diff --git a/Dockerfile b/Dockerfile index be484d13..d839ad57 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,8 @@ ARG BASE_YUM_REPO=testing ARG BASE_OSG_SERIES=3.5 -FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache +#FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache +FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-bh AS xcache LABEL maintainer OSG Software # Previous arg has gone out of scope @@ -22,8 +23,8 @@ ENV XC_NUM_LOGROTATE 10 ENV XC_FIX_DIR_OWNERS yes # Create the xrootd user with a fixed GID/UID -RUN groupadd -o -g 10940 xrootd -RUN useradd -o -u 10940 -g 10940 -s /bin/sh xrootd +RUN groupadd -o -g 0 xrootd +RUN useradd -o -u 10940 -g 0 -s /bin/sh xrootd # Create an empty macaroon-secret now so RPM installs won't create one, adding it to a layer. RUN mkdir -p /etc/xrootd && touch /etc/xrootd/macaroon-secret @@ -40,9 +41,12 @@ RUN yum -y install /var/lib/xcache/*.rpm --enablerepo="osg-$BASE_YUM_REPO" || \ RUN yum install -y \ xcache \ + sudo \ gperftools-devel && \ yum clean all --enablerepo=* && rm -rf /var/cache/yum/ +RUN echo "xrootd ALL=(ALL) NOPASSWD: /bin/chown -R xrootd\:xrootd *" >> /etc/sudoers.d/10-chown + ADD xcache/cron.d/* /etc/cron.d/ RUN chmod 0644 /etc/cron.d/* ADD xcache/sbin/* /usr/local/sbin/ @@ -58,6 +62,16 @@ RUN rm -f /etc/xrootd/macaroon-secret # in the XRootD logs WORKDIR /var/spool/xrootd +# changes for OKD +RUN chgrp -R root /etc/xrootd && chmod -R g+w /etc/xrootd && \ + chgrp root /var/spool/xrootd && \ + chmod g+w /etc/environment /var/log /var/spool/xrootd /xcache && \ + chgrp root /etc/grid-security/xrd && chmod -R g+w /etc/grid-security/xrd /etc/grid-security/certificates && \ + chgrp -R root /run/xcache-auth /run/xrootd && chmod g+w /run/xcache-auth /run/xrootd && \ + chgrp -R root /var/log/xrootd && chmod g+w /var/log/xrootd && \ + chmod g+w /run && \ + chmod g+w /var/log/supervisor + ################ # atlas-xcache # ################ 
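Review bot: The new `FROM` hard-codes the `-el7-bh` tag and leaves the parameterised line commented out, so `BASE_YUM_REPO` no longer selects the base image and every stage now builds on a tag whose provenance the diff does not state. If that base is required for OKD, either expose it through the existing build argument or pin it by digest, e.g. `FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-bh@sha256:<digest-placeholder>`. Replace the commented-out `#FROM` with a one-line comment saying what the `bh` build contains and who publishes it.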
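Review bot: The comment above `groupadd` still says "fixed GID/UID", but the group is now a non-unique (`-o`) alias of GID 0, so every `chown xrootd:xrootd` elsewhere in the image hands group ownership to the root group. Nothing in the hunk says that is deliberate. Suggest rewording the comment to something like `# OKD runs the container under an arbitrary UID in group 0, so xrootd's primary group is an alias of GID 0; only the UID is fixed`.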
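Review bot: The sudoers rule added after the `yum install` ends in a bare `*`, which sudo matches against the rest of the command line, so it covers any path rather than just the cache directories; letting the service account take ownership of arbitrary files is equivalent to granting it root. `(ALL)` also permits any target user where only root is needed. Prefer setting ownership at build time or through the pod's `fsGroup` and leaving `sudo` out of the image. If a runtime chown is unavoidable, name the exact directory, e.g. `xrootd ALL=(root) NOPASSWD: /bin/chown -R xrootd\:xrootd /xcache`, create the file with mode 0440 and validate it with `visudo -cf`. Setuid helpers such as sudo are commonly disabled under restricted pod security settings, so it is worth confirming this path works on the target platform at all.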
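Review bot: The `chmod -R g+w` on `/etc/grid-security/certificates` and `/etc/xrootd` in the "changes for OKD" block makes the CA trust store and the server configuration writable by the runtime user through group 0, so a compromised xrootd process could change what the cache trusts for the life of the container. `chmod g+w /run /var/log /etc/environment` is also broader than the service-specific directories listed next to it. If the writes are only needed for generated config and CA/CRL refresh (not visible in this diff), consider a dedicated writable directory or an `emptyDir` volume and keep the rest read-only. At minimum, replace `# changes for OKD` with one comment per path naming the startup step that needs the write.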
@@ -80,6 +94,8 @@ COPY atlas-xcache/10-atlas-xcache-limits.conf /etc/security/limits.d COPY atlas-xcache/supervisord.d/10-atlas-xcache.conf /etc/supervisord.d/ COPY atlas-xcache/image-config.d/10-atlas-xcache.sh /etc/osg/image-init.d/ +USER xrootd + ############## # cms-xcache # ############## @@ -103,8 +119,12 @@ RUN chmod 0644 /etc/cron.d/* COPY cms-xcache/image-config.d/* /etc/osg/image-init.d/ COPY cms-xcache/xcache-consistency-check-wrapper.sh /usr/bin/xcache-consistency-check-wrapper.sh +RUN chgrp root /var/lib/xcache-consistency-check && chmod g+w /var/lib/xcache-consistency-check + EXPOSE 1094 +USER xrootd + ############### # stash-cache # ############### @@ -116,7 +136,7 @@ ARG BASE_YUM_REPO=testing ENV XC_IMAGE_NAME stash-cache -RUN yum install -y stash-cache && \ +RUN yum install -y stash-cache hostname && \ yum clean all --enablerepo=* && rm -rf /var/cache/ COPY stash-cache/cron.d/* /etc/cron.d/ @@ -130,13 +150,14 @@ COPY stash-cache/Authfile /run/stash-cache/Authfile # Same for scitokens.conf COPY stash-cache/scitokens.conf /run/stash-cache-auth/scitokens.conf +RUN touch /etc/xrootd-environment && chown xrootd:xrootd /etc/xrootd-environment +USER xrootd EXPOSE 8000 ################ # stash-origin # ################ - FROM xcache AS stash-origin LABEL maintainer OSG Software @@ -161,17 +182,19 @@ COPY stash-origin/xrootd/* /etc/xrootd/config.d/ # Add a placeholder scitokens.conf file, in case this origin isn't registered # and can't pull down a new one COPY stash-origin/scitokens.conf /run/stash-origin-auth/scitokens.conf +USER xrootd ###################### # atlas-xcache-debug # ###################### FROM atlas-xcache AS atlas-xcache-debug + # Install debugging tools RUN yum -y install -y --enablerepo="$BASE_YUM_REPO" \ gdb \ strace - +USER xrootd #################### # cms-xcache-debug # #################### 
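Review bot: `/etc/xrootd-environment` is created in the stash-cache stage only and, assuming the default umask, is writable by its owner alone. `40-generate-auth-file.sh` rewrites this file at startup, so under OKD's arbitrary UID (a member of group 0 but not UID 10940) the write would be denied. In `stash-origin`, which is built `FROM xcache`, the file does not exist and `/etc` is not among the paths made group-writable. Suggest moving the line to the shared `xcache` stage as `RUN touch /etc/xrootd-environment && chown xrootd:xrootd /etc/xrootd-environment && chmod 0664 /etc/xrootd-environment`.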
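Review bot: `atlas-xcache-debug` now inherits `USER xrootd` from `atlas-xcache`, so its `RUN yum -y install … gdb strace` executes as the unprivileged user and will most likely fail; the `USER xrootd` added after the install does not help. Add `USER root` directly after `FROM atlas-xcache AS atlas-xcache-debug` and keep the trailing `USER xrootd`. The same applies to the `cms-xcache-debug`, `stash-cache-debug` and `stash-origin-debug` hunks that follow.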
@@ -181,7 +204,7 @@ FROM cms-xcache AS cms-xcache-debug RUN yum -y install -y --enablerepo="$BASE_YUM_REPO" \ gdb \ strace - +USER xrootd ##################### # stash-cache-debug # ##################### @@ -191,6 +214,7 @@ FROM stash-cache AS stash-cache-debug RUN yum -y install -y --enablerepo="$BASE_YUM_REPO" \ gdb \ strace +USER xrootd ##################### # stash-cache-debug # @@ -201,3 +225,4 @@ FROM stash-origin AS stash-origin-debug RUN yum -y install -y --enablerepo="$BASE_YUM_REPO" \ gdb \ strace +USER xrootd diff --git a/atlas-xcache/image-config.d/10-atlas-xcache.sh b/atlas-xcache/image-config.d/10-atlas-xcache.sh index 72b29703..094b8698 100755 --- a/atlas-xcache/image-config.d/10-atlas-xcache.sh +++ b/atlas-xcache/image-config.d/10-atlas-xcache.sh @@ -2,5 +2,5 @@ /usr/local/sbin/fix_certs.sh -su xrootd /usr/libexec/xcache/renew-proxy --voms atlas +/usr/libexec/xcache/renew-proxy --voms atlas diff --git a/atlas-xcache/supervisord.d/10-atlas-xcache.conf b/atlas-xcache/supervisord.d/10-atlas-xcache.conf index 6f9d543a..60929ba5 100644 --- a/atlas-xcache/supervisord.d/10-atlas-xcache.conf +++ b/atlas-xcache/supervisord.d/10-atlas-xcache.conf @@ -1,5 +1,4 @@ [program:atlas-xcache] command=xrootd -c /etc/xrootd/xrootd-atlas-xcache.cfg -k fifo -n atlas-xcache -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-atlas-xcache.pid -l /var/log/xrootd/xrootd.log -user=xrootd autorestart=true environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10 diff --git a/cms-xcache/image-config.d/20-cms-generate-proxy.sh b/cms-xcache/image-config.d/20-cms-generate-proxy.sh index cfff3cec..f1d6232c 100755 --- a/cms-xcache/image-config.d/20-cms-generate-proxy.sh +++ b/cms-xcache/image-config.d/20-cms-generate-proxy.sh @@ -1,3 +1,3 @@ #!/bin/bash /usr/local/sbin/fix_certs.sh -su xrootd -c '/usr/libexec/xcache/renew-proxy --voms cms' +/usr/libexec/xcache/renew-proxy --voms cms 
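Review bot: Removing `user=xrootd` from `[program:atlas-xcache]` means supervisord no longer drops privileges itself, so the daemon runs as whatever user the container was started with. That is fine with the image's `USER xrootd`, but if the image is started with a root override the service now runs as root where it previously did not. Add a comment in the file such as `; runs as the container user - the image must not be started as UID 0`, and have the deployment enforce it (for example `runAsNonRoot: true`). The same applies to the cms-xcache, stash-cache and stash-origin supervisord hunks.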
diff --git a/cms-xcache/supervisord.d/10-cms-xcache.conf b/cms-xcache/supervisord.d/10-cms-xcache.conf index eefc783c..6abfcc30 100644 --- a/cms-xcache/supervisord.d/10-cms-xcache.conf +++ b/cms-xcache/supervisord.d/10-cms-xcache.conf @@ -1,6 +1,5 @@ [program:cms-xcache] command=xrootd -c /etc/xrootd/xrootd-cms-xcache.cfg -k fifo -n cms-xcache -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-cms-xcache.pid -l /var/log/xrootd/xrootd.log -user=xrootd autorestart=true environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10 diff --git a/stash-cache/image-config.d/20-generate-proxy.sh b/stash-cache/image-config.d/20-generate-proxy.sh index 0194f154..1eddda8f 100755 --- a/stash-cache/image-config.d/20-generate-proxy.sh +++ b/stash-cache/image-config.d/20-generate-proxy.sh @@ -2,4 +2,4 @@ # Generate the proxy /usr/local/sbin/fix_certs.sh -su xrootd /usr/libexec/xcache/renew-proxy +/usr/libexec/xcache/renew-proxy diff --git a/stash-cache/image-config.d/40-generate-auth-file.sh b/stash-cache/image-config.d/40-generate-auth-file.sh index 80d5f611..3c7a6dc6 100755 --- a/stash-cache/image-config.d/40-generate-auth-file.sh +++ b/stash-cache/image-config.d/40-generate-auth-file.sh @@ -3,10 +3,6 @@ # Generate the Auth File /usr/libexec/xcache/authfile-update --cache shopt -s nullglob -for f in /run/stash-cache/* /run/stash-cache-auth/*; do - chown xrootd:xrootd "$f" -done -shopt -u nullglob # ddavila 20211020: Save the env vars CACHE_FQDN to be used # later by 'xrootd' on the 'authfile-update' script. @@ -16,4 +12,3 @@ if [[ -n ${CACHE_FQDN} ]]; then echo "export CACHE_FQDN=${CACHE_FQDN}" >> /etc/xrootd-environment fi -chown xrootd:xrootd /etc/xrootd-environment diff --git a/stash-cache/supervisord.d/10-stash-cache.conf b/stash-cache/supervisord.d/10-stash-cache.conf index b7b2d5e1..cee135a5 100644 --- a/stash-cache/supervisord.d/10-stash-cache.conf +++ b/stash-cache/supervisord.d/10-stash-cache.conf 
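Review bot: In `stash-cache/image-config.d/40-generate-auth-file.sh` the chown loop and `shopt -u nullglob` are removed but the `shopt -s nullglob` that served them stays, so nullglob remains enabled for the rest of the script with nothing using it; drop that line too. The same leftover is in `stash-origin/image-config.d/40-generate-auth-file.sh`. Separately, `authfile-update` now runs as the container user, and `/run/stash-cache` and `/run/stash-cache-auth` are not among the directories the Dockerfile makes group-writable. If the tool writes its output there, as the removed loop suggests, those paths need the same treatment.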
@@ -1,16 +1,13 @@ [program:stash-cache-authfile-update] command=/usr/libexec/xcache/authfile-update --cache -user=xrootd priority=998 [program:stash-cache] command=xrootd -c /etc/xrootd/xrootd-stash-cache.cfg -k fifo -n stash-cache -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-stash-cache.pid -l /var/log/xrootd/xrootd.log -user=xrootd autorestart=true environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10 [program:stash-cache-auth] command=xrootd -c /etc/xrootd/xrootd-stash-cache-auth.cfg -k fifo -n stash-cache-auth -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-stash-cache-auth.pid -l /var/log/xrootd/xrootd.log -user=xrootd autorestart=true environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10 diff --git a/stash-origin/image-config.d/40-generate-auth-file.sh b/stash-origin/image-config.d/40-generate-auth-file.sh index 7b3e20eb..e36e6ed4 100755 --- a/stash-origin/image-config.d/40-generate-auth-file.sh +++ b/stash-origin/image-config.d/40-generate-auth-file.sh @@ -3,10 +3,6 @@ # Generate the Auth File /usr/libexec/xcache/authfile-update --origin shopt -s nullglob -for f in /run/stash-origin/* /run/stash-origin-auth/*; do - chown xrootd:xrootd "$f" -done -shopt -u nullglob # ddavila 20220225: Save the env var ORIGIN_FQDN to be used # later by 'xrootd' on the 'authfile-update' script. @@ -15,4 +11,3 @@ echo "# This file was generated on startup" > /etc/xrootd-environment if [[ -n ${ORIGIN_FQDN} ]]; then echo "export ORIGIN_FQDN=${ORIGIN_FQDN}" >> /etc/xrootd-environment fi -chown xrootd:xrootd /etc/xrootd-environment diff --git a/stash-origin/supervisord.d/stash-origin-cmsd.conf b/stash-origin/supervisord.d/stash-origin-cmsd.conf index 6402a34a..2bce5d2a 100644 --- a/stash-origin/supervisord.d/stash-origin-cmsd.conf +++ b/stash-origin/supervisord.d/stash-origin-cmsd.conf 
@@ -1,6 +1,5 @@ [program:stash-origin-cmsd] command=/usr/bin/cmsd -l /var/log/xrootd/cmsd.log -c /etc/xrootd/xrootd-stash-origin.cfg -k fifo -s /var/run/xrootd/cmsd-stash-origin.pid -n stash-origin -user=xrootd directory=/var/spool/xrootd autorestart=true environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10 diff --git a/stash-origin/supervisord.d/stash-origin.conf b/stash-origin/supervisord.d/stash-origin.conf index 2e4bb1ec..581649ed 100644 --- a/stash-origin/supervisord.d/stash-origin.conf +++ b/stash-origin/supervisord.d/stash-origin.conf @@ -1,6 +1,5 @@ [program:stash-origin] command=xrootd -c /etc/xrootd/xrootd-stash-origin.cfg -k fifo -n stash-origin -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-origin-origin.pid -l /var/log/xrootd/xrootd.log -user=xrootd directory=/var/spool/xrootd autorestart=true environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10 diff --git a/xcache/sbin/fix_certs.sh b/xcache/sbin/fix_certs.sh index 06ffd44e..ee4139e7 100755 --- a/xcache/sbin/fix_certs.sh +++ b/xcache/sbin/fix_certs.sh @@ -8,7 +8,6 @@ tmpkey=`mktemp` chmod 644 $tmpcert chmod 600 $tmpkey -chown xrootd:xrootd $tmpcert $tmpkey cp $grid_security/hostcert.pem $tmpcert cp $grid_security/hostkey.pem $tmpkey
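Review bot: In `xcache/sbin/fix_certs.sh`, `cp $grid_security/hostkey.pem $tmpkey` now runs unprivileged, so the mounted host key must be readable by the container UID or by group 0. Nothing in this diff documents that requirement; a comment above the `cp` stating the expected secret mode or `fsGroup` would prevent a silent startup failure and discourage loosening the key's permissions further than needed. While touching these lines, quote the expansions, e.g. `cp "$grid_security/hostkey.pem" "$tmpkey"`. The script continues beyond the hunk, so how the temp files are used afterwards is not visible here.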