Various update: log4shell removal, testing-tools uid/gid (#1192)

* Various update: log4shell removal, testing-tools uid/gid

* address review feedback

Author: lfrancke

druid/Dockerfile

@@ -41,7 +41,7 @@ COPY --chown=${STACKABLE_USER_UID}:0 druid/stackable/patches/${PRODUCT} /stackab
 
 COPY --from=hadoop-builder --chown=${STACKABLE_USER_UID}:0 /stackable/patched-libs /stackable/patched-libs
 # Cache mounts are owned by root by default
-# We need to explicitly give the uid to use which is hardcoded to "1000" in stackable-base
+# We need to explicitly give the uid to use.
 # The cache id has to include the product version that we are building because otherwise
 # docker encounters race conditions when building multiple versions in parallel, as all
 # builder containers will share the same cache and the `rm -rf` commands will fail

java-devel/Dockerfile

@@ -23,40 +23,40 @@ gpgcheck=1
 gpgkey=https://packages.adoptium.net/artifactory/api/gpg/key/public
 EOF
 
-RUN microdnf update && \
-    microdnf install -y \
-    cmake \
-    cyrus-sasl-devel \
-    # diff is required by maven during the build of hbase \
-    # Cannot run program "diff" (in directory "/stackable/hbase-2.4.12-src/hbase-shaded/hbase-shaded-check-invariants"
-    diffutils \
-    fuse-devel \
-    gcc \
-    gcc-c++ \
-    # The GNU gettext utilities contain the envsubst program which
-    # substitutes the values of environment variables.
-    gettext \
-    # For the apply_patches.sh script
-    git \
-    # Needed by the maven ant run plugin for the "set-hostname-property" step in zookeeper
-    hostname \
-    # Needed for compiling Java projects
-    "temurin-${PRODUCT}-jdk" \
-    krb5-devel \
-    libcurl-devel \
-    make \
-    maven \
-    openssl-devel \
-    # Required to unpack Omid tarball
-    tar \
-    wget \
-    which \
-    xz \
-    zlib-devel \
-    # Required for log4shell.sh
-    unzip zip && \
-    microdnf clean all && \
-    rm -rf /var/cache/yum
+RUN <<EOF
+microdnf update
+microdnf install \
+  cmake \
+  cyrus-sasl-devel \
+  `# diff is required by maven during the build of hbase` \
+  `# Cannot run program "diff" (in directory "/stackable/hbase-2.4.12-src/hbase-shaded/hbase-shaded-check-invariants"` \
+  diffutils \
+  fuse-devel \
+  gcc \
+  gcc-c++ \
+  `# The GNU gettext utilities contain the envsubst program which` \
+  `# substitutes the values of environment variables.` \
+  gettext \
+  `# For the apply_patches.sh script`\
+  git \
+  `# Needed by the maven ant run plugin for the "set-hostname-property" step in zookeeper` \
+  hostname \
+  `# Needed for compiling Java projects` \
+  "temurin-${PRODUCT}-jdk" \
+  krb5-devel \
+  libcurl-devel \
+  make \
+  maven \
+  openssl-devel \
+  `# Required to unpack Omid tarball` \
+  tar \
+  wget \
+  which \
+  xz \
+  zlib-devel
+microdnf clean all
+rm -rf /var/cache/yum
+EOF
 
 ENV JAVA_HOME="/usr/lib/jvm/temurin-${PRODUCT}-jdk"
 

omid/Dockerfile

@@ -49,24 +49,6 @@ if [ "${DELETE_CACHES}" = "true" ] ; then
 fi
 EOF
 
-# ===
-# For earlier versions this script removes the .class file that contains the
-# vulnerable code.
-# TODO: This can be restricted to target only versions which do not honor the environment
-#   varible that has been set above but this has not currently been implemented
-COPY shared/log4shell.sh /bin
-RUN /bin/log4shell.sh /stackable/omid-tso-server-${PRODUCT}-stackable${RELEASE}
-
-# Ensure no vulnerable files are left over
-# This will currently report vulnerable files being present, as it also alerts on
-# SocketNode.class, which we do not remove with our scripts.
-# Further investigation will be needed whether this should also be removed.
-COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
-COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
-COPY shared/log4shell_scanner /bin/log4shell_scanner
-RUN /bin/log4shell_scanner s /stackable/omid-tso-server-${PRODUCT}-stackable${RELEASE}
-# ===
-
 FROM stackable/image/java-base
 
 ARG PRODUCT

shared/log4j.txt

@@ -10,6 +10,9 @@ FROM python:3.12-slim-bullseye@sha256:229b2897e6b5c630d83a721e42dd1c96e3ec996323
 ARG PRODUCT
 ARG RELEASE
 ARG KEYCLOAK_VERSION
+ARG STACKABLE_USER_UID
+ARG STACKABLE_USER_GID
+ARG STACKABLE_USER_NAME
 
 LABEL name="Stackable Testing Tools" \
       maintainer="info@stackable.tech" \
@@ -25,49 +28,55 @@ SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 # This is needed so that krb5-user installs without prompting for a realm.
 ENV DEBIAN_FRONTEND=noninteractive
 
-# krb5-user/libkrb5-dev are needed for Kerberos support.
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-        build-essential \
-        ca-certificates \
-        curl \
-        gzip \
-        jq \
-        krb5-user \
-        kubernetes-client \
-        libkrb5-dev \
-        libssl-dev \
-        libxml2-dev \
-        libxslt1-dev \
-        pkg-config \
-        python3-certifi \
-        python3-idna \
-        python3-semver \
-        python3-thrift \
-        python3-toml \
-        python3-urllib3 \
-        tar \
-        zip \
-        unzip \
-        # Java 11 seems like the best middle-ground for all tools
-        openjdk-11-jdk-headless && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
 
 COPY testing-tools/python /stackable/python
 COPY testing-tools/licenses /licenses
 
-ENV PATH=/stackable/keycloak/bin:$PATH
-RUN curl --fail -L https://repo.stackable.tech/repository/packages/keycloak/keycloak-${KEYCLOAK_VERSION}.tar.gz | tar -xzC /stackable && \
-    ln -s /stackable/keycloak-${KEYCLOAK_VERSION} /stackable/keycloak
 
-RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --no-cache-dir -r /stackable/python/requirements.txt && \
-    groupadd -r stackable --gid=1000 && \
-    useradd -r -g stackable --uid=1000 stackable && \
-    chown -R stackable:stackable /stackable
+RUN <<EOF
+apt-get update
+apt-get install -y --no-install-recommends \
+  build-essential \
+  ca-certificates \
+  curl \
+  gzip \
+  jq \
+  `# krb5-user/libkrb5-dev are needed for Kerberos support. ` \
+  krb5-user \
+  libkrb5-dev \
+  kubernetes-client \
+  libssl-dev \
+  libxml2-dev \
+  libxslt1-dev \
+  pkg-config \
+  python3-certifi \
+  python3-idna \
+  python3-semver \
+  python3-thrift \
+  python3-toml \
+  python3-urllib3 \
+  tar \
+  zip \
+  unzip \
+  `# Java 11 seems like the best middle-ground for all tools` \
+  openjdk-11-jdk-headless
+
+apt-get clean
+rm -rf /var/lib/apt/lists/*
+
+curl --fail -L https://repo.stackable.tech/repository/packages/keycloak/keycloak-${KEYCLOAK_VERSION}.tar.gz | tar -xzC /stackable
+ln -s /stackable/keycloak-${KEYCLOAK_VERSION} /stackable/keycloak
+
+pip install --no-cache-dir --upgrade pip
+pip install --no-cache-dir -r /stackable/python/requirements.txt
+groupadd -r ${STACKABLE_USER_NAME} --gid=${STACKABLE_USER_GID}
+useradd -r -g ${STACKABLE_USER_NAME} --uid=${STACKABLE_USER_UID} ${STACKABLE_USER_NAME}
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+EOF
+
+ENV PATH=/stackable/keycloak/bin:$PATH
 
-USER stackable
+USER ${STACKABLE_USER_UID}
 
 ENV STACKABLE_PRODUCT_VERSION=${PRODUCT}