fix(security): run as non-root user in container
This commit is contained in:
parent
70794ad61a
commit
6832843f00
24
Dockerfile
24
Dockerfile
@ -5,11 +5,25 @@
FROM python:3
FROM python:3
# Install dependencies
# Create non-root user
ARG LUMI2_UID
ARG LUMI2_GID
ENV LUMI2_USERNAME=lumi2
ENV LUMI2_GROUPNAME=lumi2
RUN groupadd --gid ${LUMI2_GID:-1000} ${LUMI2_GROUPNAME} && \
useradd --uid ${LUMI2_UID:-1000} --gid ${LUMI2_GID:-1000} --no-create-home --shell /bin/bash ${LUMI2_USERNAME} && \
mkdir /app && chown ${LUMI2_UID:-1000}:${LUMI2_GID:-1000} /app
# Copy source files
WORKDIR /app
WORKDIR /app
COPY requirements.txt /app/
COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} requirements.txt /app/
COPY lumi2 /app/lumi2/
COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} lumi2 /app/lumi2/
COPY tests /app/tests/
COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} tests /app/tests/
COPY pytest.ini /app/
COPY --chown=${LUMI2_USERNAME}:${LUMI2_GROUPNAME} pytest.ini /app/
# Install dependencies
RUN pip install -r requirements.txt
RUN pip install -r requirements.txt
# Launch WSGI server
USER ${LUMI2_UID:-1000}:${LUMI2_GID:-1000}
ENTRYPOINT ["waitress-serve", "--listen=0.0.0.0:80", "--no-ipv6", "--call", "lumi2:create_app"]
ENTRYPOINT ["waitress-serve", "--listen=0.0.0.0:80", "--no-ipv6", "--call", "lumi2:create_app"]
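Review bot: With `USER ${LUMI2_UID:-1000}:${LUMI2_GID:-1000}` now in effect, the unchanged `ENTRYPOINT` still binds `--listen=0.0.0.0:80`, a privileged port that an unprivileged UID can only open where the runtime allows it (Docker Engine ≥20.10 does by default; Kubernetes and older daemons do not without CAP_NET_BIND_SERVICE), so the container may fail at startup with a bind permission error. Moving the listener above 1024 removes that dependency: `ENTRYPOINT ["waitress-serve", "--listen=0.0.0.0:8000", "--no-ipv6", "--call", "lumi2:create_app"]`, with the `"8000:80"` mapping in the docker-compose.yml section below changed to `"8000:8000"` and an `EXPOSE 8000` added to document the contract. Separately, nothing rejects a build that passes `LUMI2_UID=0` or `LUMI2_GID=0`, which would silently restore root via the numeric `USER` line; a cheap guard in the user-creation RUN such as `test "${LUMI2_UID:-1000}" -ne 0 && test "${LUMI2_GID:-1000}" -ne 0 && \` makes the non-root intent enforceable rather than assumed. The `RUN pip install -r requirements.txt` line also still runs as root with no `--no-cache-dir`, and `FROM python:3` remains a floating tag, both of which undercut the reproducibility this hardening commit is aiming for.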
@ -4,12 +4,16 @@ version: "3"
services:
services:
lumi2:
lumi2:
build: .
container_name: lumi2
container_name: lumi2
build:
context: .
args:
LUMI2_UID: 1000
LUMI2_GID: 1000
volumes:
volumes:
- ./config.py/:/app/config.py:ro
- ./config.py/:/app/config.py:ro
environment:
environment:
- LUMI_CONFIG=/app/config.py
- LUMI2_CONFIG=/app/config.py
ports:
ports:
- "8000:80"
- "8000:80"
depends_on:
depends_on:
@ -20,7 +20,7 @@ def create_app(test_config=None):
if test_config is None:
if test_config is None:
# Load the instance config, if it exists, when not testing
# Load the instance config, if it exists, when not testing
app.config.from_envvar('LUMI_CONFIG', silent=True)
app.config.from_envvar('LUMI2_CONFIG', silent=True)
else:
else:
# Load the test config if passed in
# Load the test config if passed in
app.config.from_mapping(test_config)
app.config.from_mapping(test_config)