Run xcache as user instead of root

Dockerfile

@@ -6,7 +6,8 @@
 ARG BASE_YUM_REPO=testing
 ARG BASE_OSG_SERIES=3.5
 
-FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache
+#FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-$BASE_YUM_REPO AS xcache
+FROM opensciencegrid/software-base:$BASE_OSG_SERIES-el7-bh AS xcache
 LABEL maintainer OSG Software <help@opensciencegrid.org>
 
 # Previous arg has gone out of scope
@@ -22,8 +23,8 @@ ENV XC_NUM_LOGROTATE 10
 ENV XC_FIX_DIR_OWNERS yes
 
 # Create the xrootd user with a fixed GID/UID
-RUN groupadd -o -g 10940 xrootd
-RUN useradd -o -u 10940 -g 10940 -s /bin/sh xrootd
+RUN groupadd -o -g 0 xrootd
+RUN useradd -o -u 10940 -g 0 -s /bin/sh xrootd
 
 # Create an empty macaroon-secret now so RPM installs won't create one, adding it to a layer.
 RUN mkdir -p /etc/xrootd && touch /etc/xrootd/macaroon-secret
@@ -40,9 +41,12 @@ RUN yum -y install /var/lib/xcache/*.rpm --enablerepo="osg-$BASE_YUM_REPO" || \
 
 RUN yum install -y \
         xcache \
+	sudo \
         gperftools-devel && \
     yum clean all --enablerepo=* && rm -rf /var/cache/yum/
 
+RUN echo "xrootd ALL=(ALL) NOPASSWD: /bin/chown -R xrootd\:xrootd *" >> /etc/sudoers.d/10-chown
+
 ADD xcache/cron.d/* /etc/cron.d/
 RUN chmod 0644 /etc/cron.d/*
 ADD xcache/sbin/* /usr/local/sbin/
@@ -58,6 +62,16 @@ RUN rm -f /etc/xrootd/macaroon-secret
 # in the XRootD logs
 WORKDIR /var/spool/xrootd
 
+# changes for OKD
+RUN chgrp -R root /etc/xrootd && chmod -R g+w /etc/xrootd && \
+    chgrp root /var/spool/xrootd  && \
+    chmod g+w /etc/environment /var/log /var/spool/xrootd /xcache && \
+    chgrp root /etc/grid-security/xrd && chmod -R g+w /etc/grid-security/xrd /etc/grid-security/certificates && \
+    chgrp -R root /run/xcache-auth /run/xrootd && chmod g+w /run/xcache-auth /run/xrootd && \
+    chgrp -R root /var/log/xrootd && chmod g+w /var/log/xrootd && \
+    chmod g+w /run && \
+    chmod g+w /var/log/supervisor
+
 ################
 # atlas-xcache #
 ################
@@ -80,6 +94,8 @@ COPY atlas-xcache/10-atlas-xcache-limits.conf /etc/security/limits.d
 COPY atlas-xcache/supervisord.d/10-atlas-xcache.conf /etc/supervisord.d/
 COPY atlas-xcache/image-config.d/10-atlas-xcache.sh /etc/osg/image-init.d/
 
+USER xrootd
+
 ##############
 # cms-xcache #
 ##############
@@ -103,8 +119,12 @@ RUN chmod 0644 /etc/cron.d/*
 COPY cms-xcache/image-config.d/* /etc/osg/image-init.d/
 COPY cms-xcache/xcache-consistency-check-wrapper.sh /usr/bin/xcache-consistency-check-wrapper.sh
 
+RUN chgrp root /var/lib/xcache-consistency-check && chmod g+w /var/lib/xcache-consistency-check
+
 EXPOSE 1094
 
+USER xrootd
+
 ###############
 # stash-cache #
 ###############
@@ -116,7 +136,7 @@ ARG BASE_YUM_REPO=testing
 
 ENV XC_IMAGE_NAME stash-cache
 
-RUN yum install -y stash-cache && \
+RUN yum install -y stash-cache hostname && \
     yum clean all --enablerepo=* && rm -rf /var/cache/
 
 COPY stash-cache/cron.d/* /etc/cron.d/
@@ -130,13 +150,14 @@ COPY stash-cache/Authfile /run/stash-cache/Authfile
 # Same for scitokens.conf
 COPY stash-cache/scitokens.conf /run/stash-cache-auth/scitokens.conf
 
+RUN touch /etc/xrootd-environment && chown xrootd:xrootd /etc/xrootd-environment
+USER xrootd
 EXPOSE 8000
 
 ################
 # stash-origin #
 ################
 
-
 FROM xcache AS stash-origin
 LABEL maintainer OSG Software <help@opensciencegrid.org>
 
@@ -161,17 +182,19 @@ COPY stash-origin/xrootd/* /etc/xrootd/config.d/
 # Add a placeholder scitokens.conf file, in case this origin isn't registered
 # and can't pull down a new one
 COPY stash-origin/scitokens.conf /run/stash-origin-auth/scitokens.conf
+USER xrootd
 
 ######################
 # atlas-xcache-debug #
 ######################
 
 FROM atlas-xcache AS atlas-xcache-debug
+
 # Install debugging tools
 RUN yum -y install -y --enablerepo="$BASE_YUM_REPO" \
     gdb \
     strace
-
+USER xrootd
 ####################
 # cms-xcache-debug #
 ####################
@@ -181,7 +204,7 @@ FROM cms-xcache AS cms-xcache-debug
 RUN yum -y install -y --enablerepo="$BASE_YUM_REPO" \
     gdb \
     strace
-
+USER xrootd
 #####################
 # stash-cache-debug #
 #####################
@@ -191,6 +214,7 @@ FROM stash-cache AS stash-cache-debug
 RUN yum -y install -y --enablerepo="$BASE_YUM_REPO" \
     gdb \
     strace
+USER xrootd
 
 #####################
 # stash-cache-debug #
@@ -201,3 +225,4 @@ FROM stash-origin AS stash-origin-debug
 RUN yum -y install -y --enablerepo="$BASE_YUM_REPO" \
     gdb \
     strace
+USER xrootd

atlas-xcache/image-config.d/10-atlas-xcache.sh

@@ -2,5 +2,5 @@
 
 /usr/local/sbin/fix_certs.sh
 
-su xrootd /usr/libexec/xcache/renew-proxy --voms atlas
+/usr/libexec/xcache/renew-proxy --voms atlas
 

atlas-xcache/supervisord.d/10-atlas-xcache.conf

@@ -1,5 +1,4 @@
 [program:atlas-xcache]
 command=xrootd -c /etc/xrootd/xrootd-atlas-xcache.cfg -k fifo -n atlas-xcache -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-atlas-xcache.pid -l /var/log/xrootd/xrootd.log
-user=xrootd
 autorestart=true
 environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10

cms-xcache/image-config.d/20-cms-generate-proxy.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
 /usr/local/sbin/fix_certs.sh
-su xrootd -c '/usr/libexec/xcache/renew-proxy --voms cms'
+/usr/libexec/xcache/renew-proxy --voms cms

cms-xcache/supervisord.d/10-cms-xcache.conf

@@ -1,6 +1,5 @@
 [program:cms-xcache]
 command=xrootd -c /etc/xrootd/xrootd-cms-xcache.cfg -k fifo -n cms-xcache -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-cms-xcache.pid -l /var/log/xrootd/xrootd.log
-user=xrootd
 autorestart=true
 environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10
 

stash-cache/image-config.d/20-generate-proxy.sh

@@ -2,4 +2,4 @@
 
 # Generate the proxy
 /usr/local/sbin/fix_certs.sh
-su xrootd /usr/libexec/xcache/renew-proxy
+/usr/libexec/xcache/renew-proxy

stash-cache/image-config.d/40-generate-auth-file.sh

@@ -3,10 +3,6 @@
 # Generate the Auth File
 /usr/libexec/xcache/authfile-update --cache
 shopt -s nullglob
-for f in /run/stash-cache/* /run/stash-cache-auth/*; do
-    chown xrootd:xrootd "$f"
-done
-shopt -u nullglob
 
 # ddavila 20211020: Save the env vars CACHE_FQDN to be used
 # later by 'xrootd' on the 'authfile-update' script.
@@ -16,4 +12,3 @@ if [[ -n ${CACHE_FQDN} ]]; then
         echo "export CACHE_FQDN=${CACHE_FQDN}" >> /etc/xrootd-environment
 fi
 
-chown xrootd:xrootd /etc/xrootd-environment

stash-cache/supervisord.d/10-stash-cache.conf

@@ -1,16 +1,13 @@
 [program:stash-cache-authfile-update]
 command=/usr/libexec/xcache/authfile-update --cache
-user=xrootd
 priority=998
 
 [program:stash-cache]
 command=xrootd -c /etc/xrootd/xrootd-stash-cache.cfg -k fifo -n stash-cache -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-stash-cache.pid -l /var/log/xrootd/xrootd.log
-user=xrootd
 autorestart=true
 environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10
 
 [program:stash-cache-auth]
 command=xrootd -c /etc/xrootd/xrootd-stash-cache-auth.cfg -k fifo -n stash-cache-auth -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-stash-cache-auth.pid -l /var/log/xrootd/xrootd.log
-user=xrootd
 autorestart=true
 environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10

stash-origin/image-config.d/40-generate-auth-file.sh

@@ -3,10 +3,6 @@
 # Generate the Auth File
 /usr/libexec/xcache/authfile-update --origin
 shopt -s nullglob
-for f in /run/stash-origin/* /run/stash-origin-auth/*; do
-    chown xrootd:xrootd "$f"
-done
-shopt -u nullglob
 
 # ddavila 20220225: Save the env var ORIGIN_FQDN to be used
 # later by 'xrootd' on the 'authfile-update' script.
@@ -15,4 +11,3 @@ echo "# This file was generated on startup" > /etc/xrootd-environment
 if [[ -n ${ORIGIN_FQDN} ]]; then
         echo "export ORIGIN_FQDN=${ORIGIN_FQDN}" >> /etc/xrootd-environment
 fi
-chown xrootd:xrootd /etc/xrootd-environment

stash-origin/supervisord.d/stash-origin-cmsd.conf

@@ -1,6 +1,5 @@
 [program:stash-origin-cmsd]
 command=/usr/bin/cmsd -l /var/log/xrootd/cmsd.log -c /etc/xrootd/xrootd-stash-origin.cfg -k fifo -s /var/run/xrootd/cmsd-stash-origin.pid -n stash-origin
-user=xrootd
 directory=/var/spool/xrootd
 autorestart=true
 environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10

stash-origin/supervisord.d/stash-origin.conf

@@ -1,6 +1,5 @@
 [program:stash-origin]
 command=xrootd -c /etc/xrootd/xrootd-stash-origin.cfg -k fifo -n stash-origin -k %(ENV_XC_NUM_LOGROTATE)s -s /var/run/xrootd/xrootd-origin-origin.pid -l /var/log/xrootd/xrootd.log
-user=xrootd
 directory=/var/spool/xrootd
 autorestart=true
 environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so,TCMALLOC_RELEASE_RATE=10

xcache/sbin/fix_certs.sh

@@ -8,7 +8,6 @@ tmpkey=`mktemp`
 
 chmod 644 $tmpcert
 chmod 600 $tmpkey
-chown xrootd:xrootd $tmpcert $tmpkey
 
 cp $grid_security/hostcert.pem $tmpcert
 cp $grid_security/hostkey.pem $tmpkey