Non root docker user (#2460)

* Non root docker user

* Fixes for user - signle user for all services

* Base image changed

* Fixes for pvc removal

* Moved to be in sync with PE

* Changed to TB repository

@@ -2,8 +2,8 @@
 
 set -e
 
-chown -R ${pkg.name}: ${pkg.logFolder}
-chown -R ${pkg.name}: ${pkg.installFolder}
+chown -R ${pkg.user}: ${pkg.logFolder}
+chown -R ${pkg.user}: ${pkg.installFolder}
 systemctl --no-reload enable ${pkg.name}.service >/dev/null 2>&1 || :
 
 exit 0

@@ -2,21 +2,21 @@
 
 set -e
 
-if ! getent group ${pkg.name} >/dev/null; then
-    addgroup --system ${pkg.name}
+if ! getent group ${pkg.user} >/dev/null; then
+    addgroup --system ${pkg.user}
 fi
 
-if ! getent passwd ${pkg.name} >/dev/null; then
+if ! getent passwd ${pkg.user} >/dev/null; then
     adduser --quiet \
             --system \
-            --ingroup ${pkg.name} \
+            --ingroup ${pkg.user} \
             --quiet \
             --disabled-login \
             --disabled-password \
             --home ${pkg.installFolder} \
             --no-create-home \
             -gecos "Thingsboard application" \
-            ${pkg.name}
+            ${pkg.user}
 fi
 
 exit 0
\ No newline at end of file

 #!/bin/sh
 
-chown -R ${pkg.name}: ${pkg.logFolder}
-chown -R ${pkg.name}: ${pkg.installFolder}
+chown -R ${pkg.user}: ${pkg.logFolder}
+chown -R ${pkg.user}: ${pkg.installFolder}
 
 if [ $1 -eq 1 ] ; then
         # Initial installation

@@ -3,7 +3,7 @@ Description=${pkg.name}
 After=syslog.target
 
 [Service]
-User=${pkg.name}
+User=${pkg.user}
 ExecStart=${pkg.installFolder}/bin/${pkg.name}.jar
 SuccessExitStatus=143
 

@@ -44,7 +44,7 @@ installDir=${pkg.installFolder}/data
 
 source "${CONF_FOLDER}/${configfile}"
 
-run_user=${pkg.name}
+run_user=${pkg.user}
 
 su -s /bin/sh -c "java -cp ${jarfile} $JAVA_OPTS -Dloader.main=org.thingsboard.server.ThingsboardInstallApplication \
                     -Dinstall.data_dir=${installDir} \

@@ -43,7 +43,7 @@ installDir=${pkg.installFolder}/data
 
 source "${CONF_FOLDER}/${configfile}"
 
-run_user=${pkg.name}
+run_user=${pkg.user}
 
 su -s /bin/sh -c "java -cp ${jarfile} $JAVA_OPTS -Dloader.main=org.thingsboard.server.ThingsboardInstallApplication \
                     -Dinstall.data_dir=${installDir} \

@@ -17,6 +17,13 @@ In order to set database type change the value of `DATABASE` variable in `.env`
 
 **NOTE**: According to the database type corresponding docker service will be deployed (see `docker-compose.postgres.yml`, `docker-compose.cassandra.yml` for details).
 
+Execute the following command to create log folders for the services and chown of these folders to the docker container users. 
+To be able to change user, **chown** command is used, which requires sudo permissions (script will request password for a sudo access): 
+
+`
+$ ./docker-create-log-folders.sh
+`
+
 Execute the following command to run installation:
 
 `

+#!/bin/bash
+#
+# Copyright © 2016-2020 The Thingsboard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+mkdir -p tb-node/log/ && sudo chown -R 799:799 tb-node/log/
+
+mkdir -p tb-transports/coap/log && sudo chown -R 799:799 tb-transports/coap/log
+
+mkdir -p tb-transports/http/log && sudo chown -R 799:799 tb-transports/http/log
+
+mkdir -p tb-transports/mqtt/log && sudo chown -R 799:799 tb-transports/mqtt/log
\ No newline at end of file

@@ -39,5 +39,5 @@ spec:
     volumeMounts:
       - mountPath: /config
         name: tb-node-config
-    command: ['sh', '-c', 'while [ ! -f /install-finished ]; do sleep 2; done;']
+    command: ['sh', '-c', 'while [ ! -f /tmp/install-finished ]; do sleep 2; done;']
   restartPolicy: Never

@@ -15,4 +15,6 @@
 # limitations under the License.
 #
 
-kubectl -n thingsboard delete svc,sts,deploy,pv,pvc,cm,po,ing --all
+kubectl -n thingsboard delete svc,sts,deploy,cm,po,ing --all
+
+kubectl -n thingsboard get pvc --no-headers=true | awk '//{print $1}' | xargs kubectl -n thingsboard delete --ignore-not-found=true pvc
\ No newline at end of file

@@ -22,7 +22,7 @@ function installTb() {
     kubectl apply -f tb-node-configmap.yml
     kubectl apply -f database-setup.yml &&
     kubectl wait --for=condition=Ready pod/tb-db-setup --timeout=120s &&
-    kubectl exec tb-db-setup -- sh -c 'export INSTALL_TB=true; export LOAD_DEMO='"$loadDemo"'; start-tb-node.sh; touch /install-finished;'
+    kubectl exec tb-db-setup -- sh -c 'export INSTALL_TB=true; export LOAD_DEMO='"$loadDemo"'; start-tb-node.sh; touch /tmp/install-finished;'
 
     kubectl delete pod tb-db-setup
 

@@ -38,6 +38,6 @@ fi
 
 kubectl apply -f database-setup.yml &&
 kubectl wait --for=condition=Ready pod/tb-db-setup --timeout=120s &&
-kubectl exec tb-db-setup -- sh -c 'export UPGRADE_TB=true; export FROM_VERSION='"$fromVersion"'; start-tb-node.sh; touch /install-finished;'
+kubectl exec tb-db-setup -- sh -c 'export UPGRADE_TB=true; export FROM_VERSION='"$fromVersion"'; start-tb-node.sh; touch /tmp/install-finished;'
 
 kubectl delete pod tb-db-setup

@@ -58,6 +58,8 @@ spec:
         env:
         - name: POSTGRES_DB
           value: "thingsboard"
+        - name: POSTGRES_PASSWORD
+          value: "postgres"
         - name: PGDATA
           value: /var/lib/postgresql/data/pgdata
         volumeMounts:

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-FROM debian:stretch
+FROM thingsboard/base
 
 COPY start-js-executor.sh ${pkg.name}.deb /tmp/
 
@@ -25,4 +25,6 @@ RUN dpkg -i /tmp/${pkg.name}.deb
 
 RUN update-rc.d ${pkg.name} disable
 
+USER ${pkg.user}
+
 CMD ["start-js-executor.sh"]

@@ -26,4 +26,6 @@ identity=${pkg.name}
 
 source "${CONF_FOLDER}/${configfile}"
 
-su -s /bin/sh -c "$mainfile"
+cd ${pkg.installFolder}/bin
+
+exec /bin/sh -c "$mainfile"

@@ -36,7 +36,6 @@
         <main.dir>${basedir}/../..</main.dir>
         <pkg.name>tb-js-executor</pkg.name>
         <docker.name>tb-js-executor</docker.name>
-        <pkg.user>thingsboard</pkg.user>
         <pkg.unixLogFolder>/var/log/${pkg.name}</pkg.unixLogFolder>
         <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
         <pkg.linux.dist>${project.build.directory}/package/linux</pkg.linux.dist>

@@ -25,4 +25,8 @@ RUN dpkg -i /tmp/${pkg.name}.deb
 
 RUN systemctl --no-reload disable --now ${pkg.name}.service > /dev/null 2>&1 || :
 
+RUN chown -R ${pkg.user}:${pkg.user} /tmp
+
+USER ${pkg.user}
+
 CMD ["start-tb-node.sh"]

@@ -18,12 +18,14 @@
 CONF_FOLDER="/config"
 jarfile=${pkg.installFolder}/bin/${pkg.name}.jar
 configfile=${pkg.name}.conf
-run_user=${pkg.name}
+run_user=${pkg.user}
 
 source "${CONF_FOLDER}/${configfile}"
 
 export LOADER_PATH=/config,${LOADER_PATH}
 
+cd ${pkg.installFolder}/bin
+
 if [ "$INSTALL_TB" == "true" ]; then
 
     if [ "$LOAD_DEMO" == "true" ]; then

@@ -36,7 +36,6 @@
         <main.dir>${basedir}/../..</main.dir>
         <pkg.name>thingsboard</pkg.name>
         <docker.name>tb-node</docker.name>
-        <pkg.user>thingsboard</pkg.user>
         <pkg.unixLogFolder>/var/log/${pkg.name}</pkg.unixLogFolder>
         <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
     </properties>

@@ -38,7 +38,6 @@
         <tb.docker.name>tb</tb.docker.name>
         <tb-postgres.docker.name>tb-postgres</tb-postgres.docker.name>
         <tb-cassandra.docker.name>tb-cassandra</tb-cassandra.docker.name>
-        <pkg.user>thingsboard</pkg.user>
         <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
         <pkg.upgradeVersion>2.4.2</pkg.upgradeVersion>
     </properties>

@@ -25,4 +25,6 @@ RUN dpkg -i /tmp/${pkg.name}.deb
 
 RUN update-rc.d ${pkg.name} disable
 
+USER ${pkg.user}
+
 CMD ["start-tb-coap-transport.sh"]

@@ -25,6 +25,8 @@ export LOADER_PATH=/config,${LOADER_PATH}
 
 echo "Starting '${project.name}' ..."
 
+cd ${pkg.installFolder}/bin
+
 exec java -cp ${jarfile} $JAVA_OPTS -Dloader.main=org.thingsboard.server.coap.ThingsboardCoapTransportApplication \
                     -Dspring.jpa.hibernate.ddl-auto=none \
                     -Dlogging.config=/config/logback.xml \

@@ -36,7 +36,6 @@
         <main.dir>${basedir}/../../..</main.dir>
         <pkg.name>tb-coap-transport</pkg.name>
         <docker.name>tb-coap-transport</docker.name>
-        <pkg.user>thingsboard</pkg.user>
         <pkg.logFolder>/var/log/${pkg.name}</pkg.logFolder>
         <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
     </properties>

@@ -25,4 +25,6 @@ RUN dpkg -i /tmp/${pkg.name}.deb
 
 RUN update-rc.d ${pkg.name} disable
 
+USER ${pkg.user}
+
 CMD ["start-tb-http-transport.sh"]

@@ -25,6 +25,8 @@ export LOADER_PATH=/config,${LOADER_PATH}
 
 echo "Starting '${project.name}' ..."
 
+cd ${pkg.installFolder}/bin
+
 exec java -cp ${jarfile} $JAVA_OPTS -Dloader.main=org.thingsboard.server.http.ThingsboardHttpTransportApplication \
                     -Dspring.jpa.hibernate.ddl-auto=none \
                     -Dlogging.config=/config/logback.xml \

@@ -36,7 +36,6 @@
         <main.dir>${basedir}/../../..</main.dir>
         <pkg.name>tb-http-transport</pkg.name>
         <docker.name>tb-http-transport</docker.name>
-        <pkg.user>thingsboard</pkg.user>
         <pkg.logFolder>/var/log/${pkg.name}</pkg.logFolder>
         <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
     </properties>

@@ -25,4 +25,6 @@ RUN dpkg -i /tmp/${pkg.name}.deb
 
 RUN update-rc.d ${pkg.name} disable
 
+USER ${pkg.user}
+
 CMD ["start-tb-mqtt-transport.sh"]

@@ -25,6 +25,8 @@ export LOADER_PATH=/config,${LOADER_PATH}
 
 echo "Starting '${project.name}' ..."
 
+cd ${pkg.installFolder}/bin
+
 exec java -cp ${jarfile} $JAVA_OPTS -Dloader.main=org.thingsboard.server.mqtt.ThingsboardMqttTransportApplication \
                     -Dspring.jpa.hibernate.ddl-auto=none \
                     -Dlogging.config=/config/logback.xml \

@@ -36,7 +36,6 @@
         <main.dir>${basedir}/../../..</main.dir>
         <pkg.name>tb-mqtt-transport</pkg.name>
         <docker.name>tb-mqtt-transport</docker.name>
-        <pkg.user>thingsboard</pkg.user>
         <pkg.logFolder>/var/log/${pkg.name}</pkg.logFolder>
         <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
     </properties>

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 
-FROM debian:stretch
+FROM thingsboard/base
 
 COPY start-web-ui.sh ${pkg.name}.deb /tmp/
 
@@ -25,4 +25,6 @@ RUN dpkg -i /tmp/${pkg.name}.deb
 
 RUN update-rc.d ${pkg.name} disable
 
+USER ${pkg.user}
+
 CMD ["start-web-ui.sh"]

@@ -26,4 +26,6 @@ identity=${pkg.name}
 
 source "${CONF_FOLDER}/${configfile}"
 
-su -s /bin/sh -c "$mainfile"
+cd ${pkg.installFolder}/bin
+
+exec /bin/sh -c "$mainfile"

@@ -36,7 +36,6 @@
         <main.dir>${basedir}/../..</main.dir>
         <pkg.name>tb-web-ui</pkg.name>
         <docker.name>tb-web-ui</docker.name>
-        <pkg.user>thingsboard</pkg.user>
         <pkg.unixLogFolder>/var/log/${pkg.name}</pkg.unixLogFolder>
         <pkg.installFolder>/usr/share/${pkg.name}</pkg.installFolder>
         <pkg.linux.dist>${project.build.directory}/package/linux</pkg.linux.dist>

@@ -29,6 +29,7 @@
 
     <properties>
         <main.dir>${basedir}</main.dir>
+        <pkg.user>thingsboard</pkg.user>
         <spring-boot.version>2.1.3.RELEASE</spring-boot.version>
         <spring.version>5.1.5.RELEASE</spring.version>
         <spring-security.version>5.1.4.RELEASE</spring-security.version>

 #!/bin/sh
 
-chown -R ${pkg.name}: ${pkg.logFolder}
-chown -R ${pkg.name}: ${pkg.installFolder}
+chown -R ${pkg.user}: ${pkg.logFolder}
+chown -R ${pkg.user}: ${pkg.installFolder}
 update-rc.d ${pkg.name} defaults
 

 #!/bin/sh
 
-if ! getent group ${pkg.name} >/dev/null; then
-    addgroup --system ${pkg.name}
+if ! getent group ${pkg.user} >/dev/null; then
+    addgroup --system ${pkg.user}
 fi
 
-if ! getent passwd ${pkg.name} >/dev/null; then
+if ! getent passwd ${pkg.user} >/dev/null; then
     adduser --quiet \
             --system \
-            --ingroup ${pkg.name} \
+            --ingroup ${pkg.user} \
             --quiet \
             --disabled-login \
             --disabled-password \
             --home ${pkg.installFolder} \
             --no-create-home \
             -gecos "Thingsboard application" \
-            ${pkg.name}
+            ${pkg.user}
 fi

 #!/bin/sh
 
-chown -R ${pkg.name}: ${pkg.logFolder}
-chown -R ${pkg.name}: ${pkg.installFolder}
+chown -R ${pkg.user}: ${pkg.logFolder}
+chown -R ${pkg.user}: ${pkg.installFolder}
 
 if [ $1 -eq 1 ] ; then
         # Initial installation

@@ -3,7 +3,7 @@ Description=${pkg.name}
 After=syslog.target
 
 [Service]
-User=${pkg.name}
+User=${pkg.user}
 ExecStart=${pkg.installFolder}/bin/${pkg.name}.jar
 SuccessExitStatus=143
 

 #!/bin/sh
 
-chown -R ${pkg.name}: ${pkg.logFolder}
-chown -R ${pkg.name}: ${pkg.installFolder}
+chown -R ${pkg.user}: ${pkg.logFolder}
+chown -R ${pkg.user}: ${pkg.installFolder}
 update-rc.d ${pkg.name} defaults
 

 #!/bin/sh
 
-if ! getent group ${pkg.name} >/dev/null; then
-    addgroup --system ${pkg.name}
+if ! getent group ${pkg.user} >/dev/null; then
+    addgroup --system ${pkg.user}
 fi
 
-if ! getent passwd ${pkg.name} >/dev/null; then
+if ! getent passwd ${pkg.user} >/dev/null; then
     adduser --quiet \
             --system \
-            --ingroup ${pkg.name} \
+            --ingroup ${pkg.user} \
             --quiet \
             --disabled-login \
             --disabled-password \
             --home ${pkg.installFolder} \
             --no-create-home \
             -gecos "Thingsboard application" \
-            ${pkg.name}
+            ${pkg.user}
 fi

 #!/bin/sh
 
-chown -R ${pkg.name}: ${pkg.logFolder}
-chown -R ${pkg.name}: ${pkg.installFolder}
+chown -R ${pkg.user}: ${pkg.logFolder}
+chown -R ${pkg.user}: ${pkg.installFolder}
 
 if [ $1 -eq 1 ] ; then
         # Initial installation

@@ -3,7 +3,7 @@ Description=${pkg.name}
 After=syslog.target
 
 [Service]
-User=${pkg.name}
+User=${pkg.user}
 ExecStart=${pkg.installFolder}/bin/${pkg.name}.jar
 SuccessExitStatus=143
 

 #!/bin/sh
 
-chown -R ${pkg.name}: ${pkg.logFolder}
-chown -R ${pkg.name}: ${pkg.installFolder}
+chown -R ${pkg.user}: ${pkg.logFolder}
+chown -R ${pkg.user}: ${pkg.installFolder}
 update-rc.d ${pkg.name} defaults
 

 #!/bin/sh
 
-if ! getent group ${pkg.name} >/dev/null; then
-    addgroup --system ${pkg.name}
+if ! getent group ${pkg.user} >/dev/null; then
+    addgroup --system ${pkg.user}
 fi
 
-if ! getent passwd ${pkg.name} >/dev/null; then
+if ! getent passwd ${pkg.user} >/dev/null; then
     adduser --quiet \
             --system \
-            --ingroup ${pkg.name} \
+            --ingroup ${pkg.user} \
             --quiet \
             --disabled-login \
             --disabled-password \
             --home ${pkg.installFolder} \
             --no-create-home \
             -gecos "Thingsboard application" \
-            ${pkg.name}
+            ${pkg.user}
 fi

 #!/bin/sh
 
-chown -R ${pkg.name}: ${pkg.logFolder}
-chown -R ${pkg.name}: ${pkg.installFolder}
+chown -R ${pkg.user}: ${pkg.logFolder}
+chown -R ${pkg.user}: ${pkg.installFolder}
 
 if [ $1 -eq 1 ] ; then
         # Initial installation

@@ -3,7 +3,7 @@ Description=${pkg.name}
 After=syslog.target
 
 [Service]
-User=${pkg.name}
+User=${pkg.user}
 ExecStart=${pkg.installFolder}/bin/${pkg.name}.jar
 SuccessExitStatus=143