More tools now migrated but not tested yet:

- Kafka Testing Tools
- KCat
- NiFi
- Omid

Author: lfrancke

kafka-testing-tools/Dockerfile

@@ -8,6 +8,7 @@ FROM stackable/image/stackable-base AS final
 ARG PRODUCT
 ARG KCAT
 ARG RELEASE
+ARG STACKABLE_USER_UID
 
 LABEL name="Kafka Testing Tools" \
       maintainer="info@stackable.tech" \
@@ -29,11 +30,11 @@ RUN microdnf install  \
     && rm -rf /var/cache/yum
 
 # Store kcat version with binary name and add softlink
-COPY --chown=stackable:stackable --from=kcat /stackable/kcat-${KCAT}/kcat /stackable/kcat-${KCAT}
+COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /stackable/kcat-${KCAT}/kcat /stackable/kcat-${KCAT}
 RUN ln -s /stackable/kcat-${KCAT} /stackable/kcat
-COPY --chown=stackable:stackable --from=kcat /licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /licenses /licenses
 
 
-COPY --chown=stackable:stackable kafka-testing-tools/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 kafka-testing-tools/licenses /licenses
 
 ENTRYPOINT ["/stackable/kcat"]

kcat/Dockerfile

@@ -7,6 +7,7 @@
 FROM stackable/image/java-base AS builder
 
 ARG PRODUCT
+ARG STACKABLE_USER_UID
 
 RUN microdnf update \
     && microdnf install \
@@ -32,7 +33,7 @@ RUN curl -O https://repo.stackable.tech/repository/packages/kcat/kcat-${PRODUCT}
     && cd kcat-${PRODUCT} \
     && ./bootstrap.sh
 
-COPY --chown=stackable:stackable kcat/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 kcat/licenses /licenses
 
 # SNIPPET 1
 # 145.2 gcc  -I/stackable/kcat-1.7.0/tmp-bootstrap/usr/include -I/stackable/kcat-1.7.0/tmp-bootstrap/usr/include -g -O2 -Wall -Wsign-compare -Wfloat-equal -Wpointer-arith -Wcast-align -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib -Wl,-rpath-link=/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib -Wl,-rpath-link=/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib kcat.o format.o tools.o input.o json.o avro.o -o kcat  -lm -ldl -lpthread -lrt -lpthread -lrt  -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib  /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libavro.a /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libjansson.a -lcurl /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libserdes.a -Wl,-Bstatic -lavro -Wl,-Bdynamic /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libyajl_s.a -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib //stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/librdkafka.a -lm -ldl -lpthread -lrt -lz -lcrypto -lssl -lsasl2   -lm -ldl -lpthread -lrt -lpthread -lrt  -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib  /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libavro.a /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libjansson.a -lcurl

nifi/Dockerfile

@@ -5,6 +5,7 @@ FROM stackable/image/java-devel AS nifi-builder
 
 ARG PRODUCT
 ARG MAVEN_VERSION="3.9.8"
+ARG STACKABLE_USER_UID
 
 RUN microdnf update && \
     microdnf clean all && \
@@ -22,10 +23,10 @@ RUN if [[ "${PRODUCT}" == 2.* ]] ; then \
         ln -sf /tmp/apache-maven-${MAVEN_VERSION}/bin/mvn /usr/bin/mvn ; \
     fi
 
-USER stackable
+USER ${STACKABLE_USER_UID}
 WORKDIR /stackable
 
-COPY --chown=stackable:stackable nifi/stackable/patches /stackable/patches
+COPY --chown=${STACKABLE_USER_UID}:0 nifi/stackable/patches /stackable/patches
 
 # NOTE: NiFi 1.21.0 source build does not work with the current arm64 git runners due to java heap issues:
 #
@@ -82,28 +83,11 @@ RUN if [[ "${PRODUCT}" == "1.21.0" ]] ; then \
         rm -rf /stackable/nifi-${PRODUCT}/docs ; \
     fi
 
-# ===
-# For earlier versions this script removes the .class file that contains the
-# vulnerable code.
-# TODO: This can be restricted to target only versions which do not honor the environment
-#   varible that has been set above but this has not currently been implemented
-COPY shared/log4shell.sh /bin
-RUN /bin/log4shell.sh /stackable/nifi-${PRODUCT}
-
-# Ensure no vulnerable files are left over
-# This will currently report vulnerable files being present, as it also alerts on
-# SocketNode.class, which we do not remove with our scripts.
-# Further investigation will be needed whether this should also be removed.
-COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
-COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
-COPY shared/log4shell_scanner /bin/log4shell_scanner
-RUN /bin/log4shell_scanner s /stackable/nifi-${PRODUCT}
-# ===
-
 FROM stackable/image/java-base AS final
 
 ARG PRODUCT
 ARG RELEASE
+ARG STACKABLE_USER_UID
 
 LABEL name="Apache NiFi" \
       maintainer="info@stackable.tech" \
@@ -113,28 +97,39 @@ LABEL name="Apache NiFi" \
       summary="The Stackable image for Apache NiFi." \
       description="This image is deployed by the Stackable Operator for Apache NiFi."
 
-RUN microdnf update && \
-    microdnf install \
-    # Required to install nipyapi
-    python-pip && \
-    microdnf clean all && \
-    rm -rf /var/cache/yum && \
-    # The nipyapi is required for the ReportingTaskJob
-    pip install --no-cache-dir nipyapi==0.19.1 && \
-    # For backwards compatibility we create a softlink in /bin where the jar used to be as long as we are root
-    # This can be removed once older versions / operators using this are no longer supported
-    ln -s /stackable/stackable-bcrypt.jar /bin/stackable-bcrypt.jar
+COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-builder /stackable/nifi-${PRODUCT} /stackable/nifi-${PRODUCT}/
+COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-builder /stackable/stackable-bcrypt.jar /stackable/stackable-bcrypt.jar
+
+COPY --chown=${STACKABLE_USER_UID}:0 nifi/stackable/bin /stackable/bin
+COPY --chown=${STACKABLE_USER_UID}:0 nifi/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 nifi/python /stackable/python
+
+RUN <<EOF
+ln -s /stackable/nifi-${PRODUCT} /stackable/nifi
+
+microdnf update
+
+# python-pip: Required to install nipyapi
+microdnf install \
+  python-pip
+
+microdnf clean all
+rm -rf /var/cache/yum
 
-USER stackable
+# The nipyapi is required for the ReportingTaskJob
+pip install --no-cache-dir nipyapi==0.19.1 && \
 
-COPY --chown=stackable:stackable --from=nifi-builder /stackable/nifi-${PRODUCT} /stackable/nifi-${PRODUCT}/
-COPY --chown=stackable:stackable --from=nifi-builder /stackable/stackable-bcrypt.jar /stackable/stackable-bcrypt.jar
+# For backwards compatibility we create a softlink in /bin where the jar used to be as long as we are root
+# This can be removed once older versions / operators using this are no longer supported
+ln -s /stackable/stackable-bcrypt.jar /bin/stackable-bcrypt.jar
 
-COPY --chown=stackable:stackable nifi/stackable/bin /stackable/bin
-COPY --chown=stackable:stackable nifi/licenses /licenses
-COPY --chown=stackable:stackable nifi/python /stackable/python
+# All files and folders owned by root to support running as arbitrary users
+# This is best practice as all container users will belong to the root group (0)
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
 
-RUN ln -s /stackable/nifi-${PRODUCT} /stackable/nifi
+USER ${STACKABLE_USER_UID}
 
 ENV HOME=/stackable
 ENV NIFI_HOME=/stackable/nifi

omid/Dockerfile

@@ -5,6 +5,7 @@ FROM stackable/image/java-devel AS builder
 
 ARG PRODUCT
 ARG DELETE_CACHES="true"
+ARG STACKABLE_USER_UID
 
 RUN <<EOF
 microdnf update
@@ -17,13 +18,13 @@ microdnf clean all
 rm -rf /var/cache/yum
 EOF
 
-USER stackable
+USER ${STACKABLE_USER_UID}
 WORKDIR /stackable
 
-COPY --chown=stackable:stackable omid/stackable/patches/apply_patches.sh /stackable/phoenix-omid-${PRODUCT}/patches/apply_patches.sh
-COPY --chown=stackable:stackable omid/stackable/patches/${PRODUCT} /stackable/phoenix-omid-${PRODUCT}/patches/${PRODUCT}
+COPY --chown=${STACKABLE_USER_UID}:0 omid/stackable/patches/apply_patches.sh /stackable/phoenix-omid-${PRODUCT}/patches/apply_patches.sh
+COPY --chown=${STACKABLE_USER_UID}:0 omid/stackable/patches/${PRODUCT} /stackable/phoenix-omid-${PRODUCT}/patches/${PRODUCT}
 
-RUN --mount=type=cache,id=maven-omid-${PRODUCT},uid=1000,target=/stackable/.m2/repository <<EOF
+RUN --mount=type=cache,id=maven-omid-${PRODUCT},uid=${STACKABLE_USER_UID},target=/stackable/.m2/repository <<EOF
   set -x
   curl https://repo.stackable.tech/repository/packages/omid/phoenix-omid-${PRODUCT}-src.tar.gz | tar -xzC .
   cd /stackable/phoenix-omid-${PRODUCT} || exit
@@ -62,6 +63,7 @@ FROM stackable/image/java-base
 ARG PRODUCT
 ARG RELEASE
 ARG JMX_EXPORTER
+ARG STACKABLE_USER_UID
 
 LABEL name="Apache Phoenix Omid" \
       maintainer="info@stackable.tech" \
@@ -73,31 +75,33 @@ LABEL name="Apache Phoenix Omid" \
 
 COPY omid/licenses /licenses
 
-COPY --chown=stackable:stackable omid/stackable /stackable
-COPY --chown=stackable:stackable --from=builder /stackable/omid-tso-server-${PRODUCT} /stackable/omid-tso-server-${PRODUCT}
-COPY --chown=stackable:stackable --from=builder /stackable/omid-examples-${PRODUCT} /stackable/omid-examples-${PRODUCT}
+COPY --chown=${STACKABLE_USER_UID}:0 omid/stackable /stackable
+COPY --chown=${STACKABLE_USER_UID}:0 --from=builder /stackable/omid-tso-server-${PRODUCT} /stackable/omid-tso-server-${PRODUCT}
+COPY --chown=${STACKABLE_USER_UID}:0 --from=builder /stackable/omid-examples-${PRODUCT} /stackable/omid-examples-${PRODUCT}
 
 RUN <<EOF
-  microdnf update
-  microdnf clean all
-  rm -rf /var/cache/yum
-
-  ln -s /stackable/omid-tso-server-${PRODUCT} /stackable/omid-tso-server
-  ln -s /stackable/omid-examples-${PRODUCT} /stackable/omid-examples
-  curl https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar \
-  -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
-  chmod -x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
-  # omid.sh places this file at the front of the classpath: remove it to allow the config map entry to take precedence
-  rm /stackable/omid-tso-server/conf/hbase-site.xml
-
-  # To support arbitrary user ids on OpenShift, this folder must belong to the root group.
-  mkdir /stackable/logs
-  chown -R 1000:0 /stackable/logs
-  chgrp -R 0 /stackable/logs
-  chmod -R g=u /stackable/logs
+microdnf update
+microdnf clean all
+rm -rf /var/cache/yum
+
+ln -s /stackable/omid-tso-server-${PRODUCT} /stackable/omid-tso-server
+ln -s /stackable/omid-examples-${PRODUCT} /stackable/omid-examples
+curl https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar \
+-o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
+chmod -x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
+# omid.sh places this file at the front of the classpath: remove it to allow the config map entry to take precedence
+rm /stackable/omid-tso-server/conf/hbase-site.xml
+
+# To support arbitrary user ids on OpenShift, this folder must belong to the root group.
+mkdir /stackable/logs
+
+# All files and folders owned by root to support running as arbitrary users
+# This is best practice as all container users will belong to the root group (0)
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
 EOF
 
-USER 1000
+USER ${STACKABLE_USER_UID}
 WORKDIR /stackable/omid-tso-server
 
 ENV HOME=/stackable