add user and missing package to agent (#382)

Author: Nikolas De Giorgis

agent/Dockerfile

@@ -6,6 +6,7 @@ ARG tools_version
 RUN apt-get -qq update \
         && apt-get -y -qq install \
         curl \
+        libnss-wrapper \
         && apt-get upgrade -y -qq \
         && apt-get dist-upgrade -y -qq \
         && rm -rf /var/lib/apt/lists/*
@@ -32,4 +33,5 @@ RUN curl --fail --retry 3 --silent https://downloads.mongodb.org/tools/db/mongod
     && tar xfz mongodb-tools.tgz --directory /var/lib/mongodb-mms-automation/ \
     && rm mongodb-tools.tgz
 
+USER 2000
 CMD ["agent/mongodb-agent", "-cluster=/var/lib/automation/config/automation-config.json"]

controllers/construct/mongodbstatefulset.go

@@ -43,6 +43,9 @@ const (
 	headlessAgentEnv           = "HEADLESS_AGENT"
 	podNamespaceEnv            = "POD_NAMESPACE"
 	automationConfigEnv        = "AUTOMATION_CONFIG_MAP"
+
+	automationconfFilePath = "/data/automation-mongod.conf"
+	keyfileFilePath        = "/var/lib/mongodb-mms-automation/authentication/keyfile"
 )
 
 // MongoDBStatefulSetOwner is an interface which any resource which generates a MongoDB StatefulSet should implement.
@@ -112,6 +115,7 @@ func BuildMongoDBReplicaSetStatefulSetModificationFunction(mdb MongoDBStatefulSe
 		statefulset.WithVolumeClaim(logVolumeName, logsPvc()),
 		statefulset.WithPodSpecTemplate(
 			podtemplatespec.Apply(
+				podtemplatespec.WithSecurityContext(podtemplatespec.DefaultPodSecurityContext()),
 				podtemplatespec.WithPodLabels(labels),
 				podtemplatespec.WithVolume(healthStatusVolume),
 				podtemplatespec.WithVolume(hooksVolume),
@@ -128,23 +132,34 @@ func BuildMongoDBReplicaSetStatefulSetModificationFunction(mdb MongoDBStatefulSe
 }
 
 func mongodbAgentContainer(automationConfigSecretName string, volumeMounts []corev1.VolumeMount) container.Modification {
+	agentCommand := strings.Join([]string{
+		"agent/mongodb-agent",
+		"-cluster=" + clusterFilePath,
+		"-skipMongoStart",
+		"-noDaemonize",
+		"-healthCheckFilePath=" + agentHealthStatusFilePathValue,
+		"-serveStatusPort=5000",
+		"-useLocalMongoDbTools"}, " ")
 	return container.Apply(
 		container.WithName(AgentName),
 		container.WithImage(os.Getenv(AgentImageEnv)),
 		container.WithImagePullPolicy(corev1.PullAlways),
 		container.WithReadinessProbe(DefaultReadiness()),
 		container.WithResourceRequirements(resourcerequirements.Defaults()),
 		container.WithVolumeMounts(volumeMounts),
-		container.WithCommand([]string{
-			"agent/mongodb-agent",
-			"-cluster=" + clusterFilePath,
-			"-skipMongoStart",
-			"-noDaemonize",
-			"-healthCheckFilePath=" + agentHealthStatusFilePathValue,
-			"-serveStatusPort=5000",
-			"-useLocalMongoDbTools",
-		},
-		),
+		container.WithSecurityContext(container.DefaultSecurityContext()),
+		container.WithCommand([]string{"/bin/bash", "-c", `current_uid=$(id -u)
+echo $current_uid
+declare -r current_uid
+if ! grep -q "${current_uid}" /etc/passwd ; then
+sed -e "s/^mongodb:/builder:/" /etc/passwd > /tmp/passwd
+echo "mongodb:x:$(id -u):$(id -g):,,,:/:/bin/bash" >> /tmp/passwd
+cat /tmp/passwd
+export NSS_WRAPPER_PASSWD=/tmp/passwd
+export LD_PRELOAD=libnss_wrapper.so
+export NSS_WRAPPER_GROUP=/etc/group
+fi
+` + agentCommand}),
 		container.WithEnvs(
 			corev1.EnvVar{
 				Name:  headlessAgentEnv,
@@ -227,32 +242,37 @@ func getMongoDBImage(version string) string {
 }
 
 func mongodbContainer(version string, volumeMounts []corev1.VolumeMount) container.Modification {
-	mongoDbCommand := []string{
-		"/bin/sh",
-		"-c",
-		`
-# run post-start hook to handle version changes
+	mongoDbCommand := fmt.Sprintf(`
+#run post-start hook to handle version changes
 /hooks/version-upgrade
 
-# wait for config to be created by the agent
-while [ ! -f /data/automation-mongod.conf ]; do sleep 3 ; done ; sleep 2 ;
+# wait for config and keyfile to be created by the agent
+ while ! [ -f %s -a -f %s ]; do sleep 3 ; done ; sleep 2 ;
+
 
 # start mongod with this configuration
-exec mongod -f /data/automation-mongod.conf ;
-`,
+exec mongod -f %s;
+`, automationconfFilePath, keyfileFilePath, automationconfFilePath)
+
+	containerCommand := []string{
+		"/bin/sh",
+		"-c",
+		mongoDbCommand,
 	}
 
 	return container.Apply(
 		container.WithName(MongodbName),
 		container.WithImage(getMongoDBImage(version)),
 		container.WithResourceRequirements(resourcerequirements.Defaults()),
-		container.WithCommand(mongoDbCommand),
+		container.WithCommand(containerCommand),
 		container.WithEnvs(
 			corev1.EnvVar{
 				Name:  agentHealthStatusFilePathEnv,
 				Value: "/healthstatus/agent-health-status.json",
 			},
 		),
 		container.WithVolumeMounts(volumeMounts),
+
+		container.WithSecurityContext(container.DefaultSecurityContext()),
 	)
 }

pkg/kube/container/containers.go

@@ -183,3 +183,12 @@ func WithSecurityContext(context corev1.SecurityContext) Modification {
 		container.SecurityContext = &context
 	}
 }
+
+// DefaultSecurityContext returns the default security context for containers.
+// It sets RunAsUser = 2000 and RunAsNonRoot = true
+func DefaultSecurityContext() corev1.SecurityContext {
+	runAsNonRoot := true
+	runAsUser := int64(2000)
+
+	return corev1.SecurityContext{RunAsUser: &runAsUser, RunAsNonRoot: &runAsNonRoot}
+}

pkg/kube/podtemplatespec/podspec_template.go

@@ -144,6 +144,12 @@ func WithSecurityContext(securityContext corev1.PodSecurityContext) Modification
 	}
 }
 
+// DefaultPodSecurityContext returns the default pod security context with FsGroup = 2000
+func DefaultPodSecurityContext() corev1.PodSecurityContext {
+	fsGroup := int64(2000)
+	return corev1.PodSecurityContext{FSGroup: &fsGroup}
+}
+
 // WithImagePullSecrets adds an ImagePullSecrets local reference with the given name
 func WithImagePullSecrets(name string) Modification {
 	return func(podTemplateSpec *corev1.PodTemplateSpec) {