You can add a non-root user to the Sterling B2B Integrator Certified Container
image.
About this task
The Sterling B2B Integrator Certified Container image comes with a default non-root user with name/uid
b2biuser/1010 and a group with name/gid b2bigroup/1010. By default, the Certified Container starts the
Sterling B2B Integrator application services as b2biuser. This user also owns the mapped trace folder.
Note: For the default
user in the Certified Container to be able to access the configurations and resources from the host
folder path mapped to /ibm/resources, all the folders in that path should have
an execute 'x' permission and all the files should have a read 'r' permission for
others.
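The permission requirement in the note above can be checked on the host before the folder is mapped. The following script is an added example, not part of the IBM documentation; the function name check_resources_perms is hypothetical, and it assumes the requirement applies to every directory and file under the mapped folder.

```shell
#!/bin/sh
# Added example: audit a host folder that will be mapped to /ibm/resources.
# A directory needs the execute bit for "others" (octal 001) and a regular
# file needs the read bit for "others" (octal 004); anything else is reported.

# check_resources_perms DIR
#   prints one line per offending path
#   returns 0 if the tree is compliant, 1 if not, 2 if DIR is not a directory
check_resources_perms() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    bad=$(
        # directories that "others" cannot traverse
        find "$dir" -type d ! -perm -001 -print 2>/dev/null |
            sed 's/^/DIR  missing o+x: /'
        # regular files that "others" cannot read
        find "$dir" -type f ! -perm -004 -print 2>/dev/null |
            sed 's/^/FILE missing o+r: /'
    )

    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone use: sh check_perms.sh /path/on/host/resources
if [ "$#" -gt 0 ]; then
    check_resources_perms "$1"
fi
```

Run it as the owner of the folder (or as root) so that find can descend into directories that are closed to others.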
Follow these steps to update the Sterling B2B Integrator Certified Container image
with the currently logged in user or any other user/group on the host as per the platform security
policy:
Procedure
- Copy the contents shown below to a file named Dockerfile and place it on a
host that has the Docker client installed.
# Stage 1: the downloaded Certified Container image, used only as the source of /ibm
FROM icr.io/cp/ibm-b2bi/b2bi:6.2.0.0 AS b2bi-base

# Stage 2: new image built on UBI 9 with the required user and group
FROM registry.access.redhat.com/ubi9/ubi:9.2 AS b2bi-extended

# USER_ID and GROUP_ID have no default; pass them with --build-arg
ARG USER_NAME=b2biuser
ARG USER_ID
ARG GROUP_NAME=b2bigroup
ARG GROUP_ID

LABEL name="IBM Sterling B2B Integrator Enterprise Edition Certified Container" \
      vendor="IBM" \
      version="6.2.0" \
      release="6.2.0" \
      summary="Sterling File Gateway lets organizations transfer files between partners using different protocols, conventions for naming files, and file formats. A scalable and security-enabled gateway, Sterling File Gateway enables companies to consolidate all their internet-based file transfers on a single edge gateway, which helps secure your B2B collaboration network and the data flowing through it. To find out more, see IBM Sterling File Gatewayon IBM Marketplace." \
      description="IBM Sterling B2B Integrator Enterprise Edition Certified Container"

# Package installation and user/group creation need root
USER root
RUN yum install --disableplugin=subscription-manager -y procps systemd \
    && yum install --disableplugin=subscription-manager -y bash \
    && yum install --disableplugin=subscription-manager -y unzip \
    && yum install --disableplugin=subscription-manager -y xz \
    && yum install --disableplugin=subscription-manager -y tzdata \
    && yum install --disableplugin=subscription-manager -y openssl \
    && yum install --disableplugin=subscription-manager -y shadow-utils \
    && yum install --disableplugin=subscription-manager -y python3 \
    && yum install --disableplugin=subscription-manager -y python3-inotify \
    && yum install --disableplugin=subscription-manager -y iputils \
    && yum install --disableplugin=subscription-manager -y lsof \
    && yum install --disableplugin=subscription-manager -y findutils \
    && yum install --disableplugin=subscription-manager -y gpg systemd \
    && yum install --disableplugin=subscription-manager -y bash glibc-locale-source glibc-langpack-en \
    && yum install --disableplugin=subscription-manager -y xz \
    && yum reinstall --disableplugin=subscription-manager -y tzdata \
    && yum install --disableplugin=subscription-manager -y openssl \
    && yum -y install --disableplugin=subscription-manager libnsl2 \
    && yum --disableplugin=subscription-manager clean all \
    && yum --disableplugin=subscription-manager -y autoremove \
    && localedef -i en_US -f UTF-8 en_US.UTF-8 \
    && groupadd -o -g ${GROUP_ID} ${GROUP_NAME} \
    && adduser -l -r -u ${USER_ID} -m -d /home/${USER_NAME} -s /sbin/nologin -c "B2BI user" -g ${GROUP_NAME} ${USER_NAME} \
    && chmod 755 /home/${USER_NAME} \
    && sed -i "s/^hosts:.*/hosts: files dns/g" /etc/nsswitch.conf \
    && update-alternatives --install /bin/sh sh /bin/bash 100

# Copy the product tree from the base image, owned by the new user and group
COPY --from=b2bi-base --chown=${USER_NAME}:${GROUP_NAME} /ibm /ibm

RUN mkdir /licenses \
    && ln -s /ibm/b2bi/install/licrfiles /licenses \
    && chown ${USER_NAME}:${GROUP_NAME} /licenses

# Drop root: the application services start as the new non-root user
USER ${USER_NAME}

ENV INSTALL_DIR=${INSTALL_DIR:-/ibm/b2bi/install} \
    BASE_DIR=${BASE_DIR:-/ibm} \
    LOG_DIR=${LOG_DIR:-/ibm/trace} \
    RESOURCE_DIR=${RESOURCE_DIR:-/ibm/resources} \
    SERVICE_DIR=${SERVICE_DIR:-/ibm/services}

ENTRYPOINT ["/ibm/b2bi/install/bin/b2biDockerStart.sh"]
- Edit Dockerfile to change the repository and tag name from b2bi:latest to the
appropriate repository and tag name for the Sterling B2B Integrator image you downloaded.
Uncomment the LABEL section based on the product for which you want to extend an image.
- Run the following command to extend the Sterling B2B Integrator Certified Container image
to include the host user:
docker build -t ${desired tag}:${product version} \
    --build-arg USER_ID=${host_user_id} \
    --build-arg GROUP_ID=${host_user_group_id} \
    --build-arg USER_NAME=${host_user_name} \
    --build-arg GROUP_NAME=${host_user_group_name} \
    ${path/to/dockerfile}
- Use the new image id/tag for all subsequent Certified Container
installation configurations.
If you use the ibm-b2bi-prod Helm chart to deploy, then you must edit
values.yaml and use the same user/group ID that was used when the image was created in Step
3.
security:
  supplementalGroups: [5555]
  fsGroup: ${host_user_group_id}
  runAsUser: ${host_user_id}