Cleanup PATH variable mangling

[jerome-benoit]

Description

Checklist

• Code compiles correctly
• Relevant tests were added (unit / contract / integration)
• Relevant logs were added
• Formatting and linting run locally successfully
• All tests pass
• UA review
• Design is documented
• Extended the README / documentation, if necessary
• Open source is approved

[rodibrin]

wonder why USER/USER_HOME_DIR instead of MTA_USER/MTA_USER_HOME is used!?

[jerome-benoit]

Cut&paste typo ...

Thanks.

[rodibrin]

according to the spec it's
ENV <key>=<value>
does it work without the equal too?

[jerome-benoit]

Both are working. The current Dockerfile use space, so let's keep it consistent with the style already used.

[rodibrin]

on the image i used i do not have this path entry:

mta@63fceb6d640d:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

is it intended that the root user has the home of mta?

root@b40df04c7063:/project# id
uid=0(root) gid=0(root) groups=0(root)
root@b40df04c7063:/project# echo $HOME
/home/mta

[jerome-benoit]

It's not intended and a genuine security bug, and as well as the HOME env variable redefinition.
The PATH env variable mangling is buggy as hell in that Dockerfile. I plan to fix it but in another PR.

Thanks.

[rodibrin]

Does this PR solve #1018 ?

How does this PR relate to #1023 ?

[jerome-benoit]

Does this PR solve #1018 ?

As stated in the PR description, yes, but for currently supported node.js/java versions combination. It does not include node 14 and java 8.

How does this PR relate to #1023 ?

That PR is a duplicate of #1013 unrelated to the issue fixed here.
It's relevant for you as it reintroduces the support for the version combination you are using.
The original image with the issue have been built with the previous Dockerfile before its rewrite and has serious security issues. In the meantime, you can use the one you've successfully tested to work that introduce the fix in that PR until the java 8 support is re-added and that fix goes in. It does not contain the insecure chmod -R 777 usage in #1023.

[rodibrin]

As stated in the PR description, yes, but for currently supported node.js/java versions combination. It does not include node 14 and java 8.

Which node/java versions does it cover. we offer the following to the customer:

• devxci/mbtci-java11-node14:
• devxci/mbtci-java11-node16:
• devxci/mbtci-java11-node18:
• devxci/mbtci-java8-node16:
• devxci/mbtci-java8-node18:
• devxci/mbtci-java8-node14:

In the meantime, you can use the one you've successfully tested to ...

Unfortunately, the CICD service doesn't allow to easily switch to an arbitrary image. So we have to wait for the release of #1023, right?

[jerome-benoit]

devxci/mbtci-java11-node14: devxci/mbtci-java11-node16: devxci/mbtci-java11-node18: —

Only Java 8 based images are not yet shipped as images generated with the latest Dockerfile in that repo.

…

-- Jerome BENOIT - SAP E-Mobility R&D Security and Software Engineer SAP S/4HANA IC & Q2C ENG Europe III SAP Labs France SAS, BP1216,805 Av. du Dr. Maurice Donat, 06254 Mougins Cedex, France ***@***.*** - +33 6 35 50 78 40 OpenPGP Key ID : 27B535D3 Key fingerprint : B799 BBF6 8EC8 911B B8D7 CDBC C3B1 92C6 27B5 35D3 Please consider the impact on the environment before printing this email.

[rodibrin]

LGTM

[jerome-benoit]

LGTM

@young-yang03: I think the HOME variable override is causing issues at creating the directory structure under NPM_CONFIG_PREFIX path. I will remove it in that PR.

Since that PR can't cause any regressions as as long as npm -g is used, it's fine to merge it, ship the images and let @rodibrin confirm it works.

[jerome-benoit]

LGTM

@rodibrin: Have you also tested the node 16 java variant: https://hub.docker.com/repository/docker/fraggle0/mbt-node16-java8-docker/general?
If not, could you please confirm (or infirm) it works?

[rodibrin]

Test of
fraggle0/mbt-node16-java8-docker:latest 0f64f79118ce 9 days ago 665MB
failed:

npm ERR! code 254
npm ERR! path /project/node_modules/hana-cli
npm ERR! command failed
npm ERR! command sh -c -- npm link @sap/cds-dk --local
npm ERR! npm ERR! code ENOENT
npm ERR! npm ERR! syscall lstat
npm ERR! npm ERR! path /home/mta/.npm-global/lib
npm ERR! npm ERR! errno -2
npm ERR! npm ERR! enoent ENOENT: no such file or directory, lstat '/home/mta/.npm-global/lib'
npm ERR! npm ERR! enoent This is related to npm not being able to find a file.
npm ERR! npm ERR! enoent
npm ERR!
npm ERR! npm ERR! A complete log of this run can be found in:
npm ERR! npm ERR!     /home/mta/.npm/_logs/2023-02-02T09_12_44_959Z-debug-0.log

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/mta/.npm/_logs/2023-02-02T08_55_30_802Z-debug-0.log

mta@ba01bd395d75:/project$ ls -ali /home/mta/
total 48
1926508 drwxrwxrwx 1 mta  mta  4096 Feb  2 09:12 .
1926507 drwxr-xr-x 1 root root 4096 Jan 16 22:47 ..
1926509 -rw-r--r-- 1 mta  mta   220 Mar 27  2022 .bash_logout
1926510 -rw-r--r-- 1 mta  mta  3526 Mar 27  2022 .bashrc
1934075 drwxr-xr-x 3 mta  mta  4096 Feb  2 09:12 .cache
1934070 drwx------ 3 mta  mta  4096 Feb  2 09:12 .hdb
1926511 drwxr-xr-x 1 mta  mta  4096 Feb  2 08:55 .npm
1926517 drwxr-xr-x 2 mta  mta  4096 Jan 23 10:52 .npm-global
1926518 -rw-r--r-- 1 mta  mta   807 Mar 27  2022 .profile
mta@ba01bd395d75:/project$ ls -ali /home/mta/.npm-global/
total 12
1926517 drwxr-xr-x 2 mta mta 4096 Jan 23 10:52 .
1926508 drwxrwxrwx 1 mta mta 4096 Feb  2 09:12 ..

[jerome-benoit]

Test of fraggle0/mbt-node16-java8-docker:latest 0f64f79118ce 9 days ago 665MB failed:

Ok, thanks. I'm pushing the test images with the directory pre-creation. Dunno why npm does not properly populate it with latest version.

Could you please re-test?

[rodibrin]

test succeeded:

fraggle0/mbt-node16-java8-docker latest bcc6a780a618 3 hours ago 665MB