Wingkwan.lau development patch 54649

Dockerfile

+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=mongo/mongo
+ARG BASE_TAG=4.4.6
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+# switch to root in order to fix permissions
+USER root
+
+# define Mongo's data and configuration directories
+ENV DATA_DIR=/data/db \
+    CONFIG_DIR=/data/configdb \
+    WORKING_DIR=/home/containeruser
+
+# create container user's home directory
+RUN mkdir -p $WORKING_DIR
+
+# copy over the script to make permissions compatible with OpenShift
+COPY scripts/fix-permissions.sh /usr/local/bin
+
+# ensure the script is executable
+RUN chmod a+x /usr/local/bin/fix-permissions.sh
+
+# set up container user and adjust permissions to run in OpenShift environment
+RUN fix-permissions.sh ${DATA_DIR} -P && \
+    fix-permissions.sh ${CONFIG_DIR} -P && \
+    fix-permissions.sh ${WORKING_DIR} -P 
+
+RUN ls -ltrh ${DATA_DIR}
+RUN ls -ltrh ${CONFIG_DIR}
+RUN ls -ltrh ${WORKING_DIR}
+
+# set home directory to persistent volume directory
+ENV HOME=/var/lib/mongodb/data
+
+# switch back to mongodb (for non-containerized environments)
+USER mongodb:mongodb

hardening_manifest.yaml

+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "diat/aap-mongo"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dso.mil
+tags:
+- "14.1"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_REGISTRY: "registry1.dsop.io"
+  BASE_IMAGE: "opensource/mongodb/mongodb"
+  BASE_TAG: "4.4.6"
+
+# Docker image labels
+labels:
+  # Name of the image
+  org.opencontainers.image.title: "aap-mongo"
+  # Human-readable description of the software packaged in the image
+  org.opencontainers.image.description: "Mongo DB for working with the Advanced Analytics Platform on Atlas"
+  # License(s) under which contained software is distributed
+  org.opencontainers.image.licenses: "MongoDB License"
+  # URL to find more information on the image
+  org.opencontainers.image.url: "https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform"
+  # Name of the distributing entity, organization or individual
+  org.opencontainers.image.vendor: "aap-mongo"
+  # Authoritative version of the software
+  org.opencontainers.image.version: "14.1"
+  # Keywords to help with search (ex. "cicd,gitops,golang")
+  mil.dso.ironbank.image.keywords: "aap,mongo,aap-mongo,aapmongo,mongodb,aap-mongodb,atlas,diat"
+  # This value can be "opensource" or "commercial"
+  mil.dso.ironbank.image.type: "commercial"
+  # Product the image belongs to for grouping multiple images
+  mil.dso.ironbank.product.name: "diat/aap-mongo"
+ 
+# List of project maintainers
+maintainers:
+- email: "wingkwan.lau1@navy.mil"
+  name: "WingKwan Lau"
+  username: "wlau"
+

scripts/fix-permissions.sh

+#!/bin/sh
+
+# allow script to fail without failing build
+set +e
+
+# unless otherwise specified, follow symlinks
+SYMLINK_OPT=${2:--L}
+
+# catch error if file/directory does not exist
+if ! [ -e "$1" ]; then
+    echo "ERROR: File or directory $1 does not exist." >&2
+    exit 0
+fi
+
+# fix group ownership
+find $SYMLINK_OPT "$1" \! -gid 0 -exec chgrp 0 {} +
+
+# fix group permissions
+find $SYMLINK_OPT "$1" \! -perm -g+rw -exec chmod g+rw {} +
+
+# ensure the group can execute any file executable by the owning user
+find $SYMLINK_OPT "$1" -perm /u+x -a \! -perm /g+x -exec chmod g+x {} +
+
+# ensure directories have executable permissions
+find $SYMLINK_OPT "$1" -type d \! -perm /g+x -exec chmod g+x {} +
+
+# always end successfully so that build does not fail
+exit 0
+