Description
Maven Plugin version: bw6-maven-plugin 2.9.5
Maven version: 3.9.5
Product : TIBCO Businessworks Container edition
Product version: BWCE 2.8.3
Component: Either of Maven Eclipse Plugin or Maven build plugin
Steps to reproduce the issue:
- Build a base image that switches to the `bwce` user so the container runs as non-root:

```dockerfile
FROM eclipse-temurin:11-jre-alpine
LABEL maintainer="TIBCO Software Inc."
ADD . /
RUN chmod 755 /scripts/*.sh && apk update && apk add unzip openssh net-tools
RUN apk add --no-cache bash
# Create a non-root group and user
RUN addgroup -S bwcegroup && adduser -S bwce -G bwcegroup
RUN unzip -qq /resources/bwce-runtime/bwce*.zip -d /tmp && rm -rf /resources/bwce-runtime/bwce*.zip 2> /dev/null
# Make the necessary directories writable by the 'bwce' user
RUN chown -R bwce:bwcegroup /tmp /resources
USER bwce
ENTRYPOINT ["/scripts/start.sh"]
```
- Use this base image in the docker-dev.properties file and run the Maven build:

```shell
mvn -X -f bwcetestproject.parent/pom.xml clean package initialize docker:build
```

As part of this build, it creates an ear file bwcetestproject-1.0.0-SNAPSHOT.ear and copies it to the / directory of the image.
- When the application container is created, I could see that the ear file is owned by the root user:
```
/ $ ls -lrt
total 116
drwxr-xr-x 1 root root 4096 Nov 30 09:32 var
drwxr-xr-x 2 root root 4096 Nov 30 09:32 srv
drwxr-xr-x 2 root root 4096 Nov 30 09:32 run
drwx------ 2 root root 4096 Nov 30 09:32 root
drwxr-xr-x 2 root root 4096 Nov 30 09:32 mnt
drwxr-xr-x 5 root root 4096 Nov 30 09:32 media
drwxr-xr-x 1 root root 4096 Nov 30 09:32 lib
drwxr-xr-x 1 root root 4096 Dec 1 07:11 usr
-rwxrwxr-x 1 root root 1182 Dec 1 07:12 __cacert_entrypoint.sh
drwxr-xr-x 1 root root 4096 Dec 1 07:12 opt
-rw-r--r-- 1 root root 491 Dec 5 22:49 gl-secret-detection-report.json
-rw-r--r-- 1 root root 408 Dec 5 22:49 heb-checkov-sast-report.json
drwxrwxrwx 2 root root 4096 Dec 5 22:50 reducedStartupTime
-rwxrwxrwx 1 root root 1509 Dec 5 22:50 README.txt
-rwxrwxrwx 1 root root 542 Dec 5 22:50 Dockerfile
drwxrwxrwx 1 bwce bwcegrou 4096 Dec 5 22:50 resources
drwxrwxrwx 1 root root 4096 Dec 5 22:50 scripts
-rw-r--r-- 1 root root 5598 Dec 5 22:50 gl-dependency-scanning-report.json
drwxr-xr-x 1 root root 4096 Dec 5 22:51 sbin
drwxr-xr-x 1 root root 4096 Dec 5 22:51 bin
drwxr-xr-x 1 root root 4096 Dec 5 22:51 home
-rw-r--r-- 1 root root 10941 Dec 19 17:53 bwcetestproject-1.0.0-SNAPSHOT.ear
dr-xr-xr-x 12 root root 0 Dec 19 20:33 sys
dr-xr-xr-x 247 root root 0 Dec 19 20:33 proc
drwxr-xr-x 1 root root 4096 Dec 19 20:33 etc
drwxr-xr-x 5 root root 340 Dec 19 20:33 dev
drwxrwxrwt 1 bwce bwcegrou 4096 Dec 19 20:33 tmp
```
- Because of that, the ear file is not accessible and the container cannot be created on the Kubernetes platform. I am able to start the container successfully in local Docker (maybe there are fewer security restrictions) but not in the Kubernetes environment:
```
INFO Variables received : null, null, null, /tmp
/opt/java/openjdk
Adding Plug-in Jars
Adding additional libs
libsunec.so File found...
'/resources/addons/lib/libsunec.so' -> '/tmp/tibco.home/tibcojre64/11/lib/amd64'
Importing cacerts into java truststore
./scripts/setup.sh: line 304: /tmp/tibco.home/tibcojre64/11/bin/keytool: cannot execute: required file not found
Importing cacerts into java truststore
./scripts/setup.sh: line 304: /tmp/tibco.home/tibcojre64/11/bin/keytool: cannot execute: required file not found
error: cannot open zipfile [ /tmp/tibco.home/bwce/2.8/bin/bwapp.ear ]
Permission denied
unzip: cannot find or open /tmp/tibco.home/bwce/2.8/bin/bwapp.ear, /tmp/tibco.home/bwce/2.8/bin/bwapp.ear.zip or /tmp/tibco.home/bwce/2.8/bin/bwapp.ear.ZIP.
Using Custom Logback file
The loglevel is set to WARN level
./scripts/setup.sh: line 157: /tmp/META-INF/MANIFEST.MF: No such file or directory
Appended ADDONS_HOME/lib in bwappnode.tra file
Appended ADDONS_HOME/lib in bwappnode file
Appended -Xmx686M -Xms128M -Xss512K -Djdk.tls.allowUnsafeServerCertChange=true -Dsun.security.ssl.allowUnsafeRenegotiation=true --add-opens java.management/sun.management=ALL-UNNAMED --add-opens java.management/sun.management=ALL-UNNAMED to java.extend.properties
BW_PROFILE is set to 'DEPLOY.substvar'
cp: can't stat '/tmp/META-INF/DEPLOY.substvar': No such file or directory
java.io.FileNotFoundException: /tmp/tmp/pcf.substvar (No such file or directory)
        at java.base/java.io.FileInputStream.open0(Native Method)
        at java.base/java.io.FileInputStream.open(Unknown Source)
        at java.base/java.io.FileInputStream.<init>(Unknown Source)
        at java.base/java.io.FileReader.<init>(Unknown Source)
        at com.tibco.bwce.profile.resolver.ProfileResolverHelper.getKeysForConfig(ProfileResolverHelper.java:46)
        at com.tibco.bwce.profile.resolver.DockerProfileTokenResolver.resolveTokens(DockerProfileTokenResolver.java:223)
        at com.tibco.bwce.profile.resolver.DockerProfileTokenResolver.resolve(DockerProfileTokenResolver.java:37)
        at com.tibco.bwce.profile.resolver.Resolver.main(Resolver.java:24)
```
Additional environment details if any:
Trying to create the container in a Kubernetes 1.8 environment.
Describe the results you received:
Container startup logs are provided in step 4 above.
Describe the results you expected:
I should be able to run the BWCE container as a non-root user using the above base image and Maven build process.
If I comment out the instruction "USER bwce" in my base image, the entire process works fine without any issue.
Additional information you deem important (e.g. issue happens only occasionally):
Based on the directory listing at '/tmp/tibco.home/bwce/2.8/bin', it appears that the symbolic link bwapp.ear inside /tmp/tibco.home/bwce/2.8/bin points to /bwcetestproject-1.0.0-SNAPSHOT.ear. However, the file /bwcetestproject-1.0.0-SNAPSHOT.ear is owned by root:root with read permissions only for the owner.
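The report above boils down to a mismatch between the image's runtime user (`USER bwce`) and files the build step drops into the image as root. A quick way to catch that before the container reaches Kubernetes is to audit an `ls -l` listing of the image root against the runtime user. The script below is an added example, not part of this issue or of the bw6-maven-plugin project: it reads `ls -l` output on stdin, picks the owner/group/other permission triplet that applies to the given user and group, and prints every entry lacking the requested access (`r` or `w`). The sample listing is constructed from the entries shown in the issue; the function and variable names are my own. It also allows for busybox `ls` truncating group names to 8 characters, which is why the listing shows `bwcegrou` for `bwcegroup`.

```shell
#!/bin/sh
# Added example (not from the issue or the bw6-maven-plugin project).
# audit_listing USER GROUP ACCESS < listing
#   USER/GROUP : the user the container runs as and its primary group
#   ACCESS     : "r" or "w", the permission the runtime user needs
# Prints "<perms> <owner>:<group> <name>" for each entry without that access.
audit_listing() {
    awk -v u="$1" -v g="$2" -v want="$3" '
        NF < 9 { next }                        # skip "total N" and blank lines
        {
            perms = $1; owner = $3; grp = $4; name = $9
            # busybox ls truncates names to 8 chars ("bwcegrou" for "bwcegroup")
            grp_matches = (grp == g) || (length(grp) == 8 && substr(g, 1, 8) == grp)
            if (owner == u)        bits = substr(perms, 2, 3)   # owner triplet
            else if (grp_matches)  bits = substr(perms, 5, 3)   # group triplet
            else                   bits = substr(perms, 8, 3)   # other triplet
            if (index(bits, want) == 0)
                printf "%s %s:%s %s\n", perms, owner, grp, name
        }'
}

# Constructed sample: a subset of the `ls -lrt` output from the issue.
SAMPLE_LISTING=$(cat <<'EOF'
total 116
drwxr-xr-x 1 root root 4096 Nov 30 09:32 var
drwxr-xr-x 1 root root 4096 Dec 1 07:12 opt
drwxrwxrwx 2 root root 4096 Dec 5 22:50 reducedStartupTime
drwxrwxrwx 1 bwce bwcegrou 4096 Dec 5 22:50 resources
drwxrwxrwx 1 root root 4096 Dec 5 22:50 scripts
-rw-r--r-- 1 root root 10941 Dec 19 17:53 bwcetestproject-1.0.0-SNAPSHOT.ear
drwxrwxrwt 1 bwce bwcegrou 4096 Dec 19 20:33 tmp
drwx------ 2 root root 4096 Nov 30 09:32 root
EOF
)

# count_flagged USER GROUP ACCESS: number of sample entries lacking ACCESS
count_flagged() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing "$@" | wc -l | tr -d ' '
}

# Stand-alone run: show what the bwce user cannot write to at the image root.
echo "Entries not writable by bwce:bwcegroup:"
printf '%s\n' "$SAMPLE_LISTING" | audit_listing bwce bwcegroup w
```

Against a running image you would feed it real output, e.g. `docker run --rm <image> ls -l / | sh audit.sh`-style piping into `audit_listing`; in the sample above the root-owned `bwcetestproject-1.0.0-SNAPSHOT.ear` shows up under `w` (no write bit for "other"), while `resources` and `tmp`, which the Dockerfile chowns to `bwce`, do not.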