CASMCMS-7434 Change to non-root user

Cray-HPE · Oct 27, 2021 · 669f743 · 669f743
1 parent abefd0a
commit 669f743
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 19 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -24,15 +24,23 @@
 # Create 'base' image target
 FROM artifactory.algol60.net/docker.io/alpine:3.13 as base
 WORKDIR /app
-RUN mkdir -p /var/ims/data
-VOLUME ["/var/ims/data"]
+RUN mkdir -p /var/ims/data /app /results && \
+ chown -Rv 65534:65534 /var/ims/data /app /results
+VOLUME ["/var/ims/data", "/results"]
 
-ADD requirements.txt constraints.txt /app/
 RUN apk add --upgrade --no-cache apk-tools && \
  apk update && \
  apk add --no-cache gcc py3-pip python3-dev musl-dev libffi-dev openssl-dev && \
- apk -U upgrade --no-cache && \
- PIP_INDEX_URL=https://arti.dev.cray.com:443/artifactory/api/pypi/pypi-remote/simple \
+ apk -U upgrade --no-cache
+
+USER 65534:65534
+
+ADD requirements.txt constraints.txt /app/
+ENV VIRTUAL_ENV=/app/venv
+RUN python3 -m venv $VIRTUAL_ENV
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
+RUN PIP_INDEX_URL=https://arti.dev.cray.com:443/artifactory/api/pypi/pypi-remote/simple \
  PIP_TRUSTED_HOST=arti.dev.cray.com \
  pip3 install --no-cache-dir -U pip && \
  pip3 install --no-cache-dir -U wheel && \
@@ -43,19 +51,21 @@ COPY src/ /app/src/
 
 # Run unit tests
 FROM base as testing
+
 ADD docker_test_entry.sh /app/
 ADD requirements-test.txt /app/
 RUN pip3 install -r /app/requirements-test.txt
+
 COPY tests /app/tests
 ARG FORCE_TESTS=null
 CMD [ "./docker_test_entry.sh" ]
 
 # Run openapi validation on openapi.yaml
 FROM arti.dev.cray.com/third-party-docker-stable-local/openapitools/openapi-generator-cli:v5.1.0 as openapi-validator
-RUN mkdir /api
-COPY api/openapi.yaml /api
+RUN mkdir /tmp/api
+COPY api/openapi.yaml /tmp/api/
 ARG FORCE_OPENAPI_VALIDATION_CHECK=null
-RUN docker-entrypoint.sh validate -i /api/openapi.yaml || true
+RUN docker-entrypoint.sh validate -i /tmp/api/openapi.yaml || true
 
 # Run code style checkers
 FROM testing as codestyle
@@ -67,8 +77,8 @@ CMD [ "./runCodeStyleCheck.sh" ]
 # Build Application Image
 FROM base as application
 
-EXPOSE 80
+EXPOSE 9000
 # RUN apk add --no-cache py3-gunicorn py3-gevent py3-greenlet
-copy .version /app/
+COPY .version /app/
 COPY config/gunicorn.py /app/
 ENTRYPOINT ["gunicorn", "-c", "/app/gunicorn.py", "src.server.app:app"]
diff --git a/Makefile b/Makefile
@@ -63,7 +63,6 @@ unittests:
 
 chart_setup:
  mkdir -p ${CHART_PATH}/.packaged
- printf "\nglobal:\n appVersion: ${CHART_VERSION}" >> ${CHART_PATH}/${NAME}/values.yaml
 
 chart_package:
  helm dep up ${CHART_PATH}/${NAME}

diff --git a/README.md b/README.md
@@ -174,7 +174,7 @@ The image can be run with the following command:
 
 ```bash
 $ docker run --rm --name ims-service \
- -p 5000:80 \
+ -p 9000:9000 \
  -e "S3_ACCESS_KEY=minioadmin" \
  -e "S3_SECRET_KEY=minioadmin" \
  -e "S3_ENDPOINT=172.17.0.2:9000" \
@@ -185,14 +185,14 @@ $ docker run --rm --name ims-service \
  ims-service:dev
 ```
 
-This will start the IMS server on `http://localhost:5000`. An S3 instance is
+This will start the IMS server on `http://localhost:9000`. An S3 instance is
 required for the IMS server to do anything meaningful. See the [Configuration Options](#Configuration-Options)
 section for more information and further configuration possibilities.
 
 ```
-$ curl http://127.0.0.1:5000/images
+$ curl http://127.0.0.1:9000/images
 []
-$ curl http://127.0.0.1:5000/recipes
+$ curl http://127.0.0.1:9000/recipes
 []
 ```
 

diff --git a/config/gunicorn.py b/config/gunicorn.py
@@ -23,7 +23,7 @@
 # Gunicorn settings for IMS
 import os
 
-bind = "0.0.0.0:80"
+bind = "0.0.0.0:9000"
 # workers = int(os.environ.get('WORKERS', 1))
 
 # Worker

diff --git a/kubernetes/cray-ims/templates/post_upgrade_hook.yaml b/kubernetes/cray-ims/templates/post_upgrade_hook.yaml
@@ -0,0 +1,27 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: ims-post-upgrade
+ namespace: {{ .Values.ims_config.cray_ims_service_namespace }}
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": post-upgrade
+spec:
+ template:
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: ims-post-upgrade-hook1-container
+ image: "baseos/alpine:3.13"
+ command:
+ - bin/sh
+ - -c
+ - chown -Rv 65534:65534 /var/ims/data
+ volumeMounts:
+ - mountPath: /var/ims/data
+ name: cray-ims-data
+ volumes:
+ - name: cray-ims-data
+ persistentVolumeClaim:
+ claimName: cray-ims-data-claim
diff --git a/kubernetes/cray-ims/values.yaml b/kubernetes/cray-ims/values.yaml
@@ -56,7 +56,7 @@ cray-service:
  repository: cray/cray-ims-service
  ports:
  - name: http
- containerPort: 80
+ containerPort: 9000
  envFrom:
  - configMapRef:
  name: ims-config
@@ -94,15 +94,15 @@ cray-service:
  mountPath: /mnt/ims/v2/job_templates/customize
  livenessProbe:
  httpGet:
- port: 80
+ port: 9000
  path: /healthz/live
  initialDelaySeconds: 5
  periodSeconds: 60
  timeoutSeconds: 5
  failureThreshold: 3
  readinessProbe:
  httpGet:
- port: 80
+ port: 9000
  path: /healthz/ready
  initialDelaySeconds: 5
  periodSeconds: 10