Merge pull request #92 from dotconfig404/feat/nonroot

feat: openshift compatible container support

Author: rwaffen

openvoxserver/Containerfile.alpine

@@ -129,7 +129,6 @@ ENV AUTOSIGN=true \
     OPENVOXSERVER_MAX_REQUESTS_PER_INSTANCE=0 \
     OPENVOXSERVER_PORT=8140 \
     PATH=$PATH:/opt/puppetlabs/server/bin:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin \
-    SSLDIR=/etc/puppetlabs/puppet/ssl \
     USE_OPENVOXDB=true \
     ### build variables
     apps_dir=/opt/puppetlabs/server/apps \
@@ -192,6 +191,43 @@ RUN apk update \
 # install puppet gem as library into jruby loadpath
 && puppetserver gem install --no-document openvox
 
+# explicitly set HOME: random UIDs will cause HOME to be "/" generally
+ENV HOME=${data_dir}/puppetserver
+
+# use system/root paths instead of non-root paths to make permission management
+# and volume mounting simpler. for this we link the appropiate paths and explicitly
+# set the base paths used for interpolation, i.e confdir, codedir, vardir, rundir and 
+# logdir via the template and/or via `30-ensure-config.sh` in `puppet.conf`
+RUN mkdir -p ${HOME}/.puppetlabs/var \
+&& ln -sf /etc/puppetlabs ${HOME}/.puppetlabs/etc \
+&& ln -sf /opt/puppetlabs ${HOME}/.puppetlabs/opt \
+&& ln -sf /var/log/puppetlabs ${HOME}/.puppetlabs/var/log \
+&& ln -sf /var/run/puppetlabs ${HOME}/.puppetlabs/var/run
+
+# mirror user permissions to group, set group to root, and set gid bit on dirs
+RUN for d in \
+    /etc/puppetlabs \
+    /var/log/puppetlabs \
+    /var/run/puppetlabs \
+    /opt/puppetlabs/ \
+  ; do \
+    mkdir -p "$d"; \
+    chgrp -R 0 "$d"; \
+    chmod -R g=u "$d"; \
+    find "$d" -type d -exec chmod g+s {} +; \
+  done
+
+# the foreground starting script has this check before running the server:
+# [ "$EUID" = "$(id -u ${USER})" ]
+# simply calling `id -u` results in the UID of the current user and the check will pass
+RUN sed -i 's/^ *USER="puppet"/USER=""/' /etc/default/puppetserver
+# `puppetserver setup` forces symlinking the "old" cadir to the "new" one for puppet 6 compatibility 
+# reasons. this won't work because after creating a link ruby tries to call chown
+RUN sed -i '/Puppetserver::Ca::Utils::Config\.symlink_to_old_cadir/ s/^/# /' \
+  /usr/lib/ruby/gems/3.4.0/gems/openvoxserver-ca-3.0.0/lib/puppetserver/ca/action/setup.rb
+
+USER puppet:0
+
 # k8s uses livenessProbe, startupProbe, readinessProbe and ignores HEALTHCHECK
 HEALTHCHECK --interval=20s --timeout=15s --retries=12 --start-period=3m CMD ["/healthcheck.sh"]
 

openvoxserver/container-entrypoint.d/20-use-templates-initially.sh

@@ -7,7 +7,7 @@ set -e
 # default
 TEMPLATES=/var/tmp/puppet
 
-cd /etc/puppetlabs/puppet
+cd "$(puppet config print confdir)"
 for f in auth.conf hiera.yaml puppet.conf puppetdb.conf; do
   [ -f "$TEMPLATES/$f" ] && [ ! -f "$f" ] && {
     echo "Copying template $f from $TEMPLATES"

openvoxserver/container-entrypoint.d/30-ensure-config.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+
+puppet config set confdir /etc/puppetlabs/puppet
+puppet config set vardir /opt/puppetlabs/puppet/cache
+puppet config set logdir /var/log/puppetlabs/puppet
+puppet config set codedir /etc/puppetlabs/code
+puppet config set rundir /var/run/puppetlabs
+puppet config set manage_internal_file_permissions false

openvoxserver/container-entrypoint.d/30-set-permissions.sh

@@ -3,5 +3,5 @@
 set -e
 
 if test -n "${OPENVOXDB_SERVER_URLS}" ; then
-  sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" /etc/puppetlabs/puppet/puppetdb.conf
+  sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" $(puppet config print confdir)/puppetdb.conf
 fi

openvoxserver/container-entrypoint.d/40-update-puppetdb-conf.sh

@@ -9,7 +9,7 @@ config_section=main
 # an existing certificate on the /etc/puppetlabs/puppet volume
 if [ -n "${DNS_ALT_NAMES}" ]; then
     certname=$(puppet config print certname)
-    if test ! -f "${SSLDIR}/certs/$certname.pem" ; then
+    if test ! -f "$(puppet config print ssldir)/certs/$certname.pem" ; then
         puppet config set dns_alt_names "${DNS_ALT_NAMES}" --section "${config_section}"
     else
         actual=$(puppet config print dns_alt_names --section "${config_section}")

openvoxserver/container-entrypoint.d/70-set-dns-alt-names.sh

@@ -3,9 +3,10 @@
 require 'json'
 require 'yaml'
 
+target_path = ARGV[0] || '/etc/puppetlabs/puppet/csr_attributes.yaml'
 begin
   csr_yaml = YAML.dump(JSON.load(ENV['CSR_ATTRIBUTES']))
-  File.write('/etc/puppetlabs/puppet/csr_attributes.yaml', csr_yaml)
+  File.write(target_path, csr_yaml)
 rescue => error
   puts "Error on reading JSON env. Terminating"
   puts "Malformed JSON: #{ENV['CSR_ATTRIBUTES']}"

openvoxserver/container-entrypoint.d/89-csr_attributes.rb

@@ -5,8 +5,9 @@ set -e
 # determine script location
 readonly SCRIPT_FILENAME=$(readlink -f "${BASH_SOURCE[0]}")
 readonly SCRIPT_PATH=$(dirname "$SCRIPT_FILENAME")
+readonly CSR_PATH=$(puppet config print csr_attributes)
 
 if [ -n "${CSR_ATTRIBUTES}" ]; then
     echo "CSR Attributes: ${CSR_ATTRIBUTES}"
-    /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb"
+    /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb" "$CSR_PATH"
 fi

openvoxserver/container-entrypoint.d/89-csr_attributes.sh

@@ -59,7 +59,8 @@ else
       exit 99
     fi
 
-    if [[ -f /etc/puppetlabs/puppetserver/ca/ca_crt.pem ]]; then
+    ca_cert=$(puppet config print cacert)
+    if [[ -f "$ca_cert" ]]; then
       echo "CA already imported."
     else
       puppetserver ca import \
@@ -68,9 +69,10 @@ else
         --private-key $INTERMEDIATE_CA_KEY
     fi
   else
-    new_cadir=/etc/puppetlabs/puppetserver/ca
+    new_cadir=$(puppet config print cadir)
+    ssl_dir=$(puppet config print ssldir)
 
-    if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$SSLDIR/ca/ca_crt.pem" ]; then
+    if [ ! -f "$new_cadir/ca_crt.pem" ] && [ ! -f "$ssl_dir/ca/ca_crt.pem" ]; then
         # There is no existing CA
 
         # Append user-supplied DNS Alt Names
@@ -87,13 +89,11 @@ else
 
         # See puppet.conf file for relevant settings
         puppetserver ca setup \
-            --ca-name "$ca_name" \
-            --config /etc/puppetlabs/puppet/puppet.conf
+            --ca-name "$ca_name" 
 
-    elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$SSLDIR/ca/ca_crt.pem" ]; then
+    elif [ ! -f "$new_cadir/ca_crt.pem" ] && [ -f "$ssl_dir/ca/ca_crt.pem" ]; then
         # Legacy CA upgrade
-        puppetserver ca migrate \
-            --config /etc/puppetlabs/puppet/puppet.conf
-    fi
+        puppetserver ca migrate     
+        fi
   fi
 fi

openvoxserver/container-entrypoint.d/90-ca.sh

@@ -8,41 +8,43 @@ echo "System configuration values:"
 echo "* HOSTNAME: '${HOSTNAME}'"
 echo "* hostname -f: '$(hostname -f)'"
 
+ssl_dir=$(puppet config print ssldir)
+
 if [ -n "${CERTNAME}" ]; then
   echo "* CERTNAME: '${CERTNAME}'"
   certname=${CERTNAME}.pem
 else
   echo "* CERTNAME: unset, try to use the oldest certificate in the certs directory, because this might be the one that was used initially."
-  if [ ! -d "${SSLDIR}/certs" ]; then
+  if [ ! -d "${ssl_dir}/certs" ]; then
     certname="Not-Found"
-    echo "WARNING: No certificates directory found in ${SSLDIR}!"
+    echo "WARNING: No certificates directory found in ${ssl_dir}!"
   else
-    certname=$(cd "${SSLDIR}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1)
+    certname=$(cd "${ssl_dir}/certs" && find * -type f -name '*.pem' ! -name ca.pem -print0 | xargs -0 ls -1tr | head -n 1)
     if [ -z "${certname}" ]; then
-      echo "WARNING: No certificates found in ${SSLDIR}/certs! Please set CERTNAME!"
+      echo "WARNING: No certificates found in ${ssl_dir}/certs! Please set CERTNAME!"
     fi
   fi
 fi
 
 echo "* OPENVOXSERVER_PORT: '${OPENVOXSERVER_PORT:-8140}'"
 echo "* Certname: '${certname}'"
 echo "* DNS_ALT_NAMES: '${DNS_ALT_NAMES}'"
-echo "* SSLDIR: '${SSLDIR}'"
+echo "* SSLDIR: '${ssl_dir}'"
 
 altnames="-certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux"
 
-if [ -f "${SSLDIR}/certs/ca.pem" ]; then
+if [ -f "${ssl_dir}/certs/ca.pem" ]; then
   echo "CA Certificate:"
   # shellcheck disable=SC2086 # $altnames shouldn't be quoted
-  openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/ca.pem" $altnames
+  openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/ca.pem" $altnames
 fi
 
 if [ -n "${certname}" ]; then
-  if [ -f "${SSLDIR}/certs/${certname}" ]; then
+  if [ -f "${ssl_dir}/certs/${certname}" ]; then
     echo "Certificate ${certname}:"
     # shellcheck disable=SC2086 # $altnames shouldn't be quoted
-    openssl x509 -subject -issuer -text -noout -in "${SSLDIR}/certs/${certname}" $altnames
+    openssl x509 -subject -issuer -text -noout -in "${ssl_dir}/certs/${certname}" $altnames
   else
-    echo "WARNING: Certificate ${certname} not found in ${SSLDIR}/certs!"
+    echo "WARNING: Certificate ${certname} not found in ${ssl_dir}/certs!"
   fi
 fi