Adding a non-root User

You can add a non-root user to the IBM Sterling Global Mailbox Certified Container image.

About this task

Note: This is optional.
The Global Mailbox Certified Container image comes with a default non-root user with name/uid b2biuser/1010 and a group with name/gid b2bigroup/1010.

By default, the Certified Container starts the Global Mailbox application services with the b2biuser. This user also owns the mapped trace folder and documents folder.

Note: For the default user in the Certified Container to be able to read from and write to the host folders mapped to /ibm/trace and /ibm/documents, the file system path must grant full permissions (read, write and execute) at the group level, and the same group ID must be provided under security.supplementalGroups.

Follow these steps to update the Global Mailbox Certified Container image with the currently logged-in user, or any other user/group on the host, as required by the platform security policy:

Procedure

Extending Certified Container Global Mailbox image

  1. Copy the contents shown below to a file named Dockerfile and place it on a host that has the Docker client installed.
    FROM gm:latest AS gm-base
    
    FROM registry.access.redhat.com/ubi8/ubi:8.4 AS gm-extended
    
    ARG USER_NAME=gmuser
    ARG USER_ID
    ARG GROUP_NAME=gmgroup
    ARG GROUP_ID
    ARG INSTALL_DIR=/ibm/b2bi/install
    
    LABEL name="IBM Sterling Global Mailbox Certified Container" \
          vendor="IBM" \
          version="6.1.2.0" \
          release="6.1.2.0" \
          summary="IBM Sterling Global Mailbox helps companies address demands for high availability operations and redundancy with a robust and reliable data storage solution available across geographically distributed locations." \
          description="Achieve highly available, always-on file transfer operations"
    
    USER root
         
    RUN microdnf install shadow-utils \
        && microdnf install python3 \
        && microdnf install python3-inotify \
        && microdnf install findutils \
        && microdnf install procps \
        && microdnf clean all \
        && if [ ${GROUP_ID} -ne 0 ] ; then groupadd -g ${GROUP_ID} ${GROUP_NAME} ; fi \
        && if [ ${USER_ID} -ne 0 ]; then adduser -l -r -u ${USER_ID} -m -d /home/${USER_NAME} -s /sbin/nologin -c "Base user" -g ${GROUP_ID} ${USER_NAME}; chmod 755 /home/${USER_NAME} ;fi
    
    COPY --from=gm-base --chown=${USER_NAME}:${GROUP_NAME} /ibm /ibm
    
    
    USER ${USER_ID}
    
    WORKDIR $INSTALL_DIR/bin
    
    ENV JAVA_HOME=$INSTALL_DIR/jdk
    
    ENTRYPOINT ["./startGMAdminWrapper.sh"]
  2. Edit Dockerfile to change the repository and tag name from gm:latest to the appropriate repository and tag name for the Global Mailbox image you downloaded.
  3. Run the following command to extend the Global Mailbox Certified Container image to include the host user:
    
    docker build -t ${desired tag}:${product version} \
      --build-arg USER_ID=${host_user_id} --build-arg GROUP_ID=${host_user_group_id} \
      --build-arg USER_NAME=${host_user_name} --build-arg GROUP_NAME=${host_user_group_name} \
      ${path/to/dockerfile}
    

Extending Certified Container Global Mailbox db-setup image

  1. Copy the contents shown below to a file named Dockerfile and place it on a host that has the Docker client installed.
    FROM gm-db-setup:latest AS gm-base
    
    FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4 AS gm-extended
    
    ARG USER_NAME=gmuser
    ARG USER_ID
    ARG GROUP_NAME=gmgroup
    ARG GROUP_ID
    ARG INSTALL_DIR=/ibm/b2bi/install
    
    ENV JAVA_HOME=$INSTALL_DIR/jdk
    
    LABEL name="IBM Sterling Global Mailbox Certified Container" \
          vendor="IBM" \
          version="6.1.2.0" \
          release="6.1.2.0" \
          summary="IBM Sterling Global Mailbox helps companies address demands for high availability operations and redundancy with a robust and reliable data storage solution available across geographically distributed locations." \
          description="Achieve highly available, always-on file transfer operations"
    
    USER root
    
    RUN microdnf install shadow-utils \
        && microdnf install findutils \
        && microdnf install procps \
        && microdnf clean all \
        && if [ ${GROUP_ID} -ne 0 ] ; then groupadd -g ${GROUP_ID} ${GROUP_NAME} ; fi \
        && if [ ${USER_ID} -ne 0 ]; then adduser -l -r -u ${USER_ID} -m -d /home/${USER_NAME} -s /sbin/nologin -c "Base user" -g ${GROUP_ID} ${USER_NAME}; chmod 755 /home/${USER_NAME} ;fi
    
    COPY --from=gm-base --chown=${USER_NAME}:${GROUP_NAME} /ibm /ibm
    
    WORKDIR $INSTALL_DIR/globalmailbox/schemainit/bin
    
    USER ${USER_ID}
    
    ENTRYPOINT ["./schemaInit.sh"]
    
  2. Edit Dockerfile to change the repository and tag name from gm-db-setup:latest to the appropriate repository and tag name for the Global Mailbox db-setup image you downloaded.
  3. Run the following command to extend the Global Mailbox Certified Container image to include the host user:
    
    docker build -t ${desired tag}:${product version} \
      --build-arg USER_ID=${host_user_id} --build-arg GROUP_ID=${host_user_group_id} \
      --build-arg USER_NAME=${host_user_name} --build-arg GROUP_NAME=${host_user_group_name} \
      ${path/to/dockerfile}
    
    Note:
    • The build arguments host_user_id and host_user_group_id must be the numeric IDs (uid and gid) of the selected host user and group. The build arguments host_user_name and host_user_group_name must be the names of the selected host user and group.
    • If --build-arg for USER_NAME/GROUP_NAME is missing from the command, b2biuser/b2bigroup is used as the default USER_NAME/GROUP_NAME.
    • Use Docker version 19.03.5 or above to build the image. If the version is lower than the suggested one, you must hard-code the USER_NAME and GROUP_NAME in the following command in the Dockerfile:
      COPY --from=gm-base --chown=<hard coded username>:<hard coded groupname> /ibm /ibm
    • Use the new image id/tag for all subsequent Certified Container installation configurations.
    • If you want to use a completely different non-root user ID on the newly created image, you must also set runAsGroup to the group ID that was used, that is, ${host_user_group_id}.
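As an added example, not IBM's code, for the docker build step and the group-permission note above: these POSIX shell helpers assemble the --build-arg list from an explicit uid/gid/name set, refuse uid or gid 0 (the Dockerfile's "-ne 0" guards would then skip user and group creation and USER 0 would start the services as root), and check that a host folder destined for /ibm/trace or /ibm/documents grants its group rwx and carries the gid that goes into security.supplementalGroups. The function names gm_build_args and gm_check_mapped_dir are assumptions.

```shell
#!/bin/sh
# Assumed helpers (not part of the IBM image or its documentation).
set -eu

# Build the --build-arg list for the Dockerfiles above from explicit values.
# Fails for a non-numeric or zero uid/gid: with 0 the Dockerfile skips
# groupadd/adduser and "USER 0" runs the application services as root.
gm_build_args() {
  uid=$1; gid=$2; uname=$3; gname=$4
  case "$uid$gid" in
    *[!0-9]*) echo "uid and gid must be numeric" >&2; return 1 ;;
  esac
  if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
    echo "refusing uid/gid 0: the extended image would run as root" >&2
    return 1
  fi
  printf '%s' "--build-arg USER_ID=$uid --build-arg GROUP_ID=$gid --build-arg USER_NAME=$uname --build-arg GROUP_NAME=$gname"
}

# Check a folder that will be mapped to /ibm/trace or /ibm/documents:
# all three group permission bits set, and owned by the expected gid.
gm_check_mapped_dir() {
  dir=$1; gid=$2
  [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
  # -perm -g=rwx matches only when r, w and x are all set for the group
  find "$dir" -maxdepth 0 -perm -g=rwx | grep -q . \
    || { echo "$dir: group needs rwx permissions" >&2; return 1; }
  actual=$(stat -c %g "$dir" 2>/dev/null || stat -f %g "$dir")
  [ "$actual" = "$gid" ] \
    || { echo "$dir: owned by gid $actual, expected $gid" >&2; return 1; }
}

# Usage with the currently logged-in host user (mirrors the page's build
# command; TAG and DOCKERFILE_DIR are placeholders you set yourself):
# docker build -t "$TAG" \
#   $(gm_build_args "$(id -u)" "$(id -g)" "$(id -un)" "$(id -gn)") "$DOCKERFILE_DIR"
```

Run gm_check_mapped_dir against each host folder with the gid you pass as GROUP_ID, and put that same gid under security.supplementalGroups.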