_TAG="nightly" +MAVEN_BASE="maven" + REGISTRY=${REGISTRY:-${DEFAULT_REGISTRY}} ORGANIZATION=${ORGANIZATION:-${DEFAULT_ORGANIZATION}} TAG=${TAG:-${DEFAULT_TAG}} @@ -31,7 +33,11 @@ while read -r line; do base_image_name=$(echo "$line" | tr -s ' ' | cut -f 1 -d ' ') base_image=$(echo "$line" | tr -s ' ' | cut -f 2 -d ' ') echo "Building ${NAME_FORMAT}/${base_image_name}:${TAG} based on $base_image ..." - docker build -t "${NAME_FORMAT}/${base_image_name}:${TAG}" --no-cache --build-arg FROM_IMAGE="$base_image" "${SCRIPT_DIR}"/ + script_dir=${SCRIPT_DIR} + if [[ ${base_image:0:5} = ${MAVEN_BASE} ]] ; then + script_dir=${SCRIPT_DIR}/${MAVEN_BASE} + fi + docker build -t "${NAME_FORMAT}/${base_image_name}:${TAG}" --no-cache --build-arg FROM_IMAGE="$base_image" "${script_dir}"/ if ${PUSH_IMAGES}; then echo "Pushing ${NAME_FORMAT}/${base_image_name}:${TAG}" to remote registry docker push "${NAME_FORMAT}/${base_image_name}:${TAG}" 
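Review bot: The Maven test in the second build_images.sh hunk, `[[ ${base_image:0:5} = ${MAVEN_BASE} ]]`, hard-codes the prefix length and leaves the right-hand side unquoted, so it is evaluated as a glob pattern and silently stops matching if MAVEN_BASE ever changes length. It also picks the maven/ build context for any base image whose reference merely starts with those five characters, and misses a Maven image referenced with a registry prefix. Because this branch decides which Dockerfile and entrypoint are baked into an image that is then pushed, an explicit comparison on the repository name is safer, e.g. `if [[ "${base_image%%:*}" == "${MAVEN_BASE}" ]]; then`. The enclosing `while read` loop starts and ends outside the hunk.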
diff --git a/arbitrary-users-patch/maven/Dockerfile b/arbitrary-users-patch/maven/Dockerfile new file mode 100644 index 000000000..8919fdc89 --- /dev/null +++ b/arbitrary-users-patch/maven/Dockerfile @@ -0,0 +1,14 @@ +ARG FROM_IMAGE +FROM ${FROM_IMAGE} +USER 0 +# Set permissions on /etc/passwd and /home to allow arbitrary users to write +COPY [--chown=0:0] entrypoint.sh / +RUN mkdir -p /home/user && chgrp -R 0 /home && chmod -R g=u /etc/passwd /home && chmod +x /entrypoint.sh + +USER 10001 +ENV HOME=/home/user +#unset MAVEN_CONFIG env +ENV MAVEN_CONFIG= +WORKDIR /projects +ENTRYPOINT [ "/entrypoint.sh" ] +CMD ["tail", "-f", "/dev/null"] diff --git a/arbitrary-users-patch/maven/entrypoint.sh b/arbitrary-users-patch/maven/entrypoint.sh new file mode 100644 index 000000000..8f02d0dd6 --- /dev/null +++ b/arbitrary-users-patch/maven/entrypoint.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +# Ensure $HOME exists when starting +if [ ! -d "${HOME}" ]; then + mkdir -p "${HOME}" +fi + +# Setup $PS1 for a consistent and reasonable prompt +if [ -w "${HOME}" ] && [ ! -f "${HOME}"/.bashrc ]; then + echo "PS1='\s-\v \w \$ '" > "${HOME}"/.bashrc +fi + +# Add current (arbitrary) user to /etc/passwd +if ! whoami &> /dev/null; then + if [ -w /etc/passwd ]; then + echo "${USER_NAME:-user}:x:$(id -u):0:${USER_NAME:-user} user:${HOME}:/bin/bash" >> /etc/passwd + fi +fi + +exec "$@" diff --git a/devfiles/apache-camel-springboot/devfile.yaml b/devfiles/apache-camel-springboot/devfile.yaml index 03ad502f5..9f851cdd9 100644 --- a/devfiles/apache-camel-springboot/devfile.yaml +++ b/devfiles/apache-camel-springboot/devfile.yaml @@ -26,8 +26,6 @@ components: alias: maven image: quay.io/eclipse/che-java8-maven:nightly env: - - name: MAVEN_CONFIG - value: "/home/user/.m2" - name: MAVEN_OPTS value: "-XX:MaxRAMPercentage=50.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 
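Review bot: `chmod -R g=u /etc/passwd /home` in the new maven/Dockerfile leaves /etc/passwd writable by every process running with GID 0, which is the group the arbitrary UID receives, so any code in the container can rewrite account entries, not only the entrypoint that appends one. That is the known trade-off of this pattern, but the comment above the RUN should say so explicitly, and it is worth confirming that the base image ships no setuid helpers that consult /etc/passwd. Separately, `COPY [--chown=0:0] entrypoint.sh /` keeps the square brackets that the documentation uses to mark an optional flag; it should read `COPY --chown=0:0 entrypoint.sh /`, otherwise the bracketed token is probably taken as a source path rather than a flag. `FROM ${FROM_IMAGE}` has no default and no digest, so what ends up in the image depends entirely on the tag passed by build_images.sh.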
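Review bot: The /etc/passwd line appended by the new entrypoint.sh interpolates `${USER_NAME:-user}` and `${HOME}` straight from the container environment, so a value containing `:` or a newline produces a malformed or additional account entry. A guard before the append would close that, e.g. `if [[ "${USER_NAME:-user}${HOME}" =~ [:[:cntrl:]] ]]; then echo "invalid USER_NAME or HOME" >&2; exit 1; fi`. The `mkdir -p "${HOME}"` at the top also runs when HOME is empty and its failure is ignored; `: "${HOME:?HOME must be set}"` as the first statement would make that case explicit.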
diff --git a/devfiles/java-maven/devfile.yaml b/devfiles/java-maven/devfile.yaml index 311fbba2a..714f4e36d 100644 --- a/devfiles/java-maven/devfile.yaml +++ b/devfiles/java-maven/devfile.yaml @@ -18,8 +18,6 @@ components: alias: maven image: quay.io/eclipse/che-java11-maven:nightly env: - - name: MAVEN_CONFIG - value: /home/user/.m2 - name: MAVEN_OPTS value: "-XX:MaxRAMPercentage=50 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 From c73b041fb3b6aef99318018fea35512c449acbbb Mon Sep 17 00:00:00 2001 From: svor Date: Wed, 11 Dec 2019 10:23:40 +0200 Subject: [PATCH 2/4] Set empty MAVEN_CONFIG in devfiles where samples use mvnw Signed-off-by: svor --- arbitrary-users-patch/build_images.sh | 8 +------- arbitrary-users-patch/maven/Dockerfile | 14 ------------- arbitrary-users-patch/maven/entrypoint.sh | 20 ------------------- devfiles/apache-camel-springboot/devfile.yaml | 2 ++ devfiles/java-mysql/devfile.yaml | 2 ++ devfiles/java-web-spring/devfile.yaml | 2 ++ 6 files changed, 7 insertions(+), 41 deletions(-) delete mode 100644 arbitrary-users-patch/maven/Dockerfile delete mode 100644 arbitrary-users-patch/maven/entrypoint.sh diff --git a/arbitrary-users-patch/build_images.sh b/arbitrary-users-patch/build_images.sh index 976b93428..d5e6f317e 100755 --- a/arbitrary-users-patch/build_images.sh +++ b/arbitrary-users-patch/build_images.sh @@ -16,8 +16,6 @@ DEFAULT_REGISTRY="quay.io" DEFAULT_ORGANIZATION="eclipse" DEFAULT_TAG="nightly" -MAVEN_BASE="maven" - REGISTRY=${REGISTRY:-${DEFAULT_REGISTRY}} ORGANIZATION=${ORGANIZATION:-${DEFAULT_ORGANIZATION}} TAG=${TAG:-${DEFAULT_TAG}} 
@@ -33,11 +31,7 @@ while read -r line; do base_image_name=$(echo "$line" | tr -s ' ' | cut -f 1 -d ' ') base_image=$(echo "$line" | tr -s ' ' | cut -f 2 -d ' ') echo "Building ${NAME_FORMAT}/${base_image_name}:${TAG} based on $base_image ..." - script_dir=${SCRIPT_DIR} - if [[ ${base_image:0:5} = ${MAVEN_BASE} ]] ; then - script_dir=${SCRIPT_DIR}/${MAVEN_BASE} - fi - docker build -t "${NAME_FORMAT}/${base_image_name}:${TAG}" --no-cache --build-arg FROM_IMAGE="$base_image" "${script_dir}"/ + docker build -t "${NAME_FORMAT}/${base_image_name}:${TAG}" --no-cache --build-arg FROM_IMAGE="$base_image" "${SCRIPT_DIR}"/ if ${PUSH_IMAGES}; then echo "Pushing ${NAME_FORMAT}/${base_image_name}:${TAG}" to remote registry docker push "${NAME_FORMAT}/${base_image_name}:${TAG}" diff --git a/arbitrary-users-patch/maven/Dockerfile b/arbitrary-users-patch/maven/Dockerfile deleted file mode 100644 index 8919fdc89..000000000 --- a/arbitrary-users-patch/maven/Dockerfile +++ /dev/null @@ -1,14 +0,0 @@ -ARG FROM_IMAGE -FROM ${FROM_IMAGE} -USER 0 -# Set permissions on /etc/passwd and /home to allow arbitrary users to write -COPY [--chown=0:0] entrypoint.sh / -RUN mkdir -p /home/user && chgrp -R 0 /home && chmod -R g=u /etc/passwd /home && chmod +x /entrypoint.sh - -USER 10001 -ENV HOME=/home/user -#unset MAVEN_CONFIG env -ENV MAVEN_CONFIG= -WORKDIR /projects -ENTRYPOINT [ "/entrypoint.sh" ] -CMD ["tail", "-f", "/dev/null"] diff --git a/arbitrary-users-patch/maven/entrypoint.sh b/arbitrary-users-patch/maven/entrypoint.sh deleted file mode 100644 index 8f02d0dd6..000000000 --- a/arbitrary-users-patch/maven/entrypoint.sh +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/bin/bash - -# Ensure $HOME exists when starting -if [ ! -d "${HOME}" ]; then - mkdir -p "${HOME}" -fi - -# Setup $PS1 for a consistent and reasonable prompt -if [ -w "${HOME}" ] && [ ! -f "${HOME}"/.bashrc ]; then - echo "PS1='\s-\v \w \$ '" > "${HOME}"/.bashrc -fi - -# Add current (arbitrary) user to /etc/passwd -if ! whoami &> /dev/null; then - if [ -w /etc/passwd ]; then - echo "${USER_NAME:-user}:x:$(id -u):0:${USER_NAME:-user} user:${HOME}:/bin/bash" >> /etc/passwd - fi -fi - -exec "$@" diff --git a/devfiles/apache-camel-springboot/devfile.yaml b/devfiles/apache-camel-springboot/devfile.yaml index 9f851cdd9..db2a21e3b 100644 --- a/devfiles/apache-camel-springboot/devfile.yaml +++ b/devfiles/apache-camel-springboot/devfile.yaml @@ -26,6 +26,8 @@ components: alias: maven image: quay.io/eclipse/che-java8-maven:nightly env: + - name: MAVEN_CONFIG + value: "" - name: MAVEN_OPTS value: "-XX:MaxRAMPercentage=50.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 diff --git a/devfiles/java-mysql/devfile.yaml b/devfiles/java-mysql/devfile.yaml index a1db4fb7e..42767a344 100644 --- a/devfiles/java-mysql/devfile.yaml +++ b/devfiles/java-mysql/devfile.yaml @@ -18,6 +18,8 @@ components: alias: tools image: quay.io/eclipse/che-java8-maven:nightly env: + - name: MAVEN_CONFIG + value: "" - name: JAVA_OPTS value: "-XX:MaxRAMPercentage=50.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 diff --git a/devfiles/java-web-spring/devfile.yaml b/devfiles/java-web-spring/devfile.yaml index 4a2330d74..1567d7904 100644 --- a/devfiles/java-web-spring/devfile.yaml +++ b/devfiles/java-web-spring/devfile.yaml 
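Review bot: The `MAVEN_CONFIG` entry with `value: ""` added to devfiles/apache-camel-springboot/devfile.yaml carries no comment, and an empty-valued variable reads like a leftover that a later cleanup would remove. A one-line YAML comment above it would do, e.g. `# MAVEN_CONFIG is left empty on purpose so that samples using mvnw work`. The same applies to the java-mysql and java-web-spring hunks in this patch and to the java-maven, java-mongo and java-web-vertx hunks in patch 3/4. The commit subjects say "unset" while the variable is in fact set to an empty string; presumably that is enough for the wrapper, but the comment should state which of the two is intended.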
@@ -18,6 +18,8 @@ components: alias: tools image: quay.io/eclipse/che-java8-maven:nightly env: + - name: MAVEN_CONFIG + value: "" - name: JAVA_OPTS value: "-XX:MaxRAMPercentage=50.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 From 030c53f486b24ff4299348c7ba8b41b478625d3f Mon Sep 17 00:00:00 2001 From: svor Date: Wed, 11 Dec 2019 18:08:15 +0200 Subject: [PATCH 3/4] update all maven based images to unset MAVEN_CONFIG Signed-off-by: svor --- devfiles/java-maven/devfile.yaml | 2 ++ devfiles/java-mongo/devfile.yaml | 2 ++ devfiles/java-web-vertx/devfile.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/devfiles/java-maven/devfile.yaml b/devfiles/java-maven/devfile.yaml index 714f4e36d..865a5b822 100644 --- a/devfiles/java-maven/devfile.yaml +++ b/devfiles/java-maven/devfile.yaml @@ -18,6 +18,8 @@ components: alias: maven image: quay.io/eclipse/che-java11-maven:nightly env: + - name: MAVEN_CONFIG + value: "" - name: MAVEN_OPTS value: "-XX:MaxRAMPercentage=50 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 diff --git a/devfiles/java-mongo/devfile.yaml b/devfiles/java-mongo/devfile.yaml index ce6f6b637..e112410c1 100644 --- a/devfiles/java-mongo/devfile.yaml +++ b/devfiles/java-mongo/devfile.yaml @@ -18,6 +18,8 @@ components: alias: maven image: quay.io/eclipse/che-java8-maven:nightly env: + - name: MAVEN_CONFIG + value: "" - name: JAVA_OPTS value: "-XX:MaxRAMPercentage=50.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 diff --git a/devfiles/java-web-vertx/devfile.yaml b/devfiles/java-web-vertx/devfile.yaml index fb56edcdd..71a70a1a3 100644 --- a/devfiles/java-web-vertx/devfile.yaml +++ b/devfiles/java-web-vertx/devfile.yaml 
@@ -17,6 +17,8 @@ components: alias: maven image: quay.io/eclipse/che-java8-maven:nightly env: + - name: MAVEN_CONFIG + value: "" - name: JAVA_OPTS value: "-XX:MaxRAMPercentage=50.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 From e870e2ea7e1bbc2f2333b40d464fa2932934ae3c Mon Sep 17 00:00:00 2001 From: svor Date: Wed, 11 Dec 2019 18:09:02 +0200 Subject: [PATCH 4/4] code cleanup Signed-off-by: svor --- devfiles/apache-camel-springboot/devfile.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devfiles/apache-camel-springboot/devfile.yaml b/devfiles/apache-camel-springboot/devfile.yaml index db2a21e3b..4eb5312d6 100644 --- a/devfiles/apache-camel-springboot/devfile.yaml +++ b/devfiles/apache-camel-springboot/devfile.yaml @@ -26,7 +26,7 @@ components: alias: maven image: quay.io/eclipse/che-java8-maven:nightly env: - - name: MAVEN_CONFIG + - name: MAVEN_CONFIG value: "" - name: MAVEN_OPTS value: "-XX:MaxRAMPercentage=50.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10