From 1beb5d018e35cb436ae5002cf6a4434fc6e63dd3 Mon Sep 17 00:00:00 2001
From: lenny
Date: Tue, 23 Mar 2021 17:07:35 -0700
Subject: [PATCH 1/2] refactor: Rework entry point scripts to run 'listenTcp' command as non-root closes #3221
Signed-off-by: lenny
---
 .../entrypoint-scripts/consul_wait_install.sh | 6 +++---
 .../entrypoint-scripts/postgres_wait_install.sh | 2 +-
 cmd/security-secretstore-setup/Dockerfile | 2 +-
 cmd/security-secretstore-setup/entrypoint.sh | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh b/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh
index 5fc58b5a01..d78d10f3f3 100755
--- a/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh
+++ b/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh
@@ -70,7 +70,7 @@ echo "$(date) ENABLE_REGISTRY_ACL = ${ENABLE_REGISTRY_ACL}"
 if [ "${ENABLE_REGISTRY_ACL}" == "true" ]; then
 echo "$(date) Starting edgex-core-consul with ACL enabled ..."
- docker-entrypoint.sh agent \
+ exec docker-entrypoint.sh agent \
 -ui \
 -bootstrap \
 -server \
@@ -96,7 +96,7 @@ if [ "${ENABLE_REGISTRY_ACL}" == "true" ]; then
 # no need to wait for Consul's port since it is in ready state after all ACL stuff
 else
 echo "$(date) Starting edgex-core-consul with ACL disabled ..."
- docker-entrypoint.sh agent \
+ exec docker-entrypoint.sh agent \
 -ui \
 -bootstrap \
 -server \
@@ -111,7 +111,7 @@ else
 fi
 # Signal that Consul is ready for services blocked waiting on Consul
-/edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
+exec su-exec consul /edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
 --port="${STAGEGATE_REGISTRY_READYPORT}" --host="${STAGEGATE_REGISTRY_HOST}"
 if [ $? -ne 0 ]; then
 echo "$(date) failed to gating the consul ready port, exits"
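Review bot: The `exec` on the added `exec su-exec consul /edgex-init/security-bootstrapper … listenTcp` line replaces the shell, so the `if [ $? -ne 0 ]; then` and `echo "$(date) failed to gating the consul ready port, exits"` lines that follow it can never run; either drop `exec` so the status check keeps working, or delete the now-dead check and let the bootstrapper's own exit status be the script's. The same pattern is introduced in postgres_wait_install.sh (`exec su-exec postgres …`) and in cmd/security-secretstore-setup/entrypoint.sh (`exec su-exec ${EDGEX_USER} …`). Dropping to the `consul` user also means the bootstrapper binary and `/edgex-init/res` must be readable by that user and `STAGEGATE_REGISTRY_READYPORT` must be a non-privileged port (above 1023), otherwise the bind fails and, with the check gone, nothing in this script reports it; the hunk does not show whether either is guaranteed. The `if` block continues outside the hunk.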
diff --git a/cmd/security-bootstrapper/entrypoint-scripts/postgres_wait_install.sh b/cmd/security-bootstrapper/entrypoint-scripts/postgres_wait_install.sh
index 3579d0ba4a..10925d9ec1 100755
--- a/cmd/security-bootstrapper/entrypoint-scripts/postgres_wait_install.sh
+++ b/cmd/security-bootstrapper/entrypoint-scripts/postgres_wait_install.sh
@@ -93,7 +93,7 @@ done
 echo "$(date) ${STAGEGATE_KONGDB_HOST} is initialized"
 # Signal that Postgres is ready for services blocked waiting on Postgres
-/edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
+exec su-exec postgres /edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
 --port="${STAGEGATE_KONGDB_READYPORT}" --host="${STAGEGATE_KONGDB_HOST}"
 if [ $? -ne 0 ]; then
 echo "$(date) failed to gating the postgres ready port, exits"
diff --git a/cmd/security-secretstore-setup/Dockerfile b/cmd/security-secretstore-setup/Dockerfile
index 806ed825b5..cee3f8c21f 100644
--- a/cmd/security-secretstore-setup/Dockerfile
+++ b/cmd/security-secretstore-setup/Dockerfile
@@ -36,7 +36,7 @@ RUN make cmd/security-file-token-provider/security-file-token-provider \
 FROM alpine:3.12
-RUN apk add --update --no-cache ca-certificates dumb-init curl
+RUN apk add --update --no-cache ca-certificates dumb-init curl su-exec
 LABEL license='SPDX-License-Identifier: Apache-2.0' \
 copyright='Copyright (c) 2019: Dell Technologies, Inc.'
diff --git a/cmd/security-secretstore-setup/entrypoint.sh b/cmd/security-secretstore-setup/entrypoint.sh
index d3ecf2b3a1..090902fbbe 100644
--- a/cmd/security-secretstore-setup/entrypoint.sh
+++ b/cmd/security-secretstore-setup/entrypoint.sh
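Review bot: `su-exec` is added to the apk line of this image only, while consul_wait_install.sh and postgres_wait_install.sh in the same series also start invoking `su-exec`; those scripts run in images not touched by this commit, so they depend on the base image already shipping the binary, which is worth confirming rather than assuming. If it is missing there, the scripts fail at the very line that was meant to drop privileges. A short comment on the added line naming why the package is needed, `# su-exec: entrypoint.sh drops to ${EDGEX_USER} before opening the tokens ready port`, would make the dependency visible to whoever next trims this package list.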
@@ -36,7 +36,7 @@ echo "$(date) Changing ownership of secrets to ${EDGEX_USER}:${EDGEX_GROUP}"
 chown -Rh ${EDGEX_USER}:${EDGEX_GROUP} /tmp/edgex/secrets
 # Signal tokens ready port for other services waiting on
-/edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
+exec su-exec ${EDGEX_USER} /edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \
 --port="${STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT}" --host="${STAGEGATE_SECRETSTORESETUP_HOST}"
 if [ $? -ne 0 ]; then
 echo "$(date) failed to gating the tokens ready port"
From aec761c3b459d68dc3d29fa74b986b105aeae991 Mon Sep 17 00:00:00 2001
From: lenny
Date: Wed, 24 Mar 2021 08:40:53 -0700
Subject: [PATCH 2/2] fix: Removed exec of consul entrypont scripts
Signed-off-by: lenny
---
 .../entrypoint-scripts/consul_wait_install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh b/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh
index d78d10f3f3..ed5dffa00a 100755
--- a/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh
+++ b/cmd/security-bootstrapper/entrypoint-scripts/consul_wait_install.sh
@@ -70,7 +70,7 @@ echo "$(date) ENABLE_REGISTRY_ACL = ${ENABLE_REGISTRY_ACL}"
 if [ "${ENABLE_REGISTRY_ACL}" == "true" ]; then
 echo "$(date) Starting edgex-core-consul with ACL enabled ..."
- exec docker-entrypoint.sh agent \
+ docker-entrypoint.sh agent \
 -ui \
 -bootstrap \
 -server \
@@ -96,7 +96,7 @@ if [ "${ENABLE_REGISTRY_ACL}" == "true" ]; then
 # no need to wait for Consul's port since it is in ready state after all ACL stuff
 else
 echo "$(date) Starting edgex-core-consul with ACL disabled ..."
- exec docker-entrypoint.sh agent \
+ docker-entrypoint.sh agent \
 -ui \
 -bootstrap \
 -server \
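Review bot: `${EDGEX_USER}` is passed unquoted and unguarded to `su-exec` on the added line; unless the script runs under `set -u` (not visible here), an unset or empty value makes the expansion vanish, so su-exec would take the bootstrapper path as its user argument and the tokens gate never opens, and the `chown -Rh ${EDGEX_USER}:${EDGEX_GROUP}` context line above has the same exposure. Quote it and fail early instead: `exec su-exec "${EDGEX_USER:?EDGEX_USER must be set}" /edgex-init/security-bootstrapper --confdir=/edgex-init/res listenTcp \`. As in the consul and postgres scripts of this series, `exec` also makes the following `if [ $? -ne 0 ]; then` check unreachable. The `if` block continues outside the hunk.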
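Review bot: The revert leaves no trace of why `exec` must not be used on the `docker-entrypoint.sh agent \` line, and PATCH 1/2 adding it only to have this patch remove it shows how easily the next refactor reintroduces it; a one-line comment above that line would pin the constraint: `# no 'exec' here: the script must keep running to finish ACL setup and open the ready-port gate below`. The same comment belongs on the `docker-entrypoint.sh agent \` line of the ACL-disabled branch in the second hunk. Whether the agent is backgrounded so that the script actually continues past this call is outside the hunk and could not be confirmed here.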