Improve security
Signed-off-by: Wu Zhende wuzhende666@163.com
---
 container/defconfig.rb | 8 ++++++++
 container/logging-es/Dockerfile | 7 +++++++
 container/logging-es/build | 9 ++++++++-
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/container/defconfig.rb b/container/defconfig.rb
index b121de8..ad94940 100755
--- a/container/defconfig.rb
+++ b/container/defconfig.rb
@@ -21,6 +21,14 @@ def relevant_defaults(names)
 cci_defaults.select { |k, _| names.include? k }
 end
+def relevant_service_account(names)
+ hash = {}
+ Dir.glob(['/etc/compass-ci/passwd.yaml']).each do |file|
+ hash.update YAML.load_file(file) || {}
+ end
+ hash.select { |k, _| names.include? k }
+end
+
 def set_local_env
 hash = cci_defaults
 hash.map { |k, v| system "export #{k}=#{v}" }
diff --git a/container/logging-es/Dockerfile b/container/logging-es/Dockerfile
index a0acf94..f66dc35 100644
--- a/container/logging-es/Dockerfile
+++ b/container/logging-es/Dockerfile
@@ -5,6 +5,8 @@ ARG BASE_IMAGE
 FROM $BASE_IMAGE
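Review bot: `relevant_service_account` reads a credentials file with `YAML.load_file`, which on Psych before 4 (Ruby before 3.1) deserialises arbitrary tagged objects; even for a root-owned file, `YAML.safe_load(File.read(file))` (or `YAML.safe_load_file` where the Psych version provides it) is the conservative idiom and changes nothing for the plain key/value content expected here. The function also carries no doc comment, and its silent behaviour when the file is absent (an empty hash, so every lookup returns nil) is the kind of contract a caller needs to know; a one-liner such as `# Entries of /etc/compass-ci/passwd.yaml whose keys are in +names+; {} when the file is missing.` above the `def` would cover it. The surrounding file continues outside the hunk (`set_local_env` follows).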
ARG MEMORY
+ARG USER
+ARG PASSWORD
# docker image borrowed from hub.docker.com/r/gagara/elasticsearch-oss-arm64
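Review bot: `ARG PASSWORD` moves the Elasticsearch superuser password into a build argument, and build arguments consumed by a `RUN` step are recorded in that layer's metadata (visible through `docker history` on the resulting image) and are echoed by the `--progress=plain` output the build script now requests. The same value flows through the later `RUN ./bin/elasticsearch-users useradd ${USER} -p ${PASSWORD} -r superuser` hunk and the build script's `--build-arg PASSWORD=` hunk, so the exposure is the same in all three places. Since `--progress` already implies BuildKit, the password can be supplied as a build secret instead: keep `ARG USER`, drop `ARG PASSWORD`, and consume it with `RUN --mount=type=secret,id=es_password ./bin/elasticsearch-users useradd "${USER}" -p "$(cat /run/secrets/es_password)" -r superuser`, passing `--secret id=es_password,src=<path-to-secret-file>` on the build command. Secret mounts are not written to any layer, so the bcrypt hash in `config/users` is the only trace left in the image.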
@@ -16,6 +18,9 @@ RUN sed -i 's:#network.host: _site_:network.host: 0.0.0.0:' /usr/share/elastic
 sed -i '$a cluster.initial_master_nodes: ["node-1"]' /usr/share/elasticsearch/config/elasticsearch.yml && \
 sed -i '$a indices.memory.index_buffer_size: 20%' /usr/share/elasticsearch/config/elasticsearch.yml && \
 sed -i '$a thread_pool.write.queue_size: 2000' /usr/share/elasticsearch/config/elasticsearch.yml && \
+ sed -i '$a xpack.security.enabled: true' /usr/share/elasticsearch/config/elasticsearch.yml && \
+ sed -i '$a xpack.license.self_generated.type: basic' /usr/share/elasticsearch/config/elasticsearch.yml && \
+ sed -i '$a xpack.security.transport.ssl.enabled: true' /usr/share/elasticsearch/config/elasticsearch.yml && \
 sed -i "s/-Xms1g/-Xms${MEMORY}m/g" /usr/share/elasticsearch/config/jvm.options && \
 sed -i "s/-Xmx1g/-Xmx${MEMORY}m/g" /usr/share/elasticsearch/config/jvm.options
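Review bot: `xpack.security.transport.ssl.enabled: true` is appended without any `xpack.security.transport.ssl.keystore.path` or `.certificate`/`.key` setting in this hunk; Elasticsearch 7.x refuses to bootstrap when transport SSL is enabled but no key and certificate are configured, so unless those are provided elsewhere (a mounted config or an entrypoint not shown here) the node will not start. Nothing in the hunk enables `xpack.security.http.ssl.enabled` either, while the hunk header shows `network.host` being set to `0.0.0.0`, so the basic-auth credentials this commit introduces travel in clear text to every client unless TLS is terminated in front of the container. For a single-node deployment either remove the transport SSL line or add the certificate settings, and make the HTTP TLS decision explicit in the same place, e.g. `sed -i '$a xpack.security.http.ssl.enabled: true' ...` together with its certificate settings. The `RUN` instruction begins and ends outside the hunk.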
@@ -24,6 +29,8 @@ RUN mkdir /usr/share/elasticsearch/tmp && \
WORKDIR /usr/share/elasticsearch
+RUN ./bin/elasticsearch-users useradd ${USER} -p ${PASSWORD} -r superuser
+
 ENV PATH /usr/share/elasticsearch/bin:$PATH
 ENV ES_TMPDIR /usr/share/elasticsearch/tmp
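Review bot: `useradd ${USER} -p ${PASSWORD} -r superuser` gives the logging account full cluster administration, far more than an index writer needs; a file-based role limited to the logging indices (declared in `config/roles.yml` and referenced with `-r`) bounds what a leaked credential can do. Both expansions are unquoted inside a shell-form `RUN`, so a username or password containing whitespace or shell metacharacters breaks or silently alters the command; write `useradd "${USER}" -p "${PASSWORD}" -r superuser`. If either value arrives empty (the build script passes them straight from a YAML lookup that may miss the key), the tool fails with a less obvious error than a guard such as `test -n "${USER}" && test -n "${PASSWORD}" &&` placed before the call would give.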
diff --git a/container/logging-es/build b/container/logging-es/build
index b50830e..ff1f102 100755
--- a/container/logging-es/build
+++ b/container/logging-es/build
@@ -3,8 +3,15 @@
 # Copyright (c) 2020 Huawei Technologies Co., Ltd. All rights reserved.
 # frozen_string_literal: true
+require 'set'
 require_relative '../defconfig.rb'
+names = Set.new %w[
+ LOGGING_ES_USER
+ LOGGING_ES_PASSWORD
+]
+
+defaults = relevant_service_account(names)
 docker_skip_rebuild "logging-es:7.11.1"
BASE_IMAGE_DICT = {
@@ -16,4 +23,4 @@ BASE_IMAGE = BASE_IMAGE_DICT[%x(arch).chomp]
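Review bot: `defaults = relevant_service_account(names)` is never checked for completeness: when `/etc/compass-ci/passwd.yaml` is missing or lacks one of the two keys, the helper returns an empty or partial hash and the later `docker build` line passes `USER=` or `PASSWORD=` empty into the image build, so the failure (if any) surfaces deep inside the Dockerfile instead of here. Fail fast at the point of lookup: `missing = names.reject { |n| defaults.key?(n) }` followed by `abort "passwd.yaml lacks #{missing.join(', ')}" unless missing.empty?`. The `BASE_IMAGE_DICT` literal that closes the hunk continues outside it.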
available_memory = get_available_memory
-system "docker build -t logging-es:7.11.1 --build-arg BASE_IMAGE=#{BASE_IMAGE} --build-arg MEMORY=#{available_memory} ."
+system "docker build -t logging-es:7.11.1 --progress=plain --build-arg BASE_IMAGE=#{BASE_IMAGE} --build-arg MEMORY=#{available_memory} --build-arg USER=#{defaults['LOGGING_ES_USER']} --build-arg PASSWORD=#{defaults['LOGGING_ES_PASSWORD']} ."
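Review bot: the new `system "docker build ... --build-arg PASSWORD=#{defaults['LOGGING_ES_PASSWORD']} ."` interpolates the credential into one shell string, so `/bin/sh` interprets any quote, `$`, `;` or whitespace in the password (or username) before docker sees it, and the full command line, password included, is readable by every local user in the process list for the duration of the build. The multi-argument form of `system` bypasses the shell and removes the metacharacter problem; keeping the value out of the process list and out of the image's layer metadata additionally requires moving it from `--build-arg` to a BuildKit `--secret` (the `--progress=plain` flag already assumes BuildKit), which is a matching Dockerfile change. `system` also returns false when the build fails and, as before this change, the result is ignored; checking it stops a half-built image from being used.
```ruby
# … unchanged: available_memory = get_available_memory …
ok = system('docker', 'build', '-t', 'logging-es:7.11.1', '--progress=plain',
            '--build-arg', "BASE_IMAGE=#{BASE_IMAGE}",
            '--build-arg', "MEMORY=#{available_memory}",
            '--build-arg', "USER=#{defaults['LOGGING_ES_USER']}",
            '--build-arg', "PASSWORD=#{defaults['LOGGING_ES_PASSWORD']}",
            '.')
abort 'docker build of logging-es failed' unless ok
```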
end
+def relevant_service_account(names)
- hash = {}
- Dir.glob(['/etc/compass-ci/passwd.yaml']).each do |file|
- hash.update YAML.load_file(file) || {}
- end
Just use `hash = YAML.load_file('/etc/compass-ci/passwd.yaml')` if you only need it for a single file.
Thanks, Luan Shengde
- hash.select { |k, _| names.include? k }
+end
def set_local_env
 hash = cci_defaults
 hash.map { |k, v| system "export #{k}=#{v}" }
diff --git a/container/logging-es/Dockerfile b/container/logging-es/Dockerfile
index a0acf94..f66dc35 100644
--- a/container/logging-es/Dockerfile
+++ b/container/logging-es/Dockerfile
@@ -5,6 +5,8 @@ ARG BASE_IMAGE
 FROM $BASE_IMAGE
ARG MEMORY
+ARG USER
+ARG PASSWORD
# docker image borrowed from hub.docker.com/r/gagara/elasticsearch-oss-arm64
@@ -16,6 +18,9 @@ RUN sed -i 's:#network.host: _site_:network.host: 0.0.0.0:' /usr/share/elastic
 sed -i '$a cluster.initial_master_nodes: ["node-1"]' /usr/share/elasticsearch/config/elasticsearch.yml && \
 sed -i '$a indices.memory.index_buffer_size: 20%' /usr/share/elasticsearch/config/elasticsearch.yml && \
 sed -i '$a thread_pool.write.queue_size: 2000' /usr/share/elasticsearch/config/elasticsearch.yml && \
- sed -i '$a xpack.security.enabled: true' /usr/share/elasticsearch/config/elasticsearch.yml && \
- sed -i '$a xpack.license.self_generated.type: basic' /usr/share/elasticsearch/config/elasticsearch.yml && \
- sed -i '$a xpack.security.transport.ssl.enabled: true' /usr/share/elasticsearch/config/elasticsearch.yml && \
 sed -i "s/-Xms1g/-Xms${MEMORY}m/g" /usr/share/elasticsearch/config/jvm.options && \
 sed -i "s/-Xmx1g/-Xmx${MEMORY}m/g" /usr/share/elasticsearch/config/jvm.options
@@ -24,6 +29,8 @@ RUN mkdir /usr/share/elasticsearch/tmp && \
WORKDIR /usr/share/elasticsearch
+RUN ./bin/elasticsearch-users useradd ${USER} -p ${PASSWORD} -r superuser
ENV PATH /usr/share/elasticsearch/bin:$PATH
 ENV ES_TMPDIR /usr/share/elasticsearch/tmp
diff --git a/container/logging-es/build b/container/logging-es/build
index b50830e..ff1f102 100755
--- a/container/logging-es/build
+++ b/container/logging-es/build
@@ -3,8 +3,15 @@
 # Copyright (c) 2020 Huawei Technologies Co., Ltd. All rights reserved.
 # frozen_string_literal: true
+require 'set'
 require_relative '../defconfig.rb'
+names = Set.new %w[
- LOGGING_ES_USER
- LOGGING_ES_PASSWORD
+]
+defaults = relevant_service_account(names)
 docker_skip_rebuild "logging-es:7.11.1"
BASE_IMAGE_DICT = {
@@ -16,4 +23,4 @@ BASE_IMAGE = BASE_IMAGE_DICT[%x(arch).chomp]
available_memory = get_available_memory
-system "docker build -t logging-es:7.11.1 --build-arg BASE_IMAGE=#{BASE_IMAGE} --build-arg MEMORY=#{available_memory} ."
+system "docker build -t logging-es:7.11.1 --progress=plain --build-arg BASE_IMAGE=#{BASE_IMAGE} --build-arg MEMORY=#{available_memory} --build-arg USER=#{defaults['LOGGING_ES_USER']} --build-arg PASSWORD=#{defaults['LOGGING_ES_PASSWORD']} ."
2.23.0