Owls 91448 - Prevent insecure file system warnings by ensuring files are at a minimum of umask 027 and handle Openshift platform.

kubernetes/charts/weblogic-operator/templates/_operator-dep.tpl

@@ -64,6 +64,8 @@ spec:
           value: "false"
         - name: "JAVA_LOGGING_LEVEL"
           value: {{ .javaLoggingLevel | quote }}
+        - name: "KUBERNETES_PLATFORM"
+          value: {{ .kubernetesPlatform | quote }}
         - name: "JAVA_LOGGING_MAXSIZE"
           value: {{ .javaLoggingFileSizeLimit | default 20000000 | quote }}
         - name: "JAVA_LOGGING_COUNT"

operator/scripts/operator.sh

@@ -59,6 +59,10 @@ if [ "${MOCK_WLS}" == 'true' ]; then
   MOCKING_WLS="-DmockWLS=true"
 fi
 
+if [ ! -z "${KUBERNETES_PLATFORM}" ]; then
+  PLATFORM="-DkubernetesPlatform=$KUBERNETES_PLATFORM"
+fi
+
 LOGGING="-Djava.util.logging.config.file=${LOGGING_CONFIG}"
 mkdir -m 777 -p /logs
 cp /operator/logstash.conf /logs/logstash.conf
@@ -69,6 +73,6 @@ cp /operator/logstash.conf /logs/logstash.conf
 HEAP="-XshowSettings:vm"
 
 # Start operator
-java $HEAP $MOCKING_WLS $DEBUG $LOGGING -jar /operator/weblogic-kubernetes-operator.jar &
+java $HEAP $MOCKING_WLS $DEBUG $LOGGING $PLATFORM -jar /operator/weblogic-kubernetes-operator.jar &
 PID=$!
 wait $PID

operator/src/main/java/oracle/kubernetes/operator/helpers/PodStepContext.java

@@ -929,6 +929,7 @@ void addStartupEnvVars(List<V1EnvVar> vars) {
     Optional.ofNullable(getDataHome()).ifPresent(v -> addEnvVar(vars, ServerEnvVars.DATA_HOME, v));
     Optional.ofNullable(getServerSpec().getAuxiliaryImages()).ifPresent(cm -> addAuxiliaryImageEnv(cm, vars));
     addEnvVarIfTrue(mockWls(), vars, "MOCK_WLS");
+    Optional.ofNullable(getKubernetesPlatform()).ifPresent(v -> addEnvVar(vars, ServerEnvVars.KUBERNETES_PLATFORM, v));
   }
 
   protected void addAuxiliaryImageEnv(List<AuxiliaryImage> auxiliaryImageList, List<V1EnvVar> vars) {
@@ -1079,6 +1080,10 @@ private boolean mockWls() {
     return Boolean.getBoolean("mockWLS");
   }
 
+  private String getKubernetesPlatform() {
+    return System.getProperty("kubernetesPlatform");
+  }
+
   private abstract class BaseStep extends Step {
     BaseStep() {
       this(null);

operator/src/main/java/oracle/kubernetes/weblogic/domain/model/ServerEnvVars.java

@@ -62,10 +62,12 @@ public class ServerEnvVars {
   /** If present, pod scripts will watch for changes to override configurations and move them into place. */
   public static final String DYNAMIC_CONFIG_OVERRIDE = "DYNAMIC_CONFIG_OVERRIDE";
 
+  public static final String KUBERNETES_PLATFORM = "KUBERNETES_PLATFORM";
+
   private static final List<String> RESERVED_NAMES = Arrays.asList(
         DOMAIN_UID, DOMAIN_NAME, DOMAIN_HOME, NODEMGR_HOME, SERVER_NAME, SERVICE_NAME,
         ADMIN_NAME, AS_SERVICE_NAME, ADMIN_PORT, ADMIN_PORT_SECURE, ADMIN_SERVER_PORT_SECURE,
-        LOG_HOME, SERVER_OUT_IN_POD_LOG, DATA_HOME, ACCESS_LOG_IN_LOG_HOME, DYNAMIC_CONFIG_OVERRIDE);
+        LOG_HOME, SERVER_OUT_IN_POD_LOG, DATA_HOME, ACCESS_LOG_IN_LOG_HOME, DYNAMIC_CONFIG_OVERRIDE, KUBERNETES_PLATFORM);
 
   static boolean isReserved(String name) {
     return RESERVED_NAMES.contains(name);

operator/src/main/resources/scripts/modelInImage.sh

@@ -541,7 +541,7 @@ function createModelDomain() {
       trace "Using newly created domain"
     elif [ -f ${PRIMORDIAL_DOMAIN_ZIPPED} ] ; then
       trace "Using existing primordial domain"
-      cd / && base64 -d ${PRIMORDIAL_DOMAIN_ZIPPED} > ${LOCAL_PRIM_DOMAIN_ZIP} && tar -xzf ${LOCAL_PRIM_DOMAIN_ZIP}
+      cd / && base64 -d ${PRIMORDIAL_DOMAIN_ZIPPED} > ${LOCAL_PRIM_DOMAIN_ZIP} && tar -pxzf ${LOCAL_PRIM_DOMAIN_ZIP}
       # create empty lib since we don't archive it in primordial zip and WDT will fail without it
       mkdir ${DOMAIN_HOME}/lib
       # Since the SerializedSystem ini is encrypted, restore it first
@@ -564,7 +564,7 @@ function createModelDomain() {
 function restoreDomainConfig() {
   restoreEncodedTar "domainzip.secure" || return 1
 
-  chmod +x ${DOMAIN_HOME}/bin/*.sh ${DOMAIN_HOME}/*.sh  || return 1
+  chmod u+x ${DOMAIN_HOME}/bin/*.sh ${DOMAIN_HOME}/*.sh  || return 1
 }
 
 # Expands into the root directory the MII primordial domain, stored in one or more config maps
@@ -580,7 +580,7 @@ function restoreEncodedTar() {
   cat $(ls ${OPERATOR_ROOT}/introspector*/${1} | sort -t- -k3) > /tmp/domain.secure || return 1
   base64 -d "/tmp/domain.secure" > /tmp/domain.tar.gz || return 1
 
-  tar -xzf /tmp/domain.tar.gz || return 1
+  tar -pxzf /tmp/domain.tar.gz || return 1
 }
 
 # This is before WDT compareModel implementation

operator/src/main/resources/scripts/startServer.sh

@@ -290,12 +290,27 @@ createFolder ${DOMAIN_HOME}/servers/${SERVER_NAME}/security
 copyIfChanged /weblogic-operator/introspector/boot.properties \
               ${DOMAIN_HOME}/servers/${SERVER_NAME}/security/boot.properties
 
+# remove write and execute permissions for group to prevent insecure file system warnings.
+chmod g-wx  ${DOMAIN_HOME}/servers/${SERVER_NAME}/security/boot.properties
+
+
 if [ ${DOMAIN_SOURCE_TYPE} != "FromModel" ]; then
   trace "Copying situational configuration files from operator cm to ${DOMAIN_HOME}/optconfig directory"
   copySitCfgWhileBooting /weblogic-operator/introspector ${DOMAIN_HOME}/optconfig             'Sit-Cfg-CFG--'
   copySitCfgWhileBooting /weblogic-operator/introspector ${DOMAIN_HOME}/optconfig/jms         'Sit-Cfg-JMS--'
   copySitCfgWhileBooting /weblogic-operator/introspector ${DOMAIN_HOME}/optconfig/jdbc        'Sit-Cfg-JDBC--'
   copySitCfgWhileBooting /weblogic-operator/introspector ${DOMAIN_HOME}/optconfig/diagnostics 'Sit-Cfg-WLDF--'
+else
+  if [[ ${KUBERNETES_PLATFORM^^} == "OPENSHIFT" ]]; then
+    # Operator running on Openshift platform - change file permissions in the DOMAIN_HOME dir to give
+    # group same permissions as user .
+    chmod -R g=u ${DOMAIN_HOME} || return 1
+  fi
+fi
+
+if [[ ${KUBERNETES_PLATFORM^^} == "OPENSHIFT" ]]; then
+    # When the Operator is running on Openshift platform, disable insecure file system warnings.
+    export JAVA_OPTIONS="-Dweblogic.SecureMode.WarnOnInsecureFileSystem=false $JAVA_OPTIONS"
 fi
 
 #

operator/src/test/sh/modelInImageTest.sh

@@ -82,13 +82,13 @@ testOnRestoreDomainConfig_base64DecodeZip() {
 testOnRestoreDomainConfig_unTarDomain() {
   restoreDomainConfig
 
-  assertEquals "TAR command arguments" "-xzf /tmp/domain.tar.gz" "$TAR_ARGS"
+  assertEquals "TAR command arguments" "-pxzf /tmp/domain.tar.gz" "$TAR_ARGS"
 }
 
 testOnRestoreDomainConfig_makeScriptsExecutable() {
   restoreDomainConfig
 
-  assertEquals "CD command arguments" "+x ${DOMAIN_HOME}/bin/*.sh ${DOMAIN_HOME}/*.sh" "$CHMOD_ARGS"
+  assertEquals "CD command arguments" "u+x ${DOMAIN_HOME}/bin/*.sh ${DOMAIN_HOME}/*.sh" "$CHMOD_ARGS"
 }
 
 testOnRestorePrimordialDomain_useRootDirectory() {
@@ -119,7 +119,7 @@ testOnRestoreDomainConfig_whenNoIndexesDefinedCatSingleFile() {
 testOnRestorePrimordialDomain_unTarDomain() {
   restorePrimordialDomain
 
-  assertEquals "TAR command arguments" "-xzf /tmp/domain.tar.gz" "$TAR_ARGS"
+  assertEquals "TAR command arguments" "-pxzf /tmp/domain.tar.gz" "$TAR_ARGS"
 }
 
 ######################### Mocks for the tests ###############
@@ -168,4 +168,4 @@ chmod() {
 . ${SCRIPTPATH}/modelInImage.sh
 
 # shellcheck source=target/classes/shunit/shunit2
-. ${SHUNIT2_PATH}
+. ${SHUNIT2_PATH}