

feat(security): secure containers run as non-root (#3003)
closes #2983 

Modified the entrypoint script of security-secretstore-setup to set
the appropriate ownership of the /tmp/edgex/secrets directory that's
mounted to retrieve secrets in various services used throughout.

Removed a security concern from the entrypoint script of
security-secretstore-setup: it allowed root-level CLI execution to
anyone who could add parameters via CMD in the Dockerfile.

Signed-off-by: Beau Frusetta <beau.frusetta@intel.com>
beaufrusetta authored Jan 9, 2021
1 parent 6aacc02 commit 310fcf0
Showing 6 changed files with 16 additions and 16 deletions.
1 change: 1 addition & 0 deletions cmd/core-command/Dockerfile
Expand Up @@ -49,5 +49,6 @@ WORKDIR /
COPY --from=builder /edgex-go/cmd/core-command/Attribution.txt /
COPY --from=builder /edgex-go/cmd/core-command/core-command /
COPY --from=builder /edgex-go/cmd/core-command/res/configuration.toml /res/configuration.toml

ENTRYPOINT ["/core-command"]
CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]
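Review bot: The commit title says these service containers now run as non-root, but none of the six lines shown for this hunk is a `USER` instruction, while the section header reports one addition and no deletion. If the added line is the blank one before `ENTRYPOINT ["/core-command"]`, the switch to a non-root identity is not happening in this file; if instead the rendering dropped the added line, the hunk as displayed cannot confirm it. The same applies to the cmd/core-metadata, cmd/support-notifications and cmd/support-scheduler Dockerfile sections, each of which shows one addition and no `USER` line. Lines of the Dockerfile above the hunk header are outside the visible hunk.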
1 change: 1 addition & 0 deletions cmd/core-metadata/Dockerfile
Expand Up @@ -49,5 +49,6 @@ WORKDIR /
COPY --from=builder /edgex-go/cmd/core-metadata/Attribution.txt /
COPY --from=builder /edgex-go/cmd/core-metadata/core-metadata /
COPY --from=builder /edgex-go/cmd/core-metadata/res/configuration.toml /res/configuration.toml

ENTRYPOINT ["/core-metadata"]
CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]
6 changes: 4 additions & 2 deletions cmd/security-secretstore-setup/Dockerfile
Expand Up @@ -50,9 +50,11 @@ COPY --from=builder /edgex-go/cmd/security-secretstore-setup/res/configuration.t
COPY --from=builder /edgex-go/cmd/security-file-token-provider/security-file-token-provider .
COPY --from=builder /edgex-go/cmd/security-secretstore-setup/security-secretstore-setup .

# setup the entry point script
# Setup the entry point script, create token dir, and assign perms
COPY --from=builder /edgex-go/cmd/security-secretstore-setup/entrypoint.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/entrypoint.sh \
&& ln -s /usr/local/bin/entrypoint.sh /
&& ln -s /usr/local/bin/entrypoint.sh / \
&& mkdir -p /vault/config/assets \
&& chown -Rh 100:1000 /vault/

ENTRYPOINT ["entrypoint.sh"]
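Review bot: `chown -Rh 100:1000 /vault/` in the new RUN chain hard-codes a numeric uid:gid and nothing in the Dockerfile says which identity that is; the only explanation of it (`grant permissions of folders for vault:vault`) sits in the entrypoint.sh lines this commit deletes, so the mapping is lost from the repository. Suggest a comment above the RUN such as `# 100:1000 is the vault:vault uid:gid expected by the Vault image that shares /vault; keep in sync with that image`. Whether 100:1000 actually matches the Vault image cannot be confirmed from this hunk, so the comment should be checked against that image before it is added. The `/vault/config/assets` directory is now created at build time; the runtime `mkdir -p` that used to cover a fresh volume mount is removed in the entrypoint.sh section, which is worth a note there if the volume can be empty at start.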
22 changes: 8 additions & 14 deletions cmd/security-secretstore-setup/entrypoint.sh
Expand Up @@ -24,27 +24,21 @@ if [ -n "${SECRETSTORE_SETUP_DONE_FLAG}" ] && [ -f "${SECRETSTORE_SETUP_DONE_FLA
rm -f "${SECRETSTORE_SETUP_DONE_FLAG}"
fi

echo "creating /vault/config/assets"
echo "Starting vault-worker..."

# create token directory and
# grant permissions of folders for vault:vault
mkdir -p /vault/config/assets
chown -Rh 100:1000 /vault/

echo "starting vault-worker..."

echo "Initializing secret store"
echo "Initializing secret store..."
/security-secretstore-setup --vaultInterval=10

echo "Executing custom command: $@"
"$@"

# write a sentinel file when we're done because consul is not
# secure and we don't trust it it access to the EdgeX secret store
if [ -n "${SECRETSTORE_SETUP_DONE_FLAG}" ]; then

echo "Changing ownership of secrets to edgex_user:edgex_group"
chown -R ${EDGEX_USER}:${EDGEX_GROUP} /tmp/edgex/secrets

echo "Signaling secretstore-setup completion"
mkdir -p $(dirname "${SECRETSTORE_SETUP_DONE_FLAG}")
touch "${SECRETSTORE_SETUP_DONE_FLAG}"
mkdir -p $(dirname "${SECRETSTORE_SETUP_DONE_FLAG}") && \
touch "${SECRETSTORE_SETUP_DONE_FLAG}"
fi

echo "Waiting for termination signal"
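Review bot: The new `chown -R ${EDGEX_USER}:${EDGEX_GROUP} /tmp/edgex/secrets` runs only inside `if [ -n "${SECRETSTORE_SETUP_DONE_FLAG}" ]`, so when the flag is unset the secrets directory keeps its root ownership and the non-root services the description mentions cannot read it; unless the handoff is meant to be tied to the sentinel, it belongs outside that block. The two expansions are unquoted and unchecked: with either variable empty the command degrades to `chown -R : /tmp/edgex/secrets`, which on GNU chown changes nothing, and since the exit status is not tested the script still writes the sentinel as if setup had succeeded. The comment `write a sentinel file when we're done ...` now introduces the ownership change rather than the sentinel, so it should move down to the `Signaling` line. The script continues above and below this hunk, so the shebang and any earlier `set` options are not visible.

```sh
# … unchanged: /security-secretstore-setup --vaultInterval=10 …

# Hand the retrieved secrets to the non-root service identity. Both
# variables must be set; an empty one would turn the chown into a no-op.
: "${EDGEX_USER:?EDGEX_USER must be set}" "${EDGEX_GROUP:?EDGEX_GROUP must be set}"
echo "Changing ownership of secrets to ${EDGEX_USER}:${EDGEX_GROUP}"
chown -R "${EDGEX_USER}:${EDGEX_GROUP}" /tmp/edgex/secrets || exit 1

if [ -n "${SECRETSTORE_SETUP_DONE_FLAG}" ]; then
  # write a sentinel file when we're done because consul is not
  # secure and we don't trust it it access to the EdgeX secret store
  echo "Signaling secretstore-setup completion"
  # … unchanged: mkdir -p && touch sentinel …
fi
```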
1 change: 1 addition & 0 deletions cmd/support-notifications/Dockerfile
Expand Up @@ -49,5 +49,6 @@ COPY --from=builder /etc/ssl /etc/ssl
COPY --from=builder /edgex-go/cmd/support-notifications/Attribution.txt /
COPY --from=builder /edgex-go/cmd/support-notifications/support-notifications /
COPY --from=builder /edgex-go/cmd/support-notifications/res/configuration.toml /res/configuration.toml

ENTRYPOINT ["/support-notifications"]
CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]
1 change: 1 addition & 0 deletions cmd/support-scheduler/Dockerfile
Expand Up @@ -47,5 +47,6 @@ EXPOSE $APP_PORT
COPY --from=builder /edgex-go/cmd/support-scheduler/Attribution.txt /
COPY --from=builder /edgex-go/cmd/support-scheduler/support-scheduler /
COPY --from=builder /edgex-go/cmd/support-scheduler/res/configuration.toml /res/configuration.toml

ENTRYPOINT ["/support-scheduler"]
CMD ["-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"]

