From 5d8c1c0610f4644a2c319c4e83de5ff6cbc03861 Mon Sep 17 00:00:00 2001 From: Viet Nguyen Duc Date: Tue, 30 Jan 2024 18:03:12 +0530 Subject: [PATCH] feat: non-root user for video recorder Signed-off-by: Viet Nguyen Duc --- Makefile | 8 ++- Video/Dockerfile | 58 +++++++++++++++++-- Video/entry_point.sh | 10 ++++ Video/supervisord.conf | 1 - Video/video.sh | 2 +- .../selenium-grid/configs/node/nodePreStop.sh | 4 +- charts/selenium-grid/values.yaml | 1 - tests/Dockerfile | 2 +- tests/docker-compose-v3-test-video.yml | 3 + 9 files changed, 74 insertions(+), 15 deletions(-) diff --git a/Makefile b/Makefile index 7769dd269..c029b095f 100644 --- a/Makefile +++ b/Makefile @@ -397,11 +397,13 @@ test_firefox_standalone: # Its main purpose is to check that a video file was generated. test_video: video hub chrome firefox edge # Running a few tests with docker-compose to generate the videos + rm -rf ./tests/videos; mkdir -p ./tests/videos for node in NodeChrome NodeFirefox NodeEdge ; do \ cd ./tests || true ; \ echo VIDEO_TAG=$(FFMPEG_TAG_VERSION)-$(BUILD_DATE) > .env ; \ echo TAG=$(TAG_VERSION) >> .env ; \ echo NODE=$$node >> .env ; \ + echo UID=$$(id -u) >> .env ; \ if [ $$node = "NodeChrome" ] ; then \ echo BROWSER=chrome >> .env ; \ echo VIDEO_FILE_NAME=chrome_video.mp4 >> .env ; \ @@ -418,9 +420,9 @@ test_video: video hub chrome firefox edge done # Using ffmpeg to verify file integrity # https://superuser.com/questions/100288/how-can-i-check-the-integrity-of-a-video-file-avi-mpeg-mp4 - docker run -v $$(pwd):$$(pwd) -w $$(pwd) $(FFMPEG_BASED_NAME)/ffmpeg:$(FFMPEG_BASED_TAG) -v error -i ./tests/videos/chrome_video.mp4 -f null - 2>error.log - docker run -v $$(pwd):$$(pwd) -w $$(pwd) $(FFMPEG_BASED_NAME)/ffmpeg:$(FFMPEG_BASED_TAG) -v error -i ./tests/videos/firefox_video.mp4 -f null - 2>error.log - docker run -v $$(pwd):$$(pwd) -w $$(pwd) $(FFMPEG_BASED_NAME)/ffmpeg:$(FFMPEG_BASED_TAG) -v error -i ./tests/videos/edge_video.mp4 -f null - 2>error.log + docker run -u $$(id -u) -v $$(pwd):$$(pwd) -w $$(pwd) $(FFMPEG_BASED_NAME)/ffmpeg:$(FFMPEG_BASED_TAG) -v error -i ./tests/videos/chrome_video.mp4 -f null - 2>error.log + docker run -u $$(id -u) -v $$(pwd):$$(pwd) -w $$(pwd) $(FFMPEG_BASED_NAME)/ffmpeg:$(FFMPEG_BASED_TAG) -v error -i ./tests/videos/firefox_video.mp4 -f null - 2>error.log + docker run -u $$(id -u) -v $$(pwd):$$(pwd) -w $$(pwd) $(FFMPEG_BASED_NAME)/ffmpeg:$(FFMPEG_BASED_TAG) -v error -i ./tests/videos/edge_video.mp4 -f null - 2>error.log chart_setup_env: ./tests/charts/make/chart_setup_env.sh diff --git a/Video/Dockerfile b/Video/Dockerfile index 5a78e8a20..2f9b5f9f4 100644 --- a/Video/Dockerfile +++ b/Video/Dockerfile @@ -3,6 +3,14 @@ ARG BASED_TAG FROM $NAMESPACE/ffmpeg:$BASED_TAG LABEL authors="Selenium " +#Arguments to define the user running the container +ARG SEL_USER=seluser +ARG SEL_GROUP=${SEL_USER} +ARG SEL_PASSWD=secret +ARG UID=1200 +ARG GID=1201 + +USER root #================================================ # Customize sources for apt-get #================================================ @@ -12,7 +20,8 @@ RUN echo "deb http://archive.ubuntu.com/ubuntu jammy main universe\n" > /etc/ap # No interactive frontend during docker build ENV DEBIAN_FRONTEND=noninteractive \ - DEBCONF_NONINTERACTIVE_SEEN=true + DEBCONF_NONINTERACTIVE_SEEN=true \ + PIP_ROOT_USER_ACTION=ignore #======================== # Supervisor @@ -20,21 +29,60 @@ ENV DEBIAN_FRONTEND=noninteractive \ RUN apt-get -qqy update \ && apt-get upgrade -yq \ && apt-get -qqy --no-install-recommends install \ - supervisor x11-xserver-utils x11-utils curl jq python3-pip \ + supervisor x11-xserver-utils x11-utils curl jq python3-pip tzdata acl \ && python3 -m pip install --upgrade pip \ && python3 -m pip install --upgrade setuptools \ && python3 -m pip install --upgrade wheel \ + && python3 -m pip install psutil \ && rm -rf /var/lib/apt/lists/* /var/cache/apt/* +#=================== +# Timezone settings +# Possible alternative: https://github.com/docker/docker/issues/3359#issuecomment-32150214 +#=================== +ENV TZ "UTC" +RUN ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime && \ + dpkg-reconfigure -f noninteractive tzdata && \ + cat /etc/timezone + +#====================================== +# Configure environement +#====================================== +ENV SEL_USER=${SEL_USER} +ENV SEL_UID=${UID} +ENV SEL_GID=${GID} +ENV HOME=/home/${SEL_USER} + +#======================================== +# Add normal user and group with passwordless sudo +#======================================== +RUN groupadd ${SEL_GROUP} \ + --gid ${SEL_GID} \ + && useradd ${SEL_USER} \ + --create-home \ + --gid ${SEL_GID} \ + --shell /bin/bash \ + --uid ${SEL_UID} \ + && usermod -a -G sudo ${SEL_USER} \ + && echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \ + && echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd + #====================================== # Add Supervisor configuration files #====================================== COPY supervisord.conf /etc -COPY entry_point.sh video.sh video_ready.py /opt/bin/ -RUN cd /opt/bin && pip install psutil +COPY --chown="${SEL_UID}:${SEL_GID}" entry_point.sh video.sh video_ready.py /opt/bin/ ENV SE_VIDEO_FOLDER /videos -RUN mkdir -p /var/run/supervisor /var/log/supervisor $SE_VIDEO_FOLDER +RUN mkdir -p /var/run/supervisor /var/log/supervisor $SE_VIDEO_FOLDER \ + && chown -R ${SEL_USER}:${SEL_GROUP} /var/run/supervisor /var/log/supervisor $SE_VIDEO_FOLDER $HOME \ + && chmod -R 775 /var/run/supervisor /var/log/supervisor $SE_VIDEO_FOLDER $HOME \ + && chgrp -R 0 /var/run/supervisor /var/log/supervisor $SE_VIDEO_FOLDER $HOME \ + && chmod -R g=u /var/run/supervisor /var/log/supervisor $SE_VIDEO_FOLDER $HOME \ + && setfacl -Rdm u:${SEL_USER}:rwx,g:${SEL_GROUP}:rwx /var/run/supervisor /var/log/supervisor $SE_VIDEO_FOLDER $HOME + +USER ${SEL_UID} +VOLUME ${SE_VIDEO_FOLDER} ENTRYPOINT ["/opt/bin/entry_point.sh"] CMD ["/opt/bin/entry_point.sh"] diff --git a/Video/entry_point.sh b/Video/entry_point.sh index ae951a318..e9c01eea8 100755 --- a/Video/entry_point.sh +++ b/Video/entry_point.sh @@ -1,4 +1,14 @@ #!/usr/bin/env bash +#============================================== +# OpenShift or non-sudo environments support +# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines +#============================================== + +if ! whoami &> /dev/null; then + if [ -w /etc/passwd ]; then + echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd + fi +fi /usr/bin/supervisord --configuration /etc/supervisord.conf & diff --git a/Video/supervisord.conf b/Video/supervisord.conf index 84b7d6ae2..68d42b8a2 100644 --- a/Video/supervisord.conf +++ b/Video/supervisord.conf @@ -10,7 +10,6 @@ pidfile=/var/run/supervisor/supervisord.pid ; (supervisord pidfile;default sup nodaemon=true ; (start in foreground if true;default false) minfds=1024 ; (min. avail startup file descriptors;default 1024) minprocs=200 ; (min. avail process descriptors;default 200) -user=root ; (default is current user, required if root) [program:video-recording] priority=0 diff --git a/Video/video.sh b/Video/video.sh index 7bf59a015..7be462a80 100755 --- a/Video/video.sh +++ b/Video/video.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/usr/bin/env bash VIDEO_SIZE="${SE_SCREEN_WIDTH}""x""${SE_SCREEN_HEIGHT}" DISPLAY_CONTAINER_NAME=${DISPLAY_CONTAINER_NAME} diff --git a/charts/selenium-grid/configs/node/nodePreStop.sh b/charts/selenium-grid/configs/node/nodePreStop.sh index d125ddbc0..af7d32ba9 100644 --- a/charts/selenium-grid/configs/node/nodePreStop.sh +++ b/charts/selenium-grid/configs/node/nodePreStop.sh @@ -10,9 +10,7 @@ if curl -sfk ${SE_SERVER_PROTOCOL}://127.0.0.1:${SE_NODE_PORT}/status; then curl -k -X POST ${SE_SERVER_PROTOCOL}://127.0.0.1:${SE_NODE_PORT}/se/grid/node/drain --header "${HEADERS}" while curl -sfk ${SE_SERVER_PROTOCOL}://127.0.0.1:${SE_NODE_PORT}/status -o /tmp/preStopOutput; do - echo "Node preStop is waiting for current session to be finished if any.\nNode details: \ - .value.message: $(jq -r '.value.message' /tmp/preStopOutput || "unknown"), \ - .value.node.availability: $(jq -r '.value.node.availability' /tmp/preStopOutput || "unknown")" + echo "Node preStop is waiting for current session to be finished if any. Node details: message: $(jq -r '.value.message' /tmp/preStopOutput || "unknown"), availability: $(jq -r '.value.node.availability' /tmp/preStopOutput || "unknown")" sleep 1; done else diff --git a/charts/selenium-grid/values.yaml b/charts/selenium-grid/values.yaml index 33139674f..36bf31f49 100644 --- a/charts/selenium-grid/values.yaml +++ b/charts/selenium-grid/values.yaml @@ -1066,7 +1066,6 @@ videoRecorder: cpu: "1" # SecurityContext for recorder container securityContext: - runAsUser: 0 extraEnvironmentVariables: # - name: SE_VIDEO_FOLDER # value: /videos diff --git a/tests/Dockerfile b/tests/Dockerfile index cf2d16926..f79b99203 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.8.6-buster +FROM python:3.10-slim WORKDIR /usr/src/app diff --git a/tests/docker-compose-v3-test-video.yml b/tests/docker-compose-v3-test-video.yml index bbfb6f6ab..2b14e09e3 100644 --- a/tests/docker-compose-v3-test-video.yml +++ b/tests/docker-compose-v3-test-video.yml @@ -5,6 +5,7 @@ version: "3" services: browser: image: selenium/node-${BROWSER}:${TAG} + user: ${UID} shm_size: 2gb depends_on: - selenium-hub @@ -18,6 +19,7 @@ services: browser_video: image: selenium/video:${VIDEO_TAG} + user: ${UID} volumes: - ./videos:/videos depends_on: @@ -28,6 +30,7 @@ services: selenium-hub: image: selenium/hub:${TAG} + user: ${UID} container_name: selenium-hub ports: - "4442:4442"