spice-proxy: move spice-proxy to kubevirt repository

- add spice-proxy Dockerfile
- run spice-proxy as non-root user, part of the fix for kubevirt#113

Signed-off-by: Lukianov Artyom <[email protected]>

hack/config.sh

@@ -1,5 +1,5 @@
 binaries="cmd/virt-controller cmd/virt-launcher cmd/virt-handler cmd/virt-api cmd/virtctl cmd/virt-manifest"
-docker_images="$binaries images/haproxy images/iscsi-demo-target-tgtd images/vm-killer images/libvirt-kubevirt"
+docker_images="$binaries images/haproxy images/iscsi-demo-target-tgtd images/vm-killer images/libvirt-kubevirt images/spice-proxy"
 docker_prefix=kubevirt
 docker_tag=${DOCKER_TAG:-latest}
 manifest_templates="`ls manifests/*.in`"

images/spice-proxy/Dockerfile

@@ -0,0 +1,19 @@
+FROM centos:7.2.1511
+
+MAINTAINER Roman Mohr <[email protected]>
+
+EXPOSE 3128
+
+RUN yum install -y squid && yum clean all
+
+RUN sed -i -e "s/http_access deny CONNECT !SSL_ports/http_access deny CONNECT !Safe_ports/" /etc/squid/squid.conf
+RUN echo "pid_filename /home/proxy/run/squid.pid" >> /etc/squid/squid.conf
+
+RUN useradd --create-home -s /bin/bash proxy
+RUN chown -R proxy /var/log/squid && chown -R proxy /var/spool/squid
+RUN cp /etc/squid/squid.conf /home/proxy && chown proxy /home/proxy/squid.conf
+WORKDIR /home/proxy
+USER proxy
+RUN mkdir /home/proxy/run
+
+CMD squid -NCd1 -f /home/proxy/squid.conf

manifests/squid.yaml.in

@@ -23,11 +23,13 @@ spec:
     spec:
       containers:
         - name: spice-proxy
-          image: rmohr/spice-squid:latest
+          image: {{ docker_prefix }}/spice-proxy:{{ docker_tag }}
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 3128
               name: "spice-proxy"
               protocol: "TCP"
+      securityContext:
+        runAsNonRoot: true
       nodeSelector:
         kubernetes.io/hostname: master