Patch all used images for arbitrary users on OpenShift (#38)

* Patch all used images for arbitrary users on OpenShift

- Patch all currently used images for arbitrary user support
- Move $HOME and $PS1 definition into arbitrary user patch to simplify
  devfiles and make UX more consistent
- Add additional fixes to patched images:
  - Set chmod g=u on /home to allow write access
  - Create home directory if it does not exist

Signed-off-by: Angel Misevski <[email protected]>

arbitrary-users-patch/Dockerfile

@@ -1,12 +1,13 @@
 ARG FROM_IMAGE
 FROM ${FROM_IMAGE}
 USER 0
-RUN chmod g=u /etc/passwd
+# Set permissions on /etc/passwd and /home to allow arbitrary users to write
+RUN chmod g=u /etc/passwd /home
 COPY [--chown=0:0] entrypoint.sh /
-RUN chmod +x entrypoint.sh
+RUN chmod +x /entrypoint.sh
 
 USER 10001
-ENV HOME /home/user
+ENV HOME=/home/user
 WORKDIR /projects
 ENTRYPOINT [ "/entrypoint.sh" ]
-CMD ["sleep", "infinity"]
+CMD ["tail", "-f", "/dev/null"]

arbitrary-users-patch/base_images

@@ -1 +1,10 @@
-java11-maven maven:3.6.0-jdk-11
+che-python-3.6          centos/python-36-centos7:1
+che-php-7               eclipse/php:7.1-che7
+che-golang-1.10         golang:1.10.7-stretch
+che-java11-gradle       gradle:5.2.1-jdk11
+che-java11-maven        maven:3.6.0-jdk-11
+che-java8-maven         maven:3.6.1-jdk-8
+che-dotnet-2.2          mcr.microsoft.com/dotnet/core/sdk:2.2-stretch
+che-nodejs10-alpine     node:10.16-alpine
+che-nodejs10-ubi        registry.access.redhat.com/ubi8/nodejs-10
+che-nodejs8-centos      registry.centos.org/che-stacks/centos-nodejs

arbitrary-users-patch/build_images.sh

@@ -1,12 +1,39 @@
 #!/bin/bash
+#
+# Copyright (c) 2012-2018 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
 set -e
 
+SCRIPT_DIR=$(cd "$(dirname "$0")"; pwd)
+
 DEFAULT_REGISTRY="quay.io"
+DEFAULT_ORGANIZATION="eclipse"
+DEFAULT_TAG="nightly"
+
 REGISTRY=${REGISTRY:-${DEFAULT_REGISTRY}}
+ORGANIZATION=${ORGANIZATION:-${DEFAULT_ORGANIZATION}}
+TAG=${TAG:-${DEFAULT_TAG}}
+
+NAME_FORMAT="${REGISTRY}/${ORGANIZATION}"
+
+PUSH_IMAGES=false
+if [ "$1" == "--push" ]; then
+  PUSH_IMAGES=true
+fi
 
 while read -r line; do
-  base_image_name=$(echo $line | cut -f 1 -d ' ')
-  base_image=$(echo $line | cut -f 2 -d ' ')
-  echo "Building ${REGISTRY}/eclipse-che/che7-${base_image_name} based on $base_image ..."
-  docker build -t "${REGISTRY}/eclipse-che/che7-${base_image_name}" --build-arg FROM_IMAGE=$base_image .
-done < base_images
+  base_image_name=$(echo "$line" | tr -s ' ' | cut -f 1 -d ' ')
+  base_image=$(echo "$line" | tr -s ' ' | cut -f 2 -d ' ')
+  echo "Building ${NAME_FORMAT}/${base_image_name}:${TAG} based on $base_image ..."
+  docker build -t "${NAME_FORMAT}/${base_image_name}:${TAG}" --build-arg FROM_IMAGE="$base_image" "${SCRIPT_DIR}"/
+  if ${PUSH_IMAGES}; then
+    echo "Pushing ${NAME_FORMAT}/${base_image_name}:${TAG}" to remote registry
+    docker push "${NAME_FORMAT}/${base_image_name}:${TAG}"
+  fi
+done < "${SCRIPT_DIR}"/base_images

arbitrary-users-patch/entrypoint.sh

@@ -1,7 +1,20 @@
-#!/bin/sh
+#!/bin/bash
+
+# Ensure $HOME exists when starting
+if [ ! -d "${HOME}" ]; then
+  mkdir -p "${HOME}"
+fi
+
+# Setup $PS1 for a consistent and reasonable prompt
+if [ ! -f "${HOME}"/.bashrc ]; then
+  echo "PS1='\s-\v \w \$ '" > "${HOME}"/.bashrc
+fi
+
+# Add current (arbitrary) user to /etc/passwd
 if ! whoami &> /dev/null; then
   if [ -w /etc/passwd ]; then
     echo "${USER_NAME:-user}:x:$(id -u):0:${USER_NAME:-user} user:${HOME}:/bin/bash" >> /etc/passwd
   fi
 fi
+
 exec "$@"

cico_build_nightly.sh

@@ -14,6 +14,8 @@ set -x
 # Exit on error
 set -e
 
+SCRIPT_DIR=$(cd "$(dirname "$0")"; pwd)
+
 # Source environment variables of the jenkins slave
 # that might interest this worker.
 function load_jenkins_vars() {
@@ -60,6 +62,9 @@ function build_and_push() {
   IMAGE="che-devfile-registry"
   TAG="nightly"
 
+  "${SCRIPT_DIR}"/arbitrary-users-patch/build_images.sh --push
+  echo "CICO: pushed nightly arbitrary-user patched base images"
+
   if [ -n "${QUAY_ECLIPSE_CHE_USERNAME}" ] && [ -n "${QUAY_ECLIPSE_CHE_PASSWORD}" ]; then
     docker login -u "${QUAY_ECLIPSE_CHE_USERNAME}" -p "${QUAY_ECLIPSE_CHE_PASSWORD}" "${REGISTRY}"
   else

devfiles/apache-camel-springboot/devfile.yaml

@@ -22,9 +22,7 @@ components:
   -
     type: dockerimage
     alias: maven
-    image: maven:3.6.1-jdk-8
-    command: ['sleep']
-    args: ['infinity']
+    image: quay.io/eclipse/che-java8-maven:nightly
     env:
       - name: MAVEN_CONFIG
         value: "/home/user/.m2"
@@ -40,10 +38,6 @@ components:
         value: "-XX:MaxRAMPercentage=50.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10
           -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90
           -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom"
-      - name: PS1
-        value: "$(echo ${0})\\$"
-      - name: HOME
-        value: "/home/user"
     volumes:
       - name: m2
         containerPath: "/home/user/.m2"

devfiles/dotnet/devfile.yaml

@@ -20,14 +20,7 @@ components:
   -
     type: dockerimage
     alias: dotnet
-    image: mcr.microsoft.com/dotnet/core/sdk:2.2-stretch
-    command: ['sleep']
-    args: ['infinity']
-    env:
-      - name: HOME
-        value: /home/user
-      - name: PS1
-        value: $(echo ${0})\\$
+    image: quay.io/eclipse/che-dotnet-2.2:nightly
     memoryLimit: 512Mi
     endpoints:
       - name: '5000/tcp'

devfiles/go/devfile.yaml

@@ -18,10 +18,8 @@ components:
 -
   type: dockerimage
   # this version is used in the plugin
-  image: golang:1.10.7-stretch
+  image: quay.io/eclipse/che-golang-1.10:nightly
   alias: go-cli
-  command: ['sleep']
-  args: ['infinity']
   env:
     - name: GOPATH
       # replicate the GOPATH from the plugin
@@ -30,8 +28,6 @@ components:
       # replicate the GOCACHE from the plugin, even though the cache is not shared
       # between the two
       value: /tmp/.cache
-    - name: PS1
-      value: $(echo ${0})\\$
   memoryLimit: 512Mi
   mountSources: true
 commands:

devfiles/java-gradle/devfile.yaml

@@ -15,9 +15,7 @@ components:
   -
     type: dockerimage
     alias: gradle
-    image: gradle:5.2.1-jdk11
-    command: ['sleep']
-    args: ['infinity']
+    image: quay.io/eclipse/che-java11-gradle:nightly
     env:
       - name: GRADLE_USER_HOME
         value: /home/gradle/.gradle
@@ -29,8 +27,6 @@ components:
         value: "-XX:MaxRAMPercentage=50 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10
           -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90
           -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom"
-      - name: PS1
-        value: "$(echo ${0})\\$ "
       - name: HOME
         value: /home/gradle
     memoryLimit: 512Mi

devfiles/java-maven/devfile.yaml

@@ -15,9 +15,7 @@ components:
   -
     type: dockerimage
     alias: maven
-    image: maven:3.6.0-jdk-11
-    command: ['sleep']
-    args: ['infinity']
+    image: quay.io/eclipse/che-java11-maven:nightly
     env:
       - name: MAVEN_CONFIG
         value: /home/user/.m2
@@ -34,10 +32,6 @@ components:
         value: "-XX:MaxRAMPercentage=50 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10
           -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90
           -Dsun.zip.disableMemoryMapping=true -Xms20m -Djava.security.egd=file:/dev/./urandom"
-      - name: PS1
-        value: $(echo ${0})\\$
-      - name: HOME
-        value: /home/user
     memoryLimit: 512Mi
     endpoints:
       - name: '8080/tcp'

devfiles/nodejs-mongo/devfile.yaml

@@ -16,14 +16,8 @@ components:
   -
     type: dockerimage
     alias: nodejs
-    image: registry.access.redhat.com/ubi8/nodejs-10
-    command: ['sleep']
-    args: ['infinity']
+    image: quay.io/eclipse/che-nodejs10-ubi:nightly
     env:
-      - name: HOME
-        value: /tmp/user
-      - name: PS1
-        value: $(echo ${0})\\$
       # The values below are used to set up the environment for running the application
       - name: SECRET
         value: 220fd770-c028-480d-8f95-f84353c7d55a 

devfiles/nodejs-react/devfile.yaml

@@ -18,14 +18,7 @@ components:
     alias: nodejs
     # system limit for number of file watchers reached with
     # image: registry.access.redhat.com/ubi8/nodejs-10
-    image: registry.centos.org/che-stacks/centos-nodejs
-    command: ['sleep']
-    args: ['infinity']
-    env:
-      - name: HOME
-        value: /tmp/user
-      - name: PS1
-        value: $(echo ${0})\\$
+    image: quay.io/eclipse/che-nodejs8-centos:nightly
     memoryLimit: 512Mi
     endpoints:
       - name: 'nodejs'

devfiles/nodejs/devfile.yaml

@@ -16,14 +16,7 @@ components:
   -
     type: dockerimage
     alias: nodejs
-    image: registry.access.redhat.com/ubi8/nodejs-10
-    command: ['sleep']
-    args: ['infinity']
-    env:
-      - name: HOME
-        value: /home/user
-      - name: PS1
-        value: $(echo ${0})\\$
+    image: quay.io/eclipse/che-nodejs10-ubi:nightly
     memoryLimit: 512Mi
     endpoints:
       - name: 'nodejs'

devfiles/php-laravel/devfile.yaml

@@ -20,12 +20,7 @@ components:
 -
   type: dockerimage
   alias: php
-  image: eclipse/php:7.1-che7
-  env:
-    - name: HOME
-      value: /home/user
-    - name: PS1
-      value: $(echo ${0})\\$
+  image: quay.io/eclipse/che-php-7:nightly
   memoryLimit: 512Mi
   endpoints:
   - name: '8080/tcp'

devfiles/php-mysql/devfile.yaml

@@ -20,12 +20,7 @@ components:
 -
   type: dockerimage
   alias: php
-  image: eclipse/php:7.1-che7
-  env:
-    - name: HOME
-      value: /home/user
-    - name: PS1
-      value: $(echo ${0})\\$
+  image: quay.io/eclipse/che-php-7:nightly
   memoryLimit: 512Mi
   endpoints:
   - name: '8080/tcp'

devfiles/php-symfony/devfile.yaml

@@ -20,12 +20,7 @@ components:
 -
   type: dockerimage
   alias: php
-  image: eclipse/php:7.1-che7
-  env:
-    - name: HOME
-      value: /home/user
-    - name: PS1
-      value: $(echo ${0})\\$
+  image: quay.io/eclipse/che-php-7:nightly
   memoryLimit: 512Mi
   endpoints:
   - name: '8080/tcp'

devfiles/php-web-simple/devfile.yaml

@@ -20,12 +20,7 @@ components:
 -
   type: dockerimage
   alias: php
-  image: eclipse/php:7.1-che7
-  env:
-    - name: HOME
-      value: /home/user
-    - name: PS1
-      value: $(echo ${0})\\$
+  image: quay.io/eclipse/che-php-7:nightly
   memoryLimit: 512Mi
   mountSources: true
   volumes:

devfiles/python-django/devfile.yaml

@@ -16,14 +16,7 @@ components:
   -
     type: dockerimage
     alias: python
-    image: centos/python-36-centos7:1
-    command: ['sleep']
-    args: ['infinity']
-    env:
-      - name: HOME
-        value: /home/user
-      - name: PS1
-        value: $(echo ${0})\\$
+    image: quay.io/eclipse/che-python-3.6:nightly
     memoryLimit: 512Mi
     endpoints:
       - name: 'django'

devfiles/python/devfile.yaml

@@ -16,14 +16,7 @@ components:
   -
     type: dockerimage
     alias: python
-    image: centos/python-36-centos7:1
-    command: ['sleep']
-    args: ['infinity']
-    env:
-      - name: HOME
-        value: /home/user
-      - name: PS1
-        value: $(echo ${0})\\$
+    image: quay.io/eclipse/che-python-3.6:nightly
     memoryLimit: 512Mi
     mountSources: true
 commands: