Story
Resolution: Done
Highest
Support migration of the DCAE components (both platform and services) that currently run as root to non-root.
DCAE also depends on third-party software (Cloudify), which currently requires running as root.
Platform - PolicyHandler, CBS, Inventory, SCH
Services - VESCollector, TCA, RESTConf, PRH, HV-VES
PolicyHandler reference - https://git.onap.org/dcaegen2/platform/policy-handler/tree/Dockerfile
SEC-COM recommendation (from https://wiki.onap.org/display/DW/Best+Practices)
USER
Do not run containers as root. Use USER to change to a non-root user.
Create the user and group as in this example:
    RUN groupadd -r postgres && useradd --no-log-init -r -g postgres postgres
Avoid installing or using sudo. If you need to, use "gosu" instead.
To minimize the number of layers, avoid switching USER back and forth frequently.
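A way to check a Dockerfile against the USER recommendations above before migrating a component; this is an added example, not code from the ONAP wiki or the DCAE repositories. The sample Dockerfiles, the `svc` account name, and the function names are constructed for illustration.

```python
import re

# Constructed sample Dockerfiles (not taken from any ONAP repository).
ROOT_DOCKERFILE = """\
FROM python:3.9-slim
RUN apt-get update && apt-get install -y sudo
CMD ["python", "/opt/app/main.py"]
"""

NONROOT_DOCKERFILE = """\
FROM python:3.9-slim
RUN groupadd -r svc && useradd --no-log-init -r -g svc svc
USER svc
CMD ["python", "/opt/app/main.py"]
"""

ROOT_NAMES = {"root", "0"}


def logical_lines(text):
    """Join backslash continuations, then drop blank and comment lines."""
    joined = re.sub(r"\\\s*\n", " ", text)
    lines = [line.strip() for line in joined.splitlines()]
    return [line for line in lines if line and not line.startswith("#")]


def check_dockerfile(text, max_user_switches=1):
    """Return findings against the three USER recommendations."""
    findings = []
    users = []  # USER values seen in the final build stage, in order
    for line in logical_lines(text):
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1] if len(parts) > 1 else ""
        if instr == "FROM":
            users = []  # a new stage starts as the base image's user
        elif instr == "USER":
            users.append(args.strip().split(":")[0])  # drop optional :group
        elif instr == "RUN" and re.search(r"\bsudo\b", args):
            findings.append("sudo installed or used in RUN (use gosu if needed)")
    if not users:
        findings.append("no USER instruction: runs as the base image's "
                        "default user (root unless the base image sets one)")
    elif users[-1] in ROOT_NAMES:
        findings.append("final USER is root")
    if len(users) > max_user_switches:
        findings.append(f"{len(users)} USER switches: avoid switching back and forth")
    return findings
```

An empty list means the final stage ends as a non-root user, no RUN step mentions sudo, and USER is set no more than once.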
relates to
- DCAEGEN2-2170 Switch DCAE MOD components to non-root user - Closed
- DCAEGEN2-2171 DL containers running as root - Closed
- SECCOM-111 Containers not running as root - Impact to Projects - Open
- VID-423 VID should run as a non-root user - Closed