Srt 2872 fix crashloopback error when using default developer configuration on a readonly root filesystem enabled (#556)

* Fix default devimage with rorfs issue

* Added new docker test

Author: ShashikanthRaoT

Dockerfile-server

@@ -181,7 +181,7 @@ LABEL summary="IBM MQ Advanced for Developers Server" \
   base-image-release=$BASE_TAG
 USER 0
 COPY --from=cbuilder /opt/app-root/src/authservice/mqhtpass/build/mqhtpass.so /opt/mqm/lib64/
-COPY etc/mqm/qm-service-component.ini /run
+COPY etc/mqm/qm-service-component.ini.default /etc/mqm/
 COPY incubating/mqadvanced-server-dev/install-extra-packages.sh /usr/local/bin/
 RUN chmod u+x /usr/local/bin/install-extra-packages.sh \
   && sleep 1 \
@@ -196,8 +196,6 @@ RUN ln -s /run/10-dev.mqsc /etc/mqm/10-dev.mqsc \
 RUN chown -R 1001:root /etc/mqm/* \
   && chmod -R g+w /etc/mqm/web \
   && chmod +x /usr/local/bin/runmq* \
-  # Allow contents of qm-service-component.ini to be cleaned if MQ_CONNAUTH_USE_HTP is not set to true
-  && chmod 0660 /run/qm-service-component.ini \
   && ln -s /run/qm-service-component.ini /etc/mqm/qm-service-component.ini
 
 ENV MQ_DEV=true \

cmd/runmqdevserver/main.go

@@ -21,6 +21,7 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/ibm-messaging/mq-container/internal/copy"
 	"github.com/ibm-messaging/mq-container/internal/htpasswd"
 	"github.com/ibm-messaging/mq-container/pkg/containerruntimelogger"
 	"github.com/ibm-messaging/mq-container/pkg/logger"
@@ -127,6 +128,14 @@ func doMain() error {
 		return err
 	}
 
+	// Initialise /run/qm-service-component.ini file on ephemeral volume
+	// #nosec G306 - its a read by owner/s group, and pose no harm.
+	err = os.WriteFile("/run/qm-service-component.ini", []byte(""), 0660)
+	if err != nil {
+		logTermination(err)
+		return err
+	}
+
 	// Enable mq htpasswd if MQ_CONNAUTH_USE_HTP is set true
 	// and either or both of MQ_APP_PASSWORD and MQ_ADMIN_PASSWORD
 	// environment variables specified.
@@ -135,6 +144,11 @@ func doMain() error {
 	appPassword, appPwdset := os.LookupEnv("MQ_APP_PASSWORD")
 	if set && strings.EqualFold(enableHtPwd, "true") &&
 		(adminPwdset && len(strings.TrimSpace(adminPassword)) > 0 || appPwdset && len(strings.TrimSpace(appPassword)) > 0) {
+		err = copy.CopyFile("/etc/mqm/qm-service-component.ini.default", "/run/qm-service-component.ini")
+		if err != nil {
+			logTermination(err)
+			return err
+		}
 		// Create an empty mq.htpasswd file on ephemeral volume
 		// #nosec G306 - its a write by owner/s group, and pose no harm.
 		err = os.WriteFile("/run/mq.htpasswd", []byte(""), 0660)
@@ -158,15 +172,6 @@ func doMain() error {
 				return err
 			}
 		}
-	} else {
-		// Clean contents of qm-service-component.ini if MQ_CONNAUTH_USE_HTP is not set to true
-		// so that mq.htpasswd exit is not loaded by queue manager
-		// #nosec G306 - its a write by owner/s group, and pose no harm.
-		err = os.WriteFile("/run/qm-service-component.ini", []byte(""), 0660)
-		if err != nil {
-			logTermination(err)
-			return err
-		}
 	}
 
 	err = updateMQSC(set)

etc/mqm/qm-service-component.ini renamed to etc/mqm/qm-service-component.ini.default

@@ -847,3 +847,68 @@ func testDevNoDefaultCredsUtil(t *testing.T, mqhtpassEnvs []string, htpwdInLog b
 		}
 	}
 }
+
+// Test REST messaging with default developer configuration
+// MQ_CONNAUTH_USE_HTP is set to true in the dev image with
+// read only root filesystem enabled. The test
+// specifies password for admin userId via MQ_ADMIN_PASSWORD
+// environment variable but then attempts to do REST messaging
+// usig 'app' userId. HTTP 401 is expected.
+func TestRORFSDevNoAppPassword(t *testing.T) {
+	t.Parallel()
+	cli := ce.NewContainerClient()
+	qm := "QM1"
+	containerConfig := ce.ContainerConfig{
+		Env: []string{
+			"LICENSE=accept",
+			"MQ_QMGR_NAME=" + qm,
+			"DEBUG=true",
+			"MQ_CONNAUTH_USE_HTP=true",
+			"MQ_ADMIN_PASSWORD=" + defaultAdminPassword,
+		},
+		Image: imageName(),
+	}
+
+	// Create volumes for mounting into container
+	ephData := createVolume(t, cli, "ephData"+t.Name())
+	defer removeVolume(t, cli, ephData)
+	ephRun := createVolume(t, cli, "ephRun"+t.Name())
+	defer removeVolume(t, cli, ephRun)
+	ephTmp := createVolume(t, cli, "ephTmp"+t.Name())
+	defer removeVolume(t, cli, ephTmp)
+
+	hostConfig := ce.ContainerHostConfig{
+		Binds: []string{
+			coverageBind(t),
+			ephRun + ":/run",
+			ephTmp + ":/tmp",
+			ephData + ":/mnt/mqm",
+		},
+		ReadOnlyRootfs: true, //Enable read only root filesystem
+	}
+	// Assign a random port for the web server on the host
+	var binding ce.PortBinding
+	ports := []int{9443}
+	for _, p := range ports {
+		port := fmt.Sprintf("%v/tcp", p)
+		binding = ce.PortBinding{
+			ContainerPort: port,
+			HostIP:        "0.0.0.0",
+		}
+		hostConfig.PortBindings = append(hostConfig.PortBindings, binding)
+	}
+	networkingConfig := ce.ContainerNetworkSettings{}
+	id, err := cli.ContainerCreate(&containerConfig, &hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanContainer(t, cli, id)
+	startContainer(t, cli, id)
+
+	waitForReady(t, cli, id)
+	waitForWebReady(t, cli, id, insecureTLSConfig)
+	// Expect a 401 Unauthorized HTTP Response
+	testRESTMessaging(t, cli, id, insecureTLSConfig, qm, "app", defaultAppPasswordWeb, "401 Unauthorized")
+	// Stop the container cleanly
+	stopContainer(t, cli, id)
+}