Proposal to Dockerize ova-webserver

[anchal-agrawal]

From @pstroia:

I'm opening this bug to start an open discussion about Dockerizing the two processes in the OVA that listen to port 9443 and 1337.

Those processes are acting as webservers (and currently as root), so if there's any kind of compromise, it would be very beneficial to isolate them from the other processes running in the OVA.

My suggestion is to use docker-compose to spin up both services, binary which is already available at /usr/local/bin/docker-compose.

This bug does not replace #827, even if they are very similar and related. Processes in containers do not need to run as root, so that's why I'm not closing the latter.

Assigning same priority of #827, because at least one of these two needs to be closed for the next release.

bug1958949

[andrewtchin]

We will do this and switch to not running as root at the same time

[hickeng]

Nominating for 1.4.3, possibly just for the mitigation that was in #827 as it was requested for the 1.4.0 release but not included.

[DanielXiao]

During VIC appliance installation, root password is required for verification. So the user who run ova-webserver process must have enough privileges to access the shadow password database, which is currently root user of VIC appliance OS. If I run ova-webserver in a container with a non-root user, it is impossible to access password database of host OS. I would like to skip this issue unless we have better approach to verify root password.

[DanielXiao]

This is the pending PR to dockerize ova-webserver #2263.
Below is the code to verify root password and I can merge the fix when we have better approach to do it.

cmd := exec.Command("/etc/vmware/verify.py", vicPasswd) 

[hickeng]

@DanielXiao Is it viable to use PAM to do this password validation? Anything that allows access to shadow is dangerous.

See the example here: https://www.socketloop.com/tutorials/golang-verify-linux-user-password-again-before-executing-a-program-example