allow supervisord to drop privileges to APP_USER

Author: anarchivist

Dockerfile

@@ -27,6 +27,7 @@ RUN apt-get update -qq
 RUN apt-get install -y --no-install-recommends \
     curl \
     dnsutils \
+    gettext \
     iputils-ping
 
 # =============================================================================
@@ -48,6 +49,11 @@ RUN apt-get install -y --no-install-recommends \
 RUN apt-get install -y --no-install-recommends openjdk-21-jre-headless
 
 RUN rm -rf /usr/local/WowzaStreamingEngine/java
+
+# for some reason, OpenJDK's default directory includes the architecture
+# name and does not symlink it to something more straightforward like
+# /usr/lib/jvm/java-21-openjdk so we have to detect the architecture
+
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) ln -s "/usr/lib/jvm/java-21-openjdk-${arch}" /usr/local/WowzaStreamingEngine/java
 
@@ -67,6 +73,10 @@ RUN usermod -u $APP_UID $APP_USER && \
 # transfer now-orphaned files to new wowza user (-h to chown symlinks)
 RUN find / -xdev -nouser -exec chown -h $APP_USER:$APP_USER {} \;
 
+# set variables to be used by envsubst to overwrite the default wowza config
+ENV SUPERVISORD_PID_FILE=/tmp/supervisord.pid
+ENV SUPERVISORD_SOCKET_FILE=/tmp/supervisor.sock
+
 # =============================================================================
 # Set working directory
 
@@ -81,7 +91,7 @@ RUN venv/bin/pip3 install unittest-xml-reporting
 
 COPY --chown=$APP_USER test /opt/app/test
 
-# Put artifacts where Jenkins can get at them
+# Put artifacts where Github Actions can get at them
 RUN mkdir /opt/app/artifacts && \
     chown $APP_USER:$APP_USER /opt/app/artifacts
 
@@ -98,6 +108,7 @@ RUN for app in vod live; \
 # Copy our scripts, configs, templates, etc. into the container
 COPY --chown=$APP_USER WowzaStreamingEngine /usr/local/WowzaStreamingEngine
 COPY --chown=$APP_USER log4j-templates /opt/app/log4j-templates
+COPY --chown=$APP_USER etc_templates /opt/app/etc_templates
 COPY --chown=$APP_USER bin /opt/app/bin
 
 # =============================================================================
@@ -135,11 +146,10 @@ RUN rm -r /opt/app/WEB-INF
 # Uninstall zip
 RUN apt-get remove -y zip
 
-# TODO: Fix this? Wowza's default image expects to run Wowza as root.
 # =============================================================================
-# Run as the wowza user to minimize risk to the host.
-
-# USER $APP_USER
+# Unlike most of our containers, this container starts as root as privileges
+# are dropped by supervisord instead of setting the `USER` set in the
+# Dockerfile.
 
 # =============================================================================
 # Default command

WowzaStreamingEngine/bin/startup.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# this is a BerkeleyLibrary modified version of the WSE startup script
+
+# check for root access. If not, put up message and exit
+# if [ "$(/usr/bin/id -u)" -ne "0" ] ; then
+#     echo "The Wowza Streaming Engine requires root access to start. Please run script again using sudo."
+#     exit
+# fi
+
+systemctl >> /dev/null 2>&1
+if [ $? -eq 0 ]; then
+	# Restart XRM service
+	SERVICE_NAME="xrmd.service"
+	systemctl list-units --full -all | grep -Fq $SERVICE_NAME
+
+	if [ $? -eq 0 ]; then
+		echo "Restarting XRM service"
+		systemctl restart $SERVICE_NAME
+		. /opt/xilinx/xcdr/setup.sh
+	fi
+fi
+
+. /usr/local/WowzaStreamingEngine/bin/setenv.sh
+mode=standalone
+if [ "$#" -eq 1 ];
+then
+mode=$1
+fi
+
+#chmod 600 /usr/local/WowzaStreamingEngine/conf/jmxremote.password
+#chmod 600 /usr/local/WowzaStreamingEngine/conf/jmxremote.access
+
+# NOTE: Here you can configure the JVM's built in JMX interface.
+# See the "Server Management Console and Monitoring" chapter
+# of the "User's Guide" for more information on how to configure the
+# remote JMX interface in the [install-dir]/conf/Server.xml file.
+
+JMXOPTIONS=-Dcom.sun.management.jmxremote=true
+#JMXOPTIONS="$JMXOPTIONS -Djava.rmi.server.hostname=192.168.1.7"
+#JMXOPTIONS="$JMXOPTIONS -Dcom.sun.management.jmxremote.port=1099"
+#JMXOPTIONS="$JMXOPTIONS -Dcom.sun.management.jmxremote.authenticate=true"
+#JMXOPTIONS="$JMXOPTIONS -Dcom.sun.management.jmxremote.ssl=false"
+#JMXOPTIONS="$JMXOPTIONS -Dcom.sun.management.jmxremote.password.file=$WMSCONFIG_HOME/conf/jmxremote.password"
+#JMXOPTIONS="$JMXOPTIONS -Dcom.sun.management.jmxremote.access.file=$WMSCONFIG_HOME/conf/jmxremote.access"
+
+ulimit -n 64000 > /dev/null 2>&1
+
+rc=144
+while [ $rc -eq 144 ]
+do
+
+WMSTUNE_OPTS=`$WMSAPP_HOME/bin/tune.sh $mode`
+export LD_PRELOAD=`$WMSAPP_HOME/bin/ldpreload.sh`
+
+# log interceptor com.wowza.wms.logging.LogNotify - see Javadocs for ILogNotify
+
+$_EXECJAVA $WMSTUNE_OPTS $JMXOPTIONS -Dorg.slf4j.simpleLogger.defaultLogLevel=warn -Dcom.wowza.wms.runmode="$mode" -Dcom.wowza.wms.native.base="linux" -Dlog4j.configurationFile="$WMSCONFIG_HOME/conf/log4j2-config.xml" -Dcom.wowza.wms.AppHome="$WMSAPP_HOME" -Dcom.wowza.wms.ConfigURL="$WMSCONFIG_URL" -Dcom.wowza.wms.ConfigHome="$WMSCONFIG_HOME" -cp $WMSAPP_HOME/bin/wms-bootstrap.jar com.wowza.wms.bootstrap.Bootstrap start
+
+rc=$?
+if [ $rc -ge 10 ] && [ $rc -le 15 ] ; then
+    WSE_EXIT_CODE=$rc
+    $_EXECJAVA $WMSTUNE_OPTS $JMXOPTIONS -Dcom.wowza.wms.runmode="$mode" -Dcom.wowza.wms.native.base="linux" -Dlog4j.configurationFile="$WMSCONFIG_HOME/conf/log4j2-config.xml" -Dcom.wowza.wms.AppHome="$WMSAPP_HOME" -Dcom.wowza.wms.ConfigURL="$WMSCONFIG_URL" -Dcom.wowza.wms.ConfigHome="$WMSCONFIG_HOME" -cp $WMSAPP_HOME/bin/wms-bootstrap.jar com.wowza.wms.bootstrap.Bootstrap startLicenseUpdateServer
+    rc=$?
+fi
+done

bin/docker-entrypoint.sh

@@ -31,6 +31,12 @@ export WSE_MGR_USER=$WOWZA_MANAGER_USER
 export WSE_MGR_PASS=$WOWZA_MANAGER_PASSWORD
 export WSE_LIC=$WOWZA_LICENSE_KEY
 
+# use envsubst to transform templates into supervisord config files
+echo "Creating supervisord configuration files from templates..."
+envsubst < /opt/app/etc_templates/supervisor/supervisord.conf.tmpl > /etc/supervisor/supervisord.conf
+envsubst < /opt/app/etc_templates/supervisor/conf.d/WowzaStreamingEngine.conf.tmpl > /etc/supervisor/conf.d/WowzaStreamingEngine.conf
+envsubst < /opt/app/etc_templates/supervisor/conf.d/WowzaStreamingEngineManager.conf.tmpl > /etc/supervisor/conf.d/WowzaStreamingEngineManager.conf
+
 # ########################################
 # Start server and manager by handing off to Wowza's entrypoint
 

etc_templates/supervisor/conf.d/WowzaStreamingEngine.conf.tmpl

@@ -0,0 +1,9 @@
+[program:WowzaStreamingEngine]
+priority=10
+directory=/usr/local/WowzaStreamingEngine/bin
+command=/usr/local/WowzaStreamingEngine/bin/startup.sh
+user=${APP_USER}
+autostart=true
+autorestart=true
+stdout_logfile=/usr/local/supervisor/supervisorStdOut.log
+stderr_logfile=/usr/local/supervisor/supervisorStdErr.log

etc_templates/supervisor/conf.d/WowzaStreamingEngineManager.conf.tmpl

@@ -0,0 +1,9 @@
+[program:WowzaStreamingEngineManager]
+priority=20
+directory=/usr/local/WowzaStreamingEngine/manager/bin
+command=/usr/local/WowzaStreamingEngine/manager/bin/startmgr.sh
+user=${APP_USER}
+autostart=true
+autorestart=true
+stdout_logfile=/usr/local/supervisor/supervisorStdOut.log
+stderr_logfile=/usr/local/supervisor/supervisorStdErr.log

etc_templates/supervisor/supervisord.conf.tmpl

@@ -0,0 +1,29 @@
+; supervisor config file
+
+[unix_http_server]
+file=${SUPERVISORD_SOCKET_FILE}   ; (the path to the socket file)
+chmod=0700                       ; sockef file mode (default 0700)
+
+[supervisord]
+logfile=/usr/local/supervisor/supervisord.log ;
+pidfile=${SUPERVISORD_PID_FILE} ; (supervisord pidfile;default supervisord.pid)
+childlogdir=/var/log/supervisor            ; ('AUTO' child log dir, default $TEMP)
+user=${APP_USER}
+
+; the below section must remain in the config file for RPC
+; (supervisorctl/web interface) to work, additional interfaces may be
+; added by defining them in separate rpcinterface: sections
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix://${SUPERVISORD_SOCKET_FILE} ; use a unix:// URL  for a unix socket
+
+; The [include] section can just contain the "files" setting.  This
+; setting can list multiple files (separated by whitespace or
+; newlines).  It can also contain wildcards.  The filenames are
+; interpreted as relative to this file.  Included files *cannot*
+; include files themselves.
+
+[include]
+files = /etc/supervisor/conf.d/*.conf