fix(security): run as non-root user in container

Julian Lobbes 2022-12-01 14:36:27 +01:00
parent 3ef08de465
commit 19aba86bd0
3 changed files with 26 additions and 8 deletions


@ -5,11 +5,25 @@
FROM python:3 FROM python:3
# Install dependencies # Create non-root user
ARG LUMI2_UID
ARG LUMI2_GID
ENV LUMI2_USERNAME=lumi2
ENV LUMI2_GROUPNAME=lumi2
RUN groupadd --gid ${LUMI2_GID:-1000} ${LUMI2_GROUPNAME} && \
useradd --uid ${LUMI2_UID:-1000} --gid ${LUMI2_GID:-1000} --no-create-home --shell /bin/bash ${LUMI2_USERNAME} && \
mkdir /app && chown ${LUMI2_UID:-1000}:${LUMI2_GID:-1000} /app
# Copy source files
WORKDIR /app WORKDIR /app
COPY requirements.txt /app/ COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} requirements.txt /app/
COPY lumi2 /app/lumi2/ COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} lumi2 /app/lumi2/
COPY tests /app/tests/ COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} tests /app/tests/
COPY pytest.ini /app/ COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} pytest.ini /app/
# Install dependencies
RUN pip install -r requirements.txt RUN pip install -r requirements.txt
# Launch WSGI server
USER ${LUMI2_UID:-1000}:${LUMI2_GID:-1000}
ENTRYPOINT ["waitress-serve", "--listen=0.0.0.0:80", "--no-ipv6", "--call", "lumi2:create_app"] ENTRYPOINT ["waitress-serve", "--listen=0.0.0.0:80", "--no-ipv6", "--call", "lumi2:create_app"]
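Review bot: The new `USER ${LUMI2_UID:-1000}:${LUMI2_GID:-1000}` line drops root, but the unchanged ENTRYPOINT still binds `0.0.0.0:80`, a privileged port; Docker Engine 20.10+ lets an unprivileged process bind it by default, but Kubernetes, podman and older engines do not, so the container would fail at startup with a bind error. Listening on an unprivileged port removes that dependency on the runtime: `ENTRYPOINT ["waitress-serve", "--listen=0.0.0.0:8000", "--no-ipv6", "--call", "lumi2:create_app"]`, with the compose mapping in the second file changed to `- "8000:8000"`. As a point of style, `LUMI2_USERNAME` and `LUMI2_GROUPNAME` are only used at build time by the `RUN groupadd …` and `COPY --chown` lines, so they belong in `ARG` rather than `ENV`, where they otherwise persist into the runtime environment. The `pip install -r requirements.txt` line would also benefit from `--no-cache-dir` so the root-owned pip cache does not stay in the layer.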


@ -4,12 +4,16 @@ version: "3"
services: services:
lumi2: lumi2:
build: .
container_name: lumi2 container_name: lumi2
build:
context: .
args:
LUMI2_UID: 1000
LUMI2_GID: 1000
volumes: volumes:
- ./config.py/:/app/config.py:ro - ./config.py/:/app/config.py:ro
environment: environment:
- LUMI_CONFIG=/app/config.py - LUMI2_CONFIG=/app/config.py
ports: ports:
- "8000:80" - "8000:80"
depends_on: depends_on:
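Review bot: With the image now running as uid/gid 1000 (the `LUMI2_UID`/`LUMI2_GID` build args added here), the bind-mounted `./config.py/:/app/config.py:ro` is readable only if the host file's mode or ownership allows that uid to read it; the commit does not document this new requirement and the mount's `:ro` flag does not help with it. A comment above the `args:` block would save the next operator a failed start, e.g. `# UID/GID the app runs as; the mounted config.py must be readable by this uid` — and the values should presumably match the host user who owns config.py rather than being fixed at 1000. The `LUMI_CONFIG` to `LUMI2_CONFIG` rename is consistent with the change in `create_app` in the third file.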


@ -20,7 +20,7 @@ def create_app(test_config=None):
if test_config is None: if test_config is None:
# Load the instance config, if it exists, when not testing # Load the instance config, if it exists, when not testing
app.config.from_envvar('LUMI_CONFIG', silent=True) app.config.from_envvar('LUMI2_CONFIG', silent=True)
else: else:
# Load the test config if passed in # Load the test config if passed in
app.config.from_mapping(test_config) app.config.from_mapping(test_config)