centralcloud/oncall-engine
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
oncall-engine/engine/Dockerfile
Alexander Cherepanov f67cfd0494
Run containers as a non-root user (#2053) 
# What this PR does

Create a custom non-root user and use it to start an app. So uwsgi does
not require to use `setUid` and `setGid` system calls.

It handles errors while starting in Kubernetes with `runAsNonRoot: true`
check.

## Which issue(s) this PR fixes

closes https://github.com/grafana/oncall/issues/445

## Checklist

- [x] Unit, integration, and e2e (if applicable) tests updated
- [ ] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)

---------

Co-authored-by: Joey Orlando <joey.orlando@grafana.com>
Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com>
2023-06-08 07:12:00 +00:00

61 lines
2.2 KiB
Docker
Raw Blame History

FROM python:3.11.3-slim-buster AS base
# Create a group and user to run an app
ENV APP_USER=appuser
RUN groupadd --system --gid 2000 ${APP_USER} && \
useradd --no-log-init --system --uid 1000 --gid ${APP_USER} ${APP_USER}
RUN apt-get update && apt-get install -y \
python3-dev \
gcc \
libmariadb-dev \
libpq-dev \
netcat \
curl \
bash \
git \
libpcre3 \
libpcre3-dev
WORKDIR /etc/app
COPY ./requirements.txt ./
RUN pip install --upgrade pip
RUN pip install -r requirements.txt
# we intentionally have two COPY commands, this is to have the requirements.txt in a separate build step
# which only invalidates when the requirements.txt actually changes. This avoids having to unneccasrily reinstall deps (which is time-consuming)
# https://stackoverflow.com/questions/34398632/docker-how-to-run-pip-requirements-txt-only-if-there-was-a-change/34399661#34399661
COPY ./ ./
# Collect static files
RUN DJANGO_SETTINGS_MODULE=settings.prod_without_db DATABASE_TYPE=sqlite3 DATABASE_NAME=/var/lib/oncall/oncall.db SECRET_KEY="ThEmUsTSecretKEYforBUILDstage123" SILK_PROFILER_ENABLED="True" python manage.py collectstatic --no-input
# Change permissions for the app folder, as previous commands run as root
RUN chown -R ${APP_USER}:${APP_USER} /etc/app
# Create SQLite database and set permissions
RUN mkdir -p /var/lib/oncall
RUN DATABASE_TYPE=sqlite3 DATABASE_NAME=/var/lib/oncall/oncall.db python manage.py create_sqlite_db
RUN chown -R ${APP_USER}:${APP_USER} /var/lib/oncall
# This is required for silk profilers to sync between uwsgi workers
RUN mkdir -p /tmp/silk_profiles;
RUN chown -R ${APP_USER}:${APP_USER} /tmp/silk_profiles
# This is required for prometheus_client to sync between uwsgi workers
RUN mkdir -p /tmp/prometheus_django_metrics;
RUN chown -R ${APP_USER}:${APP_USER} /tmp/prometheus_django_metrics
ENV prometheus_multiproc_dir "/tmp/prometheus_django_metrics"
FROM base AS dev
RUN apt-get install -y sqlite3 default-mysql-client postgresql-client
FROM dev AS dev-enterprise
RUN pip install -r requirements-enterprise-docker.txt
FROM base AS prod
# Change to a non-root user (number is required by Kubernetes runAsNonRoot check)
USER 1000
CMD [ "uwsgi", "--ini", "uwsgi.ini" ]
Reference in a new issue View git blame Copy permalink