add eos-nobody user and use the rpm provided forwardable keytab

2705abd4 · Fabio Luchetti · 5e052130 · 2705abd4 · 2705abd4 · 2705abd4
Commit 2705abd4 authored May 18, 2021 by Fabio Luchetti
11 changed files
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,7 +31,7 @@ COPY eos-docker/xrootd-fwd-proxy.cfg /etc/xrootd/
 RUN sed -i "s/__EOS_CODENAME__/${EOS_CODENAME}/g" /etc/yum.repos.d/eos.repo

 RUN mkdir /var/tmp/eosxd-cache/ /var/tmp/eosxd-journal/
-RUN adduser eos-user
+RUN adduser eos-user && adduser eosnobody

 # Docker will aggressively cache the following command, but this is fine, since
 # these packages are not updated often.
@@ -79,14 +79,11 @@ RUN if [ "${EOS_CODENAME}" != "diopside" ]; then yum -y --nogpg install quarkdb;
 # fails. This happens on CC7 and C8.
 RUN yum install -y --nogpg install xrootd-client

-# Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable
-# one (installed by the eos-testkeytab package).
-# This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
-# Infrastructure; you can remove these lines if you don't need one.
-RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab \
-    && yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab \
-    && chown daemon:daemon /etc/eos.keytab \
-    && chmod 400 /etc/eos.keytab
+# Swap and use the forwardable keytab (installed by the eos-testkeytab package).
+# This is useful for clients who reside on a private network and tunnel through a
+# Network Address Translation (NAT) device. You can remove these lines if you don't need them.
+RUN mv -f /etc/eos.keytab.fw /etc/eos.keytab
+

 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd

--- a/Dockerfile.local
+++ b/Dockerfile.local
@@ -26,7 +26,7 @@ COPY xrootd-fwd-proxy.cfg /etc/xrootd/

 RUN mkdir /var/tmp/eosxd-cache/ /var/tmp/eosxd-journal/

-RUN adduser eos-user
+RUN adduser eos-user && adduser eosnobody

 # Install XRootD
 ENV XRD_VERSION 4.12.7
@@ -43,14 +43,10 @@ RUN yum -y --nogpg update \
    xrootd-server-libs-$XRD_VERSION \
    && yum clean all

-# Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable
-# one (installed by the eos-testkeytab package).
-# This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
-# Infrastructure; you can remove these lines if you don't need one.
-RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab \
-    && yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab \
-    && chown daemon:daemon /etc/eos.keytab \
-    && chmod 400 /etc/eos.keytab
+# Swap and use the forwardable keytab (installed by the eos-testkeytab package).
+# This is useful for clients who reside on a private network and tunnel through a
+# Network Address Translation (NAT) device. You can remove these lines if you don't need them.
+RUN mv -f /etc/eos.keytab.fw /etc/eos.keytab

 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd

--- a/Dockerfile_asan
+++ b/Dockerfile_asan
@@ -32,7 +32,7 @@ RUN sed -i "s/__EOS_CODENAME__/${EOS_CODENAME}/g" /etc/yum.repos.d/eos.repo

 RUN mkdir /var/tmp/eosxd-cache/ /var/tmp/eosxd-journal/

-RUN adduser eos-user
+RUN adduser eos-user && adduser eosnobody

 # Docker will aggressively cache the following command, but this is fine, since
 # these packages are not updated often.
@@ -70,13 +70,9 @@ RUN createrepo ${EOSREPODIR} \

 RUN if [ "${EOS_CODENAME}" != "diopside" ]; then yum -y --nogpg install quarkdb; else yum -y --nogpg install eos-quarkdb; fi

-# Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable
-# one (installed by the eos-testkeytab package).
-# This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
-# Infrastructure; you can remove these lines if you don't need one.
-RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab \
-    && yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab \
-    && chown daemon:daemon /etc/eos.keytab \
-    && chmod 400 /etc/eos.keytab
+# Swap and use the forwardable keytab (installed by the eos-testkeytab package).
+# This is useful for clients who reside on a private network and tunnel through a
+# Network Address Translation (NAT) device. You can remove these lines if you don't need them.
+RUN mv -f /etc/eos.keytab.fw /etc/eos.keytab

 ENTRYPOINT ["/bin/bash"]
--- a/Dockerfile_c8
+++ b/Dockerfile_c8
@@ -32,7 +32,7 @@ RUN sed -i "s/__EOS_CODENAME__/${EOS_CODENAME}/g" /etc/yum.repos.d/eos.repo

 RUN mkdir /var/tmp/eosxd-cache/ /var/tmp/eosxd-journal/

-RUN adduser eos-user
+RUN adduser eos-user && adduser eosnobody

 # Note: Docker will aggressively cache the following command.
 #       However, these packages don't change often
@@ -88,14 +88,10 @@ RUN if [ "${EOS_CODENAME}" != "diopside" ]; then yum -y --nogpg install quarkdb;
 # fails. This happens on CC7 and C8.
 RUN dnf -y --nogpg install xrootd-client

-# Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable
-# one (installed by the eos-testkeytab package).
-# This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
-# Infrastructure; you can remove these lines if you don't need one.
-RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab \
-    && yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab \
-    && chown daemon:daemon /etc/eos.keytab \
-    && chmod 400 /etc/eos.keytab
+# Swap and use the forwardable keytab (installed by the eos-testkeytab package).
+# This is useful for clients who reside on a private network and tunnel through a
+# Network Address Translation (NAT) device. You can remove these lines if you don't need them.
+RUN mv -f /etc/eos.keytab.fw /etc/eos.keytab

 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd

--- a/Dockerfile_coverage
+++ b/Dockerfile_coverage
@@ -26,7 +26,7 @@ COPY eos-docker/xrootd-fwd-proxy.cfg /etc/xrootd/

 RUN mkdir /var/tmp/eosxd-cache/ /var/tmp/eosxd-journal/

-RUN adduser eos-user
+RUN adduser eos-user && adduser eosnobody

 # Docker will aggressively cache the following command, but this is fine, since
 # these packages are not updated often.
@@ -79,13 +79,9 @@ RUN echo -e "export EOS_COVERAGE_REPORT=1" >> /etc/sysconfig/eos
 RUN mkdir -p /root/rpmbuild/BUILD/ \
    && cp -r --preserve /usr/src/debug/eos-* /root/rpmbuild/BUILD/

-# Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable
-# one (installed by the eos-testkeytab package).
-# This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
-# Infrastructure; you can remove these lines if you don't need one.
-RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab \
-    && yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab \
-    && chown daemon:daemon /etc/eos.keytab \
-    && chmod 400 /etc/eos.keytab
+# Swap and use the forwardable keytab (installed by the eos-testkeytab package).
+# This is useful for clients who reside on a private network and tunnel through a
+# Network Address Translation (NAT) device. You can remove these lines if you don't need them.
+RUN mv -f /etc/eos.keytab.fw /etc/eos.keytab

 ENTRYPOINT ["/bin/bash"]
--- a/Dockerfile_cs8
+++ b/Dockerfile_cs8
@@ -34,7 +34,7 @@ RUN sed -i "s/__EOS_CODENAME__/${EOS_CODENAME}/g" /etc/yum.repos.d/eos.repo

 RUN mkdir /var/tmp/eosxd-cache/ /var/tmp/eosxd-journal/

-RUN adduser eos-user
+RUN adduser eos-user && adduser eosnobody

 # Note: Docker will aggressively cache the following command.
 #       However, these packages don't change often
@@ -90,14 +90,10 @@ RUN if [ "${EOS_CODENAME}" != "diopside" ]; then yum -y --nogpg install quarkdb;
 # fails. This happens on CC7 and C8.
 RUN dnf -y --nogpg install xrootd-client

-# Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable
-# one (installed by the eos-testkeytab package).
-# This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
-# Infrastructure; you can remove these lines if you don't need one.
-RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab \
-    && yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab \
-    && chown daemon:daemon /etc/eos.keytab \
-    && chmod 400 /etc/eos.keytab
+# Swap and use the forwardable keytab (installed by the eos-testkeytab package).
+# This is useful for clients who reside on a private network and tunnel through a
+# Network Address Translation (NAT) device. You can remove these lines if you don't need them.
+RUN mv -f /etc/eos.keytab.fw /etc/eos.keytab

 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd

--- a/Dockerfile_no_sse
+++ b/Dockerfile_no_sse
@@ -32,7 +32,7 @@ RUN sed -i "s/__EOS_CODENAME__/${EOS_CODENAME}/g" /etc/yum.repos.d/eos.repo

 RUN mkdir /var/tmp/eosxd-cache/ /var/tmp/eosxd-journal/

-RUN adduser eos-user
+RUN adduser eos-user && adduser eosnobody

 # Docker will aggressively cache the following command, but this is fine, since
 # these packages are not updated often.
@@ -83,14 +83,10 @@ RUN if [ "${EOS_CODENAME}" != "diopside" ]; then yum -y --nogpg install quarkdb;
 # fails. This happens on CC7 and C8.
 RUN yum install -y --nogpg install xrootd-client-4.11.3

-# Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable
-# one (installed by the eos-testkeytab package).
-# This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
-# Infrastructure; you can remove these lines if you don't need one.
-RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab \
-    && yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab \
-    && chown daemon:daemon /etc/eos.keytab \
-    && chmod 400 /etc/eos.keytab
+# Swap and use the forwardable keytab (installed by the eos-testkeytab package).
+# This is useful for clients who reside on a private network and tunnel through a
+# Network Address Translation (NAT) device. You can remove these lines if you don't need them.
+RUN mv -f /etc/eos.keytab.fw /etc/eos.keytab

 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd

--- a/Dockerfile_ubuntu_bionic
+++ b/Dockerfile_ubuntu_bionic
@@ -21,7 +21,7 @@ COPY eos-docker/fstfmd.dict /var/eos/md/

 RUN mkdir /var/tmp/eosxd-cache/ /var/tmp/eosxd-journal/

-RUN adduser eos-user
+RUN adduser eos-user && adduser eosnobody

 ENV DEBIAN_FRONTEND noninteractive


--- a/Dockerfile_ubuntu_focal
+++ b/Dockerfile_ubuntu_focal
@@ -21,7 +21,7 @@ COPY eos-docker/fstfmd.dict /var/eos/md/

 RUN mkdir /var/tmp/eosxd-cache/ /var/tmp/eosxd-journal/

-RUN adduser eos-user
+RUN adduser eos-user && adduser eosnobody

 ENV DEBIAN_FRONTEND noninteractive


--- a/Dockerfile_xrd_testing
+++ b/Dockerfile_xrd_testing
@@ -26,7 +26,7 @@ COPY eos-docker/xrootd-fwd-proxy.cfg /etc/xrootd/

 RUN mkdir /var/tmp/eosxd-cache/ /var/tmp/eosxd-journal/

-RUN adduser eos-user
+RUN adduser eos-user && adduser eosnobody

 # Docker will aggressively cache the following command, but this is fine, since
 # these packages are not updated often.
@@ -62,13 +62,9 @@ RUN createrepo ${EOSREPODIR} \
    eos-archive eos-client eos-fuse eos-fusex eos-ns-inspect eos-server eos-test eos-testkeytab \
    && yum clean all

-# Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable
-# one (installed by the eos-testkeytab package).
-# This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
-# Infrastructure; you can remove these lines if you don't need one.
-RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab \
-    && yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab \
-    && chown daemon:daemon /etc/eos.keytab \
-    && chmod 400 /etc/eos.keytab
+# Swap and use the forwardable keytab (installed by the eos-testkeytab package).
+# This is useful for clients who reside on a private network and tunnel through a
+# Network Address Translation (NAT) device. You can remove these lines if you don't need them.
+RUN mv -f /etc/eos.keytab.fw /etc/eos.keytab

 ENTRYPOINT ["/bin/bash"]
--- a/minimal/c7_minimal.Dockerfile
+++ b/minimal/c7_minimal.Dockerfile
@@ -34,14 +34,10 @@ RUN sed -i "s|/usr/bin/xrdcp|/opt/eos/xrootd/bin/xrdcp|g" /etc/xrd.cf.fst
 # Install some much needed utility: please bloat with care!
 RUN yum -y --nogpg install nano redis && yum clean all && rm -rf /var/cache/yum

-# Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable
-# one (installed by the eos-testkeytab package). This is mmostly useful to deploy EOS 
-# on containerized envoronments; you can remove these lines if you don't need one.
-# @todo review: what about not installing eos-testkeytab at all?
-RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab \
-    && yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab \
-    && chown daemon:daemon /etc/eos.keytab \
-    && chmod 400 /etc/eos.keytab
+# Swap and use the forwardable keytab (installed by the eos-testkeytab package).
+# This is useful for clients who reside on a private network and tunnel through a 
+# Network Address Translation (NAT) device. You can remove these lines if you don't need them.
+RUN mv -f /etc/eos.keytab.fw /etc/eos.keytab

 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd