BOT-2003 Applied Security Best Practices (not run as root user)

botium-build · botium-build · commit 7ad1a96f514e · 2022-02-28T11:29:09.000Z
diff --git a/README.md b/README.md
@@ -180,6 +180,10 @@ This project is standing on the shoulders of giants.
 
 ## Changelog
 
+### 2022-02-28
+
+* Applied Security Best Practices (not run as root user)
+
 ### 2022-01-12
 
 * Added support for Azure Speech Services
diff --git a/frontend/resources/.env b/frontend/resources/.env
@@ -29,8 +29,8 @@ BOTIUM_SPEECH_MARYTTS_URL=http://tts:59125
 BOTIUM_SPEECH_PICO_CMDPREFIX=pico2wave
 
 # STT Provider Kaldi URLs
-BOTIUM_SPEECH_KALDI_URL_EN=http://stt-en:80/client/dynamic/recognize
-BOTIUM_SPEECH_KALDI_URL_DE=http://stt-de:80/client/dynamic/recognize
+BOTIUM_SPEECH_KALDI_URL_EN=http://stt-en:56180/client/dynamic/recognize
+BOTIUM_SPEECH_KALDI_URL_DE=http://stt-de:56180/client/dynamic/recognize
 
 # STT Provider Google
 #BOTIUM_SPEECH_GOOGLE_KEYFILE=./resources/google.json
diff --git a/nginx.conf b/nginx.conf
@@ -29,7 +29,7 @@ http {
       proxy_set_header            Connection "Upgrade";
       proxy_set_header            Host $host;
       proxy_set_header            X-Forwarded-Host $http_host;
-      proxy_pass                  http://$upstream_stt_en;
+      proxy_pass                  http://$upstream_stt_en:56180;
       proxy_read_timeout          300;
     }
     rewrite ^/stt-de$ /stt-de/ redirect;
@@ -43,7 +43,7 @@ http {
       proxy_set_header            Connection "Upgrade";
       proxy_set_header            Host $host;
       proxy_set_header            X-Forwarded-Host $http_host;
-      proxy_pass                  http://$upstream_stt_de;
+      proxy_pass                  http://$upstream_stt_de:56180;
       proxy_read_timeout          300;
     }
     rewrite ^/dictate$ /dictate/ redirect;
diff --git a/scripts/k8s/README.md b/scripts/k8s/README.md
@@ -9,4 +9,4 @@ To use it:
  * deploy it `kubectl apply -R -f default`
  * undeploy it `kubectl delete -R -f default` 
 
-Do not modify and commit directly. Workload files are generated from helm chat!
+Do not modify and commit directly. Workload files are generated from helm chart!
diff --git a/stt/Dockerfile.kaldi.de b/stt/Dockerfile.kaldi.de
@@ -14,6 +14,9 @@ RUN apt-get update && \
 COPY models/zamia_20190328_tdnn_f_de.yaml /opt/models/zamia_20190328_tdnn_f_de.yaml
 COPY supervisord.kaldi.de.conf /etc/supervisor/conf.d/supervisord.conf
 
-EXPOSE 80
+EXPOSE 56180
 
-CMD ["/usr/bin/supervisord"]
+RUN groupadd --gid 1000 kaldi && useradd --uid 1000 --gid kaldi --shell /bin/bash --create-home kaldi
+RUN mkdir /opt/logs && chown -R 1000:1000 /opt/models /opt/logs
+USER kaldi
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
diff --git a/stt/Dockerfile.kaldi.en b/stt/Dockerfile.kaldi.en
@@ -14,6 +14,9 @@ RUN apt-get update && \
 COPY models/zamia_20190609_tdnn_fl_en.yaml /opt/models/zamia_20190609_tdnn_fl_en.yaml
 COPY supervisord.kaldi.en.conf /etc/supervisor/conf.d/supervisord.conf
 
-EXPOSE 80
+EXPOSE 56180
 
-CMD ["/usr/bin/supervisord"]
+RUN groupadd --gid 1000 kaldi && useradd --uid 1000 --gid kaldi --shell /bin/bash --create-home kaldi
+RUN mkdir /opt/logs && chown -R 1000:1000 /opt/models /opt/logs
+USER kaldi
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
diff --git a/stt/models/zamia_20190328_tdnn_f_de.yaml b/stt/models/zamia_20190328_tdnn_f_de.yaml
@@ -18,7 +18,7 @@ decoder:
     chunk-length-in-secs: 0.25
     num-nbest: 10
     phone-syms: /opt/models/kaldi-generic-de-tdnn_f-r20190328/model/graph/phones.txt
-out-dir: tmp
+out-dir: /opt/models/tmp
 
 use-vad: False
 silence-timeout: 15
diff --git a/stt/models/zamia_20190609_tdnn_fl_en.yaml b/stt/models/zamia_20190609_tdnn_fl_en.yaml
@@ -18,7 +18,7 @@ decoder:
     chunk-length-in-secs: 0.25
     num-nbest: 10
     phone-syms: /opt/models/kaldi-generic-en-tdnn_fl-r20190609/model/graph/phones.txt
-out-dir: tmp
+out-dir: /opt/models/tmp
 
 use-vad: False
 silence-timeout: 15
diff --git a/stt/supervisord.kaldi.de.conf b/stt/supervisord.kaldi.de.conf
@@ -1,25 +1,31 @@
 [supervisord]
 nodaemon=true
+logfile=/opt/logs/kaldi-de-supervisord.log
+pidfile=/opt/logs/kaldi-de-supervisord.pid
 
 [program:master]
-command=python /opt/kaldi-gstreamer-server/kaldigstserver/master_server.py --port=80
+environment=HOME="/home/kaldi",USER="kaldi"
+command=python /opt/kaldi-gstreamer-server/kaldigstserver/master_server.py --port=56180
 numprocs=1
 autostart=true
 autorestart=true
-stderr_logfile=/opt/logs/master.log
+user=kaldi
+stderr_logfile=/opt/logs/kaldi-de-master.log
 
 [program:worker1]
-environment=GST_PLUGIN_PATH=/opt/gst-kaldi-nnet2-online/src/:/opt/kaldi/src/gst-plugin/:/usr/lib/x86_64-linux-gnu/gstreamer-1.0
-command=python /opt/kaldi-gstreamer-server/kaldigstserver/worker.py -c /opt/models/zamia_20190328_tdnn_f_de.yaml -u ws://localhost:80/worker/ws/speech
+environment=HOME="/home/kaldi",USER="kaldi",GST_PLUGIN_PATH=/opt/gst-kaldi-nnet2-online/src/:/opt/kaldi/src/gst-plugin/:/usr/lib/x86_64-linux-gnu/gstreamer-1.0
+command=python /opt/kaldi-gstreamer-server/kaldigstserver/worker.py -c /opt/models/zamia_20190328_tdnn_f_de.yaml -u ws://localhost:56180/worker/ws/speech
 numprocs=1
 autostart=true
 autorestart=true
-stderr_logfile=/opt/logs/worker1.log
+user=kaldi
+stderr_logfile=/opt/logs/kaldi-de-worker1.log
 
 [program:worker2]
-environment=GST_PLUGIN_PATH=/opt/gst-kaldi-nnet2-online/src/:/opt/kaldi/src/gst-plugin/:/usr/lib/x86_64-linux-gnu/gstreamer-1.0
-command=python /opt/kaldi-gstreamer-server/kaldigstserver/worker.py -c /opt/models/zamia_20190328_tdnn_f_de.yaml -u ws://localhost:80/worker/ws/speech
+environment=HOME="/home/kaldi",USER="kaldi",GST_PLUGIN_PATH=/opt/gst-kaldi-nnet2-online/src/:/opt/kaldi/src/gst-plugin/:/usr/lib/x86_64-linux-gnu/gstreamer-1.0
+command=python /opt/kaldi-gstreamer-server/kaldigstserver/worker.py -c /opt/models/zamia_20190328_tdnn_f_de.yaml -u ws://localhost:56180/worker/ws/speech
 numprocs=1
 autostart=true
 autorestart=true
-stderr_logfile=/opt/logs/worker2.log
+user=kaldi
+stderr_logfile=/opt/logs/kaldi-de-worker2.log
diff --git a/stt/supervisord.kaldi.en.conf b/stt/supervisord.kaldi.en.conf
@@ -1,25 +1,31 @@
 [supervisord]
 nodaemon=true
+logfile=/opt/logs/kaldi-en-supervisord.log
+pidfile=/opt/logs/kaldi-en-supervisord.pid
 
 [program:master]
-command=python /opt/kaldi-gstreamer-server/kaldigstserver/master_server.py --port=80
+environment=HOME="/home/kaldi",USER="kaldi"
+command=python /opt/kaldi-gstreamer-server/kaldigstserver/master_server.py --port=56180
 numprocs=1
 autostart=true
 autorestart=true
-stderr_logfile=/opt/logs/master.log
+user=kaldi
+stderr_logfile=/opt/logs/kaldi-en-master.log
 
 [program:worker1]
-environment=GST_PLUGIN_PATH=/opt/gst-kaldi-nnet2-online/src/:/opt/kaldi/src/gst-plugin/:/usr/lib/x86_64-linux-gnu/gstreamer-1.0
-command=python /opt/kaldi-gstreamer-server/kaldigstserver/worker.py -c /opt/models/zamia_20190609_tdnn_fl_en.yaml -u ws://localhost:80/worker/ws/speech
+environment=HOME="/home/kaldi",USER="kaldi",GST_PLUGIN_PATH=/opt/gst-kaldi-nnet2-online/src/:/opt/kaldi/src/gst-plugin/:/usr/lib/x86_64-linux-gnu/gstreamer-1.0
+command=python /opt/kaldi-gstreamer-server/kaldigstserver/worker.py -c /opt/models/zamia_20190609_tdnn_fl_en.yaml -u ws://localhost:56180/worker/ws/speech
 numprocs=1
 autostart=true
 autorestart=true
-stderr_logfile=/opt/logs/worker1.log
+user=kaldi
+stderr_logfile=/opt/logs/kaldi-en-worker1.log
 
 [program:worker2]
-environment=GST_PLUGIN_PATH=/opt/gst-kaldi-nnet2-online/src/:/opt/kaldi/src/gst-plugin/:/usr/lib/x86_64-linux-gnu/gstreamer-1.0
-command=python /opt/kaldi-gstreamer-server/kaldigstserver/worker.py -c /opt/models/zamia_20190609_tdnn_fl_en.yaml -u ws://localhost:80/worker/ws/speech
+environment=HOME="/home/kaldi",USER="kaldi",GST_PLUGIN_PATH=/opt/gst-kaldi-nnet2-online/src/:/opt/kaldi/src/gst-plugin/:/usr/lib/x86_64-linux-gnu/gstreamer-1.0
+command=python /opt/kaldi-gstreamer-server/kaldigstserver/worker.py -c /opt/models/zamia_20190609_tdnn_fl_en.yaml -u ws://localhost:56180/worker/ws/speech
 numprocs=1
 autostart=true
 autorestart=true
-stderr_logfile=/opt/logs/worker2.log
+user=kaldi
+stderr_logfile=/opt/logs/kaldi-en-worker2.log
diff --git a/tts/Dockerfile.marytts b/tts/Dockerfile.marytts
@@ -10,5 +10,10 @@ WORKDIR /app/marytts-installer
 RUN cat components.json | jq .[].artifact | xargs ./marytts install
 
 EXPOSE 59125
+
+RUN addgroup --gid 1000 marytts && adduser --uid 1000 --ingroup marytts --disabled-password --shell /bin/bash marytts
+RUN chown -R 1000:1000 /app/marytts-installer
+USER marytts
+
 ENV JAVA_OPTS -Xmx2g
 CMD ./marytts
diff --git a/watcher/Dockerfile b/watcher/Dockerfile
@@ -6,10 +6,11 @@ RUN apt-get update && \
     apt-get autoremove -y && \
     rm -rf /var/lib/apt/lists/*
 
-VOLUME /app/watch
-
 COPY watch_stt.sh /app/watch_stt.sh
 COPY watch_tts.sh /app/watch_tts.sh
 COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
-CMD ["/usr/bin/supervisord"]
+RUN groupadd --gid 1000 watcher && useradd --uid 1000 --gid watcher --shell /bin/bash --create-home watcher
+RUN mkdir /app/logs && chown -R 1000:1000 /app
+USER watcher
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
diff --git a/watcher/supervisord.conf b/watcher/supervisord.conf
@@ -1,16 +1,22 @@
 [supervisord]
 nodaemon=true
+logfile=/app/logs/watcher-supervisord.log
+pidfile=/app/logs/watcher-supervisord.pid
 
 [program:watch_stt]
+environment=HOME="/home/watcher",USER="watcher"
 command=/app/watch_stt.sh
 numprocs=1
 autostart=true
 autorestart=true
-stderr_logfile=/app/logs/stt.log
+user=watcher
+stderr_logfile=/app/logs/watcher-stt.log
 
 [program:watch_tts]
+environment=HOME="/home/watcher",USER="watcher"
 command=/app/watch_tts.sh
 numprocs=1
 autostart=true
 autorestart=true
-stderr_logfile=/app/logs/tts.log
+user=watcher
+stderr_logfile=/app/logs/watcher-tts.log
