OPENDAP / hyrax-docker

GNU Lesser General Public License v3.0

running bes with a particular uid #36

Open gajowi opened 4 years ago

gajowi commented 4 years ago

I have a need to run bes with a particular uid to fit in with our storage setup.

I have a couple of ideas but would like to get any changes upstream so they can be more generally useful. BTW I think the rpm install creates the bes user with the next available uid.

The front-running idea is to run 'usermod -u NNN bes' in the entrypoint where NNN is passed in as an environment variable (maybe BES_UID).

Does that seem a good idea and valuable to the project? It's a pretty simple code change.

BTW setting the tomcat UID may also be desirable and might matter for logging but not for reading data. Likewise setting the ncWMS2 user would seem good.

regards,

Gareth

gajowi commented 4 years ago

By the way, I could not say what best practice is, but thredds-docker uses the upstream tomcat container image mechanism to set the UID: https://github.com/Unidata/tomcat-docker#configurable-tomcat-uid-and-gid The environment variable feeds into an entrypoint that invokes useradd: https://github.com/Unidata/tomcat-docker/blob/master/entrypoint.sh
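
The idea from the two comments above (a UID taken from an environment variable and applied in the entrypoint), with the value checked before `usermod` runs, as an added example that is not code from hyrax-docker or tomcat-docker. The function names, the 60000 upper bound and the sample passwd entries are assumptions; `BES_UID` is the name suggested in the issue.

```shell
#!/bin/sh
# Added example, not hyrax-docker code. Function names and the UID range are
# assumptions; BES_UID is the variable name floated in the issue.
UID_MAX=60000   # assumed site policy for the upper bound

# valid_uid VALUE: succeed only for a plain decimal number in 1..UID_MAX.
valid_uid() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, 0 or leading zero, non-digit
    esac
    [ "${#1}" -le 9 ] || return 1     # keep the comparison below from overflowing
    [ "$1" -le "$UID_MAX" ]
}

# uid_owner UID PASSWD_FILE: print the account that already holds UID, if any.
uid_owner() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$2"
}

# plan_remap USER WANTED_UID PASSWD_FILE: print the decision
#   skip (nothing requested) | noop (already set) | change | reject:<reason>
plan_remap() {
    user=$1; want=$2; pw=$3
    [ -n "$want" ] || { echo skip; return 0; }
    valid_uid "$want" || { echo "reject:invalid"; return 1; }
    owner=$(uid_owner "$want" "$pw")
    if [ "$owner" = "$user" ]; then echo noop; return 0; fi
    [ -z "$owner" ] || { echo "reject:taken-by-$owner"; return 1; }
    echo change
}

# apply_remap USER WANTED_UID: the entrypoint step (needs root and usermod).
# Intended call: apply_remap bes "${BES_UID:-}" || exit 1
apply_remap() {
    case $(plan_remap "$1" "$2" /etc/passwd) in
        skip|noop) return 0 ;;
        change)    usermod -u "$2" "$1" ;;
        *)         echo "refusing uid '$2' for $1" >&2; return 1 ;;
    esac
}

# Constructed passwd entries for trying plan_remap without root.
sample_passwd() {
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
        'bes:x:997:995::/home/bes:/sbin/nologin' \
        'tomcat:x:998:996::/usr/share/tomcat:/sbin/nologin'
}
```

`plan_remap` only reads the passwd file, so it can be exercised against `sample_passwd` output without root; `apply_remap` is the part that changes the account.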

gajowi commented 4 years ago

I've made a clean fork and started writing code. I have something working but perhaps not complete and only minimally tested. Here is a patch. The same changes are needed for multiple entrypoint.sh files, probably only in the hyrax-snapshot directory (but I can't build that as I can't access the snapshot).

Rather than press on and make a PR that will be unacceptable, I'm posting this and asking what to do next.

>:~/hyrax-docker/hyrax-1.16.2$ git diff --output=patch
>:~/hyrax-docker/hyrax-1.16.2$ cat patch
diff --git a/hyrax-1.16.2/hyrax/entrypoint.sh b/hyrax-1.16.2/hyrax/entrypoint.sh
index 3e392a5..9525b4e 100755
--- a/hyrax-1.16.2/hyrax/entrypoint.sh
+++ b/hyrax-1.16.2/hyrax/entrypoint.sh
@@ -62,9 +62,16 @@ else
     NCWMS_BASE="https://localhost:8080"
      echo "Assigning default NCWMS_BASE: $NCWMS_BASE"  
 fi
+
+if [ $BES_USER_ID ] && [ -n $BES_USER_ID ] ; then    
+    echo "Found exisiting BES_USER_ID: $BES_USER_ID"  
+else 
+    BES_USER_ID="not_set"
+     echo "BES_USER_ID is $BES_USER_ID"  
+fi
 debug=false;

-while getopts "de:sn:" opt; do
+while getopts "de:sn:b:" opt; do
   echo "Processing command line opt: ${opt}" >&2
   case $opt in
     e)
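
Review bot: the added test `[ $BES_USER_ID ] && [ -n $BES_USER_ID ]` expands the variable unquoted, so the second half adds nothing and a value containing whitespace makes `[` report an error and fall through to the else branch, where the supplied value is overwritten with "not_set". A single `[ -n "${BES_USER_ID}" ]` does the job. The echo in the same block misspells "existing" as "exisiting".
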
@@ -79,17 +86,22 @@ while getopts "de:sn:" opt; do
       echo "Setting ncWMS public facing service base to : $OPTARG" >&2
       NCWMS_BASE=$OPTARG
       ;;
+    b)
+      echo "Setting bes user numeric uid to : $OPTARG" >&2
+      BES_USER_ID=$OPTARG
+      ;;
     d)
       debug=true;
       echo "Debug is enabled" >&2;
       ;;
     \?)
       echo "Invalid option: -$OPTARG" >&2
-      echo "options: [-e xxx] [-s] [-n yyy] [-d] "  >&2
+      echo "options: [-e xxx] [-s] [-n yyy] [-b nnn] [-d] "  >&2
       echo " -e xxx where xxx is the email address of the admin contact for the server."
       echo " -s When present causes the BES to follow symbolic links."
       echo " -n yyy where yyy is the protocol, server and port part "  >&2
       echo "    of the ncWMS service (for example http://foo.com:8090)."  >&2
+      echo " -b nnn where nnn is the numeric uid for the bes user."
       echo " -d Enables debugging output for this script."  >&2
       echo "EXITING NOW"  >&2
       exit 2;
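
Review bot: the new `b)` case assigns `$OPTARG` to BES_USER_ID without checking that it is a number, although the help text describes it as a numeric uid. Reject anything that is not all digits here and exit 2 as the `\?` branch does, so a bad value is caught at option parsing and not later in the script. The added `-b nnn` usage line also lacks the `>&2` that the neighbouring `-n` and `-d` lines carry.
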
@@ -124,6 +136,13 @@ if [ $FOLLOW_SYMLINKS != "not_set" ]; then
     sed -i "s/^BES.Catalog.catalog.FollowSymLinks=No/BES.Catalog.catalog.FollowSymLinks=Yes/" /etc/bes/bes.conf
 fi

+if [ $BES_USER_ID != "not_set" ]; then
+    echo "Setting BES_USER_ID to $BES_USER_ID."
+    usermod -u ${BES_USER_ID} bes
+    chown -R bes /etc/bes
+    sync
+fi
+

 # Start the BES daemon process
 # /usr/bin/besdaemon -i /usr -c /etc/bes/bes.conf -r /var/run/bes.pid
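
Review bot: the exit status of `usermod -u ${BES_USER_ID} bes` is never checked, so when it fails (for example on a non-numeric value or a uid that is already taken) the script still runs `chown -R bes /etc/bes` and carries on to the BES start-up section with the old uid. Quote the expansions and stop on failure, e.g. `usermod -u "${BES_USER_ID}" bes || exit 1`, and quote the variable in `[ $BES_USER_ID != "not_set" ]` as well. The chown covers only /etc/bes, so it would help to document whether other bes-owned paths in the image need the same treatment.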