Use galaxy user instead of root (#2449)

Signed-off-by: Fabricio Aguiar <[email protected]>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

Author: fao89

.github/workflows/ci-docker-compose-integration.yml

@@ -47,7 +47,7 @@ jobs:
 
       - name: Spin up dev/compose/${{ matrix.env.TEST_PROFILE }}.yaml
         run: |
-          docker compose -f dev/compose/${{ matrix.env.TEST_PROFILE }}.yaml up --detach
+          USER_ID=$(id --user) docker compose -f dev/compose/${{ matrix.env.TEST_PROFILE }}.yaml up --detach
 
       - name: Export environment variables to host
         if: ${{ matrix.env.TEST_PROFILE != 'certified-sync' }}

.github/workflows/ci_automation_hub_collection.yml

@@ -72,7 +72,7 @@ jobs:
 
       - name: Spin up dev/compose/standalone.yaml
         run: |
-          docker compose -f dev/compose/standalone.yaml up --detach
+          USER_ID=$(id --user) docker compose -f dev/compose/standalone.yaml up --detach
 
       - name: Export environment variables to host
         run: |

Dockerfile.rhel8

@@ -1,6 +1,7 @@
 FROM registry.access.redhat.com/ubi8
 
 ARG GIT_COMMIT
+ARG USER_ID=1000
 
 ENV LANG=en_US.UTF-8 \
     PYTHONUNBUFFERED=1 \
@@ -11,7 +12,7 @@ ENV LANG=en_US.UTF-8 \
     GIT_COMMIT=${GIT_COMMIT:-} \
     VIRTUAL_ENV="/venv"
 
-RUN adduser --uid 1000 --gid 0 --home-dir /app --no-create-home galaxy
+RUN adduser --uid "${USER_ID}" -G 0 --home-dir /app --no-create-home galaxy
 
 # https://access.redhat.com/security/cve/CVE-2021-3872
 RUN rpm -qa | egrep ^vim | xargs rpm -e --nodeps
@@ -46,19 +47,19 @@ RUN chgrp -R 0 $HOME && \
 RUN set -ex; \
     install -dm 0775 -o galaxy \
                                /var/lib/pulp/{artifact,assets,media,scripts,tmp} \
-                               /etc/pulp/{certs,keys} \
+                               /etc/pulp/{certs,keys,gnupg} \
                                /tmp/ansible && \
     pip3.11 install --no-deps --editable /app && \
     PULP_CONTENT_ORIGIN=x django-admin collectstatic && \
-    install -Dm 0644 /app/ansible.cfg /etc/ansible/ansible.cfg && \
-    install -Dm 0644 /app/docker/etc/settings.py /etc/pulp/settings.py && \
-    install -Dm 0755 /app/docker/entrypoint.sh /entrypoint.sh && \
-    install -Dm 0755 /app/docker/bin/* /usr/local/bin/ && \
-    install -Dm 0775 /app/galaxy-operator/bin/* /usr/bin/
+    install -Dm 0644 -o galaxy /app/ansible.cfg /etc/ansible/ansible.cfg && \
+    install -Dm 0644 -o galaxy /app/docker/etc/settings.py /etc/pulp/settings.py && \
+    install -Dm 0755 -o galaxy /app/docker/entrypoint.sh /entrypoint.sh && \
+    install -Dm 0755 -o galaxy /app/docker/bin/* /usr/local/bin/ && \
+    install -Dm 0775 -o galaxy /app/galaxy-operator/bin/* /usr/bin/
 
 USER galaxy
 WORKDIR /app
-VOLUME [ "/var/lib/pulp/artifact", \
-         "/var/lib/pulp/tmp", \
+VOLUME [ "/var/lib/pulp", \
+         "/etc/pulp", \
          "/tmp/ansible" ]
 ENTRYPOINT [ "/entrypoint.sh" ]

Makefile

@@ -1,5 +1,8 @@
 .SILENT:
 
+# set the USER_ID to the current user uid
+export USER_ID = $(shell id --user)
+
 .DEFAULT:
 .PHONY: help
 help:             ## Show the help.
@@ -173,11 +176,12 @@ test/unit:  ## Run unit tests
 	tox -e py311
 
 .PHONY: test/integration/standalone
-test/integration/standalone:  ## Run integration tests
+test/integration/standalone:  ## Run standalone integration tests
 	# if pytest is not found raise a warning and install it
 	@which pytest || (echo "pytest not found, installing it now" && pip install -r integration_requirements.txt)
-	@echo "Running integration tests"
-	HUB_ADMIN_PASS=admin \
+	@echo "Running standalone integration tests"
+	HUB_LOCAL=1 \
+	HUB_USE_MOVE_ENDPOINT="true" \
 	HUB_API_ROOT=http://localhost:5001/api/galaxy/ \
 	GALAXYKIT_SLEEP_SECONDS_POLLING=.5 \
     GALAXYKIT_SLEEP_SECONDS_ONETIME=.5 \
@@ -188,3 +192,59 @@ test/integration/standalone:  ## Run integration tests
 	pytest  galaxy_ng/tests/integration \
 	-p 'no:pulpcore' -p 'no:pulp_ansible' \
 	-v -r sx --color=yes -m 'deployment_standalone or all'
+
+.PHONY: test/integration/community
+test/integration/community:  ## Run community integration tests
+	# if pytest is not found raise a warning and install it
+	@which pytest || (echo "pytest not found, installing it now" && pip install -r integration_requirements.txt)
+	@echo "Running community integration tests"
+	HUB_LOCAL=1 \
+	HUB_TEST_AUTHENTICATION_BACKEND=community \
+	HUB_API_ROOT=http://localhost:5001/api/ \
+	GALAXYKIT_SLEEP_SECONDS_POLLING=.5 \
+    GALAXYKIT_SLEEP_SECONDS_ONETIME=.5 \
+    GALAXYKIT_POLLING_MAX_ATTEMPTS=50 \
+    GALAXY_SLEEP_SECONDS_POLLING=.5 \
+    GALAXY_SLEEP_SECONDS_ONETIME=.5 \
+    GALAXY_POLLING_MAX_ATTEMPTS=50 \
+	pytest  galaxy_ng/tests/integration \
+	-p 'no:pulpcore' -p 'no:pulp_ansible' \
+	-v -r sx --color=yes -m 'deployment_community'
+
+.PHONY: test/integration/certified
+test/integration/certified:  ## Run certified-sync integration tests
+	# if pytest is not found raise a warning and install it
+	@which pytest || (echo "pytest not found, installing it now" && pip install -r integration_requirements.txt)
+	@echo "Running certified-sync integration tests"
+	HUB_LOCAL=1 \
+	HUB_API_ROOT=http://localhost:5001/api/galaxy/ \
+	HUB_USE_MOVE_ENDPOINT="true" \
+	GALAXYKIT_SLEEP_SECONDS_POLLING=.5 \
+    GALAXYKIT_SLEEP_SECONDS_ONETIME=.5 \
+    GALAXYKIT_POLLING_MAX_ATTEMPTS=50 \
+    GALAXY_SLEEP_SECONDS_POLLING=.5 \
+    GALAXY_SLEEP_SECONDS_ONETIME=.5 \
+    GALAXY_POLLING_MAX_ATTEMPTS=50 \
+	pytest  galaxy_ng/tests/integration \
+	-p 'no:pulpcore' -p 'no:pulp_ansible' \
+	-v -r sx --color=yes -m 'sync'
+
+.PHONY: test/integration/insights
+test/integration/insights:  ## Run insights integration tests
+	# if pytest is not found raise a warning and install it
+	@which pytest || (echo "pytest not found, installing it now" && pip install -r integration_requirements.txt)
+	@echo "Running insights integration tests"
+	HUB_LOCAL=1 \
+	HUB_API_ROOT=http://localhost:8080/api/automation-hub/ \
+	HUB_AUTH_URL=http://localhost:8080/auth/realms/redhat-external/protocol/openid-connect/token \
+    HUB_USE_MOVE_ENDPOINT="true" \
+    HUB_UPLOAD_SIGNATURES="true" \
+	GALAXYKIT_SLEEP_SECONDS_POLLING=.5 \
+    GALAXYKIT_SLEEP_SECONDS_ONETIME=.5 \
+    GALAXYKIT_POLLING_MAX_ATTEMPTS=50 \
+    GALAXY_SLEEP_SECONDS_POLLING=.5 \
+    GALAXY_SLEEP_SECONDS_ONETIME=.5 \
+    GALAXY_POLLING_MAX_ATTEMPTS=50 \
+	pytest  galaxy_ng/tests/integration \
+	-p 'no:pulpcore' -p 'no:pulp_ansible' \
+	-v -r sx --color=yes -m 'deployment_cloud or all'

dev/compose/Dockerfile.dev

@@ -7,7 +7,9 @@ ARG GNUPGHOME
 ENV GNUPGHOME $GNUPGHOME
 
 USER root
+RUN ${VIRTUAL_ENV}/bin/python3 -m pip install ipython ipdb django-extensions pulp-cli
 
+USER galaxy
 RUN /app/dev/compose/signing/setup_gpg_workarounds.sh
 
 RUN set -ex; \
@@ -20,5 +22,3 @@ RUN set -ex; \
     chmod +x /var/lib/pulp/scripts/*_sign.sh
 
 RUN /app/dev/compose/signing/setup_gpg_keys.sh
-
-RUN ${VIRTUAL_ENV}/bin/python3 -m pip install ipython ipdb django-extensions pulp-cli

dev/compose/aap.yaml

@@ -1,6 +1,6 @@
 x-common-env: &common-env
 
-  GNUPGHOME: /root/.gnupg/
+  GNUPGHOME: /etc/pulp/gnupg/
 
   DJANGO_SUPERUSER_USERNAME: admin
   DJANGO_SUPERUSER_EMAIL: [email protected]
@@ -89,6 +89,8 @@ services:
     build:
       context: ../../
       dockerfile: Dockerfile
+      args:
+        USER_ID: "${USER_ID:-1000}"
     image: "localhost/galaxy_ng/galaxy_ng:base"
 
   base_img_dev:  # Extends base_img with extra files and dev tools
@@ -152,6 +154,7 @@ services:
         pulpcore-manager createsuperuser --noinput || true;
 
         touch /var/lib/pulp/.migrated;
+        chown -R galaxy:galaxy /etc/pulp /var/lib/pulp;
       "
 
   api:
@@ -172,7 +175,7 @@ services:
     networks:
       - default
       - service-mesh
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -200,7 +203,7 @@ services:
     networks:
       - default
       - service-mesh
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -223,7 +226,7 @@ services:
       - "../../:/app"
     environment:
       <<: *common-env
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -250,7 +253,7 @@ services:
       - "../../:/app"
     environment:
       <<: *common-env
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "

dev/compose/certified-sync.yaml

@@ -1,6 +1,6 @@
 x-common-env: &common-env
 
-  GNUPGHOME: /root/.gnupg/
+  GNUPGHOME: /etc/pulp/gnupg/
 
   DJANGO_SUPERUSER_USERNAME: admin
   DJANGO_SUPERUSER_EMAIL: [email protected]
@@ -110,6 +110,8 @@ services:
     build:
       context: ../../
       dockerfile: Dockerfile
+      args:
+        USER_ID: "${USER_ID:-1000}"
     image: "localhost/galaxy_ng/galaxy_ng:base"
 
   base_img_dev:  # Extends base_img with extra files and dev tools
@@ -175,6 +177,7 @@ services:
         pulpcore-manager createsuperuser --noinput || true;
 
         touch /var/lib/pulp/.migrated;
+        chown -R galaxy:galaxy /etc/pulp /var/lib/pulp;
       "
 
   standalone-api:
@@ -195,7 +198,7 @@ services:
     networks:
       - default
       - service-mesh
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -222,7 +225,7 @@ services:
     networks:
       - default
       - service-mesh
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -244,7 +247,7 @@ services:
       - "../../:/app"
     environment:
       <<: *standalone-env
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -271,7 +274,7 @@ services:
       - "../../:/app"
     environment:
       <<: *standalone-env
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -394,6 +397,7 @@ services:
         pulpcore-manager createsuperuser --noinput || true;
 
         touch /var/lib/pulp/.migrated;
+        chown -R galaxy:galaxy /etc/pulp /var/lib/pulp;
       "
 
   insights-proxy:
@@ -426,7 +430,7 @@ services:
     networks:
       - default
       - service-mesh
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -453,7 +457,7 @@ services:
     networks:
       - default
       - service-mesh
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -475,7 +479,7 @@ services:
       - "../../:/app"
     environment:
       <<: *insights-env
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -502,7 +506,7 @@ services:
       - "../../:/app"
     environment:
       <<: *insights-env
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "

dev/compose/community.yaml

@@ -1,6 +1,6 @@
 x-common-env: &common-env
 
-  GNUPGHOME: /root/.gnupg/
+  GNUPGHOME: /etc/pulp/gnupg/
   GALAXY_IMPORTER_CONFIG: /src/galaxy_ng/profiles/community/galaxy-importer/galaxy-importer.cfg
 
   DJANGO_SUPERUSER_USERNAME: admin
@@ -99,6 +99,8 @@ services:
     build:
       context: ../../
       dockerfile: Dockerfile
+      args:
+        USER_ID: "${USER_ID:-1000}"
     image: "localhost/galaxy_ng/galaxy_ng:base"
 
   base_img_dev:  # Extends base_img with extra files and dev tools
@@ -174,6 +176,7 @@ services:
         pulpcore-manager createsuperuser --noinput || true;
 
         touch /var/lib/pulp/.migrated;
+        chown -R galaxy:galaxy /etc/pulp /var/lib/pulp;
       "
 
   api:
@@ -194,7 +197,7 @@ services:
     networks:
       - default
       - service-mesh
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -221,7 +224,7 @@ services:
     networks:
       - default
       - service-mesh
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -243,7 +246,7 @@ services:
       - "../../:/app"
     environment:
       <<: *common-env
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "
@@ -266,7 +269,7 @@ services:
       - "../../:/app"
     environment:
       <<: *common-env
-    user: root
+    user: galaxy
     <<: *debugging
     command: |
       bash -c "