Revert domain file permissions to umask 027 with explicit OpenShift override (#317)

* revert chmod settings that override WLS domain default umask 027 unless requested by the user

* if not specified, set OS group default to root

* add integration test for OpenShift target setting

Author: ddsharpe

imagetool/src/main/java/com/oracle/weblogic/imagetool/cli/menu/CommonOptions.java

@@ -54,6 +54,10 @@ public abstract class CommonOptions {
     abstract String getInstallerVersion();
 
     private void handleChown() {
+        if (osUserAndGroup == null) {
+            return;
+        }
+
         if (osUserAndGroup.length != 2) {
             throw new IllegalArgumentException(Utils.getMessage("IMG-0027"));
         }
@@ -180,6 +184,14 @@ void init(String buildId) throws InvalidCredentialException, IOException {
         handleChown();
         handleAdditionalBuildCommands();
 
+        if (kubernetesTarget == KubernetesTarget.OpenShift) {
+            dockerfileOptions.setDomainGroupAsUser(true);
+            // if the user did not set the OS user:group, make the default oracle:root, instead of oracle:oracle
+            if (osUserAndGroup == null) {
+                dockerfileOptions.setGroupId("root");
+            }
+        }
+
         logger.exiting();
     }
 
@@ -497,8 +509,7 @@ String getPassword() {
     @Option(
         names = {"--chown"},
         split = ":",
-        description = "userid:groupid for JDK/Middleware installs and patches. Default: ${DEFAULT-VALUE}.",
-        defaultValue = "oracle:oracle"
+        description = "userid:groupid for JDK/Middleware installs and patches. Default: oracle:oracle."
     )
     private String[] osUserAndGroup;
 
@@ -583,6 +594,13 @@ String getPassword() {
     )
     String buildEngine = "docker";
 
+    @Option(
+        names = {"--target"},
+        description = "Apply settings appropriate to the target environment. Default: ${DEFAULT-VALUE}"
+            + " Supported values: ${COMPLETION-CANDIDATES}"
+    )
+    KubernetesTarget kubernetesTarget = KubernetesTarget.Default;
+
     @SuppressWarnings("unused")
     @Unmatched
 

imagetool/src/main/java/com/oracle/weblogic/imagetool/cli/menu/KubernetesTarget.java

@@ -0,0 +1,9 @@
+// Copyright (c) 2021, Oracle and/or its affiliates.
+// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+package com.oracle.weblogic.imagetool.cli.menu;
+
+public enum KubernetesTarget {
+    Default,
+    OpenShift
+}

imagetool/src/main/java/com/oracle/weblogic/imagetool/util/DockerfileOptions.java

@@ -59,6 +59,7 @@ public class DockerfileOptions {
     private PackageManagerType pkgMgr;
     private List<String> patchFilenames;
     private MiddlewareInstall mwInstallers;
+    private boolean domainGroupAsUser;
 
     // WDT values
     private String wdtHome;
@@ -88,12 +89,15 @@ public DockerfileOptions(String buildId) {
         updateOpatch = false;
         skipJavaInstall = false;
         skipMiddlewareInstall = false;
+        domainGroupAsUser = false;
 
         javaHome = DEFAULT_JAVA_HOME;
         oracleHome = DEFAULT_ORACLE_HOME;
         invLoc = DEFAULT_INV_LOC;
         oraInvDir = DEFAULT_ORAINV_DIR;
 
+        username = "oracle";
+        groupname = "oracle";
         tempDirectory = "/tmp/imagetool";
 
         baseImageName = "ghcr.io/oracle/oraclelinux:7-slim";
@@ -1016,4 +1020,14 @@ public DockerfileOptions setWdtBase(String value) {
         wdtBase = value;
         return this;
     }
+
+    public DockerfileOptions setDomainGroupAsUser(boolean value) {
+        domainGroupAsUser = value;
+        return this;
+    }
+
+    @SuppressWarnings("unused")
+    public boolean domainGroupAsUser() {
+        return domainGroupAsUser;
+    }
 }

imagetool/src/main/resources/docker-files/Rebase_Image.mustache

@@ -72,7 +72,9 @@ RUN mkdir -p {{domain_home}}
     {{/isWdtModelHomeOutsideWdtHome}}
 {{/modelOnly}}
 
-RUN chmod g+w {{{domain_home}}}
+{{#domainGroupAsUser}}
+    RUN chmod g=u {{{domain_home}}}
+{{/domainGroupAsUser}}
 
 WORKDIR {{{work_dir}}}
 

imagetool/src/main/resources/docker-files/final-wdt-copy.mustache

@@ -10,9 +10,13 @@
     {{#isWdtModelHomeOutsideWdtHome}}
         COPY --from=wdt_build --chown={{userid}}:{{groupid}} {{wdt_model_home}} {{wdt_model_home}}/
     {{/isWdtModelHomeOutsideWdtHome}}
-    RUN chmod g+w {{{domain_parent}}} {{{wdt_home}}} {{{wdt_model_home}}}
+    {{#domainGroupAsUser}}
+        RUN chmod g=u {{{domain_parent}}} {{{wdt_home}}} {{{wdt_model_home}}}
+    {{/domainGroupAsUser}}
 {{/modelOnly}}
 {{^modelOnly}}
     COPY --from=wdt_build --chown={{userid}}:{{groupid}} {{{domain_home}}} {{{domain_home}}}/
-    RUN chmod g+w {{{domain_home}}}
+    {{#domainGroupAsUser}}
+        RUN chmod g=u {{{domain_home}}}
+    {{/domainGroupAsUser}}
 {{/modelOnly}}

imagetool/src/main/resources/docker-files/run-wdt.mustache

@@ -56,13 +56,17 @@ RUN test -d {{{wdt_home}}}/weblogic-deploy && rm -rf {{{wdt_home}}}/weblogic-dep
     {{#runRcu}}
         -run_rcu \
     {{/runRcu}}
-    {{{wdtVariableFileArgument}}} {{{wdtModelFileArgument}}} {{{wdtArchiveFileArgument}}} \
-    && chmod -R g+w {{{domain_home}}}
+    {{{wdtVariableFileArgument}}} {{{wdtModelFileArgument}}} {{{wdtArchiveFileArgument}}}
+    {{#domainGroupAsUser}}
+        RUN chmod -R g=u {{{domain_home}}}
+    {{/domainGroupAsUser}}
 {{/modelOnly}}
 {{#isWdtValidateEnabled}}
     RUN cd {{{wdt_home}}}/weblogic-deploy/bin \
     && rm ./*.cmd \
-    && chmod -R g+w {{{wdt_home}}}/weblogic-deploy/lib \
+    {{#domainGroupAsUser}}
+        && chmod -R g=u {{{wdt_home}}}/weblogic-deploy/lib \
+    {{/domainGroupAsUser}}
     && ./validateModel.sh {{^strictValidation}}-method lax{{/strictValidation}} \
     -oracle_home {{{oracle_home}}} \
     -domain_type {{domainType}} \

tests/src/test/java/com/oracle/weblogic/imagetool/tests/ITImagetool.java

@@ -16,6 +16,7 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import com.oracle.weblogic.imagetool.cli.menu.KubernetesTarget;
 import com.oracle.weblogic.imagetool.logging.LoggingFacade;
 import com.oracle.weblogic.imagetool.logging.LoggingFactory;
 import com.oracle.weblogic.imagetool.tests.annotations.IntegrationTest;
@@ -970,13 +971,13 @@ void createMiiOl8slim(TestInfo testInfo) throws Exception {
             // verify the docker image is created
             assertTrue(imageExists(tagName), "Image was not created: " + tagName);
 
-            validateFilePermissions("/u01/domains", "drwxrwxr-x", tagName, out);
-            validateFilePermissions("/u01/wdt", "drwxrwxr-x", tagName, out);
-            validateFilePermissions("/u01/wdt/models", "drwxrwxr-x", tagName, out);
-            validateFilePermissions("/u01/wdt/weblogic-deploy", "drwxr-x---", tagName, out);
-            validateFilePermissions("/u01/oracle", "drwxr-xr-x", tagName, out);
-            validateFilePermissions("/u01/wdt/weblogic-deploy/bin/createDomain.sh", "-rwxr-x---", tagName, out);
-            validateFilePermissions("/u01/wdt/weblogic-deploy/bin/validateModel.sh", "-rwxr-x---", tagName, out);
+            verifyFilePermissions("/u01/domains", "drwxr-xr-x", tagName, out);
+            verifyFilePermissions("/u01/wdt", "drwxr-xr-x", tagName, out);
+            verifyFilePermissions("/u01/wdt/models", "drwxr-xr-x", tagName, out);
+            verifyFilePermissions("/u01/wdt/weblogic-deploy", "drwxr-x---", tagName, out);
+            verifyFilePermissions("/u01/oracle", "drwxr-xr-x", tagName, out);
+            verifyFilePermissions("/u01/wdt/weblogic-deploy/bin/createDomain.sh", "-rwxr-x---", tagName, out);
+            verifyFilePermissions("/u01/wdt/weblogic-deploy/bin/validateModel.sh", "-rwxr-x---", tagName, out);
         }
     }
 
@@ -989,7 +990,7 @@ void createMiiOl8slim(TestInfo testInfo) throws Exception {
      * @throws IOException if process start fails
      * @throws InterruptedException if the wait is interrupted before the process completes
      */
-    private void validateFilePermissions(String path, String expected, String tagName, PrintWriter out)
+    private void verifyFilePermissions(String path, String expected, String tagName, PrintWriter out)
         throws IOException, InterruptedException {
         String command = String.format(" docker run --rm -t %s ls -ld %s", tagName, path);
         String actual = Runner.run(command, out, logger).stdout().trim();
@@ -1028,8 +1029,8 @@ void updateAddModel(TestInfo testInfo) throws Exception {
 
             // verify the docker image is created
             assertTrue(imageExists(tagName), "Image was not created: " + tagName);
-            validateFilePermissions("/u01/wdt/weblogic-deploy/bin/createDomain.sh", "-rwxr-x---", tagName, out);
-            validateFilePermissions("/u01/wdt/weblogic-deploy/bin/validateModel.sh", "-rwxr-x---", tagName, out);
+            verifyFilePermissions("/u01/wdt/weblogic-deploy/bin/createDomain.sh", "-rwxr-x---", tagName, out);
+            verifyFilePermissions("/u01/wdt/weblogic-deploy/bin/validateModel.sh", "-rwxr-x---", tagName, out);
         }
     }
 
@@ -1064,4 +1065,41 @@ void updateAddSecondModel(TestInfo testInfo) throws Exception {
             assertTrue(imageExists(tagName), "Image was not created: " + tagName);
         }
     }
+
+    /**
+     * create WLS image with OpenShift settings.
+     *
+     * @throws Exception - if any error occurs
+     */
+    @Test
+    @Order(30)
+    @Tag("nightly")
+    @DisplayName("Create image with OpenShift settings")
+    void createWlsImgWithOpenShiftSettings(TestInfo testInfo) throws Exception {
+        String tagName = build_tag + ":" + getMethodName(testInfo);
+        String command = new CreateCommand()
+            .jdkVersion(JDK_VERSION)
+            .tag(tagName)
+            .wdtVersion(WDT_VERSION)
+            .wdtArchive(WDT_ARCHIVE)
+            .wdtDomainHome("/u01/domains/simple_domain")
+            .wdtModel(WDT_MODEL, WDT_MODEL2)
+            .wdtVariables(WDT_VARIABLES)
+            .target(KubernetesTarget.OpenShift)
+            .build();
+
+        try (PrintWriter out = getTestMethodWriter(testInfo)) {
+            CommandResult result = Runner.run(command, out, logger);
+            assertEquals(0, result.exitValue(), "for command: " + command);
+
+            // verify the docker image is created
+            assertTrue(imageExists(tagName), "Image was not created: " + tagName);
+
+            // verify the file permissions on the domain directory were set correctly
+            verifyFilePermissions("/u01/domains/simple_domain", "drwxrwxr-x", tagName, out);
+        }
+
+    }
+
+
 }

tests/src/test/java/com/oracle/weblogic/imagetool/tests/utils/CreateCommand.java

@@ -7,6 +7,8 @@
 import java.util.Arrays;
 import java.util.stream.Collectors;
 
+import com.oracle.weblogic.imagetool.cli.menu.KubernetesTarget;
+
 public class CreateCommand extends ImageToolCommand {
     private String version;
     private String type;
@@ -20,6 +22,7 @@ public class CreateCommand extends ImageToolCommand {
     private String passwordEnv;
     private String patches;
     private String additionalBuildCommands;
+    private String kubernetesTarget;
 
     // WDT flags
     private String wdtVersion;
@@ -89,12 +92,16 @@ public CreateCommand patches(String... values) {
         return this;
     }
 
-
     public CreateCommand additionalBuildCommands(Path value) {
         additionalBuildCommands = value.toString();
         return this;
     }
 
+    public CreateCommand target(KubernetesTarget value) {
+        kubernetesTarget = value.toString();
+        return this;
+    }
+
     public CreateCommand wdtVersion(String value) {
         wdtVersion = value;
         return this;
@@ -152,6 +159,7 @@ public String build() {
             + field("--passwordEnv", passwordEnv)
             + field("--patches", patches)
             + field("--additionalBuildCommands", additionalBuildCommands)
+            + field("--target", kubernetesTarget)
             + field("--wdtVersion", wdtVersion)
             + field("--wdtModel", wdtModel)
             + field("--wdtArchive", wdtArchive)