Define xtesting user to harden security

It applies security guidelines even if everybody was already
free to harden his own containers via the python package.

Change-Id: Ia9936d158c02b4e5c86386cb046ff7e35af07f03
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>

diff --git a/docker/core/Dockerfile b/docker/core/Dockerfile
index c91c636..668561f 100644 (file)
--- a/docker/core/Dockerfile
+++ b/docker/core/Dockerfile
@@ -24,6 +24,9 @@ RUN apk -U upgrade && \
         -chttps://git.opnfv.org/functest-xtesting/plain/upper-constraints.txt?h=$BRANCH \
         /src/functest-xtesting && \
     rm -r /src/functest-xtesting upper-constraints.txt && \
+    addgroup -g 1000 xtesting && adduser -u 1000 -G xtesting -D xtesting && \
+    mkdir -p /var/lib/xtesting/results && chown -R xtesting: /var/lib/xtesting && \
     apk del .build-deps
 COPY testcases.yaml /usr/lib/python3.9/site-packages/xtesting/ci/testcases.yaml
+USER xtesting
 CMD ["run_tests", "-t", "all"]

diff --git a/docker/mts/Dockerfile b/docker/mts/Dockerfile
index eae61aa..ae32d8b 100644 (file)
--- a/docker/mts/Dockerfile
+++ b/docker/mts/Dockerfile
@@ -7,6 +7,7 @@ ENV JAVA_HOME=/usr/lib/jvm/java-1.8-openjdk
 ENV NGN_JAVA_HOME=${JAVA_HOME}/bin
 ENV MAVEN_OPTS=$MAVEN_OPTS
 
+USER root
 COPY mts-installer.properties /src/mts-installer.properties
 RUN case $(uname -m) in x86_64) \
         apk --no-cache add --update openjdk8-jre && \
@@ -22,4 +23,5 @@ RUN case $(uname -m) in x86_64) \
         rm -rf /root/.m2/ ${APP_FOLDER}/tutorial /src/mts-installer.properties /src/git-mts && \
         apk del .build-deps;; esac
 COPY testcases.yaml /usr/lib/python3.9/site-packages/xtesting/ci/testcases.yaml
+USER xtesting
 CMD ["run_tests", "-t", "all"]