WIP: allow supervisord to drop privileges to APP_USER

anarchivist · anarchivist · commit b00a8ba7d940 · 2025-12-01T12:45:41.000-08:00
diff --git a/Dockerfile b/Dockerfile
@@ -48,6 +48,11 @@ RUN apt-get install -y --no-install-recommends \
 RUN apt-get install -y --no-install-recommends openjdk-21-jre-headless
 
 RUN rm -rf /usr/local/WowzaStreamingEngine/java
+
+# for some reason, OpenJDK's default directory includes the architecture
+# name and does not symlink it to something more straightforward like
+# /usr/lib/jvm/java-21-openjdk so we have to detect the architecture
+
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) ln -s "/usr/lib/jvm/java-21-openjdk-${arch}" /usr/local/WowzaStreamingEngine/java
 
@@ -81,7 +86,7 @@ RUN venv/bin/pip3 install unittest-xml-reporting
 
 COPY --chown=$APP_USER test /opt/app/test
 
-# Put artifacts where Jenkins can get at them
+# Put artifacts where Github Actions can get at them
 RUN mkdir /opt/app/artifacts && \
     chown $APP_USER:$APP_USER /opt/app/artifacts
 
@@ -95,6 +100,13 @@ RUN for app in vod live; \
         rm -r /usr/local/WowzaStreamingEngine/conf/${app}; \
     done
 
+# modify supervisord configurations to run as $APP_USER
+# TODO: use templates to produce these files
+RUN sed -i "s/^user=root$/user=${APP_USER}/g" \
+    /etc/supervisor/conf.d/WowzaStreamingEngine.conf \
+    /etc/supervisor/conf.d/WowzaStreamingEngineManager.conf
+COPY etc/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
+
 # Copy our scripts, configs, templates, etc. into the container
 COPY --chown=$APP_USER WowzaStreamingEngine /usr/local/WowzaStreamingEngine
 COPY --chown=$APP_USER log4j-templates /opt/app/log4j-templates
@@ -135,11 +147,10 @@ RUN rm -r /opt/app/WEB-INF
 # Uninstall zip
 RUN apt-get remove -y zip
 
-# TODO: Fix this? Wowza's default image expects to run Wowza as root.
 # =============================================================================
-# Run as the wowza user to minimize risk to the host.
-
-# USER $APP_USER
+# Unlike most of our containers, this container starts as root as privileges
+# are dropped by supervisord instead of settingg the `USER` set in the 
+# Dockerfile.
 
 # =============================================================================
 # Default command
diff --git a/WowzaStreamingEngine/bin/startup.sh b/WowzaStreamingEngine/bin/startup.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+# this is a BerkeleyLibrary modified version of the WSE startup script
+
+# check for root access. If not, put up message and exit
+# if [ "$(/usr/bin/id -u)" -ne "0" ] ; then
+#     echo "The Wowza Streaming Engine requires root access to start. Please run script again using sudo."
+#     exit
+# fi
+
+systemctl >> /dev/null 2>&1
+if [ $? -eq 0 ]; then
+	# Restart XRM service
+	SERVICE_NAME="xrmd.service"
+	systemctl list-units --full -all | grep -Fq $SERVICE_NAME
+
+	if [ $? -eq 0 ]; then
+		echo "Restarting XRM service"
+		systemctl restart $SERVICE_NAME
+		. /opt/xilinx/xcdr/setup.sh
+	fi
+fi
+
+. /usr/local/WowzaStreamingEngine/bin/setenv.sh
+mode=standalone
+if [ "$#" -eq 1 ];
+then
+mode=$1
+fi
+
+#chmod 600 /usr/local/WowzaStreamingEngine/conf/jmxremote.password
+#chmod 600 /usr/local/WowzaStreamingEngine/conf/jmxremote.access
+
+# NOTE: Here you can configure the JVM's built in JMX interface.
+# See the "Server Management Console and Monitoring" chapter
+# of the "User's Guide" for more information on how to configure the
+# remote JMX interface in the [install-dir]/conf/Server.xml file.
+
+JMXOPTIONS=-Dcom.sun.management.jmxremote=true
+#JMXOPTIONS="$JMXOPTIONS -Djava.rmi.server.hostname=192.168.1.7"
+#JMXOPTIONS="$JMXOPTIONS -Dcom.sun.management.jmxremote.port=1099"
+#JMXOPTIONS="$JMXOPTIONS -Dcom.sun.management.jmxremote.authenticate=true"
+#JMXOPTIONS="$JMXOPTIONS -Dcom.sun.management.jmxremote.ssl=false"
+#JMXOPTIONS="$JMXOPTIONS -Dcom.sun.management.jmxremote.password.file=$WMSCONFIG_HOME/conf/jmxremote.password"
+#JMXOPTIONS="$JMXOPTIONS -Dcom.sun.management.jmxremote.access.file=$WMSCONFIG_HOME/conf/jmxremote.access"
+
+ulimit -n 64000 > /dev/null 2>&1
+
+rc=144
+while [ $rc -eq 144 ]
+do
+
+WMSTUNE_OPTS=`$WMSAPP_HOME/bin/tune.sh $mode`
+export LD_PRELOAD=`$WMSAPP_HOME/bin/ldpreload.sh`
+
+# log interceptor com.wowza.wms.logging.LogNotify - see Javadocs for ILogNotify
+
+$_EXECJAVA $WMSTUNE_OPTS $JMXOPTIONS -Dorg.slf4j.simpleLogger.defaultLogLevel=warn -Dcom.wowza.wms.runmode="$mode" -Dcom.wowza.wms.native.base="linux" -Dlog4j.configurationFile="$WMSCONFIG_HOME/conf/log4j2-config.xml" -Dcom.wowza.wms.AppHome="$WMSAPP_HOME" -Dcom.wowza.wms.ConfigURL="$WMSCONFIG_URL" -Dcom.wowza.wms.ConfigHome="$WMSCONFIG_HOME" -cp $WMSAPP_HOME/bin/wms-bootstrap.jar com.wowza.wms.bootstrap.Bootstrap start
+
+rc=$?
+if [ $rc -ge 10 ] && [ $rc -le 15 ] ; then
+    WSE_EXIT_CODE=$rc
+    $_EXECJAVA $WMSTUNE_OPTS $JMXOPTIONS -Dcom.wowza.wms.runmode="$mode" -Dcom.wowza.wms.native.base="linux" -Dlog4j.configurationFile="$WMSCONFIG_HOME/conf/log4j2-config.xml" -Dcom.wowza.wms.AppHome="$WMSAPP_HOME" -Dcom.wowza.wms.ConfigURL="$WMSCONFIG_URL" -Dcom.wowza.wms.ConfigHome="$WMSCONFIG_HOME" -cp $WMSAPP_HOME/bin/wms-bootstrap.jar com.wowza.wms.bootstrap.Bootstrap startLicenseUpdateServer
+    rc=$?
+fi
+done
diff --git a/etc/supervisor/supervisord.conf b/etc/supervisor/supervisord.conf
@@ -0,0 +1,29 @@
+; supervisor config file
+
+[unix_http_server]
+file=/tmp/supervisor.sock   ; (the path to the socket file)
+chmod=0700                       ; sockef file mode (default 0700)
+
+[supervisord]
+logfile=/usr/local/supervisor/supervisord.log ;
+pidfile=/tmp/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+childlogdir=/var/log/supervisor            ; ('AUTO' child log dir, default $TEMP)
+user=wowza
+
+; the below section must remain in the config file for RPC
+; (supervisorctl/web interface) to work, additional interfaces may be
+; added by defining them in separate rpcinterface: sections
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
+
+; The [include] section can just contain the "files" setting.  This
+; setting can list multiple files (separated by whitespace or
+; newlines).  It can also contain wildcards.  The filenames are
+; interpreted as relative to this file.  Included files *cannot*
+; include files themselves.
+
+[include]
+files = /etc/supervisor/conf.d/*.conf
