From 669f74349e90d737a96a966873d5f52a281073bc Mon Sep 17 00:00:00 2001 From: ecozzi-hpe <76960215+ecozzi-hpe@users.noreply.github.com> Date: Mon, 27 Sep 2021 16:35:53 -0500 Subject: [PATCH] CASMCMS-7434 Change to non-root user --- Dockerfile | 30 ++++++++++++------- Makefile | 1 - README.md | 8 ++--- config/gunicorn.py | 2 +- .../cray-ims/templates/post_upgrade_hook.yaml | 27 +++++++++++++++++ kubernetes/cray-ims/values.yaml | 6 ++-- 6 files changed, 55 insertions(+), 19 deletions(-) create mode 100644 kubernetes/cray-ims/templates/post_upgrade_hook.yaml diff --git a/Dockerfile b/Dockerfile index 0582724..3e9a7c7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,15 +24,23 @@ # Create 'base' image target FROM artifactory.algol60.net/docker.io/alpine:3.13 as base WORKDIR /app -RUN mkdir -p /var/ims/data -VOLUME ["/var/ims/data"] +RUN mkdir -p /var/ims/data /app /results && \ + chown -Rv 65534:65534 /var/ims/data /app /results +VOLUME ["/var/ims/data", "/results"] -ADD requirements.txt constraints.txt /app/ RUN apk add --upgrade --no-cache apk-tools && \ apk update && \ apk add --no-cache gcc py3-pip python3-dev musl-dev libffi-dev openssl-dev && \ - apk -U upgrade --no-cache && \ - PIP_INDEX_URL=https://arti.dev.cray.com:443/artifactory/api/pypi/pypi-remote/simple \ + apk -U upgrade --no-cache + +USER 65534:65534 + +ADD requirements.txt constraints.txt /app/ +ENV VIRTUAL_ENV=/app/venv +RUN python3 -m venv $VIRTUAL_ENV +ENV PATH="$VIRTUAL_ENV/bin:$PATH" + +RUN PIP_INDEX_URL=https://arti.dev.cray.com:443/artifactory/api/pypi/pypi-remote/simple \ PIP_TRUSTED_HOST=arti.dev.cray.com \ pip3 install --no-cache-dir -U pip && \ pip3 install --no-cache-dir -U wheel && \ 
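Review bot: The re-added `ADD requirements.txt constraints.txt /app/` after `USER 65534:65534` still uses ADD for plain local files, and ADD/COPY write files as root regardless of the active USER, so these two files end up root-owned inside the directory the hunk just chowned; `COPY --chown=65534:65534 requirements.txt constraints.txt /app/` keeps ownership consistent and matches the `COPY` form the application stage already uses. UID 65534 is Alpine's shared `nobody` account, so the service now runs under the same identity as anything else mapped to nobody (NFS root squash, other images on the node); a dedicated system user (`adduser -S -u <uid>`, placeholder) would give the process its own identity — worth considering, not blocking. The `mkdir -p ... /app` is redundant with the `WORKDIR /app` two lines above, which already creates it. The `RUN python3 -m venv $VIRTUAL_ENV` step succeeds as 65534 only because `/app` was chowned first; a one-line comment, `# venv is created by the service user, so /app must already be owned by 65534`, would record that ordering dependency.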
@@ -43,19 +51,21 @@ COPY src/ /app/src/ # Run unit tests FROM base as testing + ADD docker_test_entry.sh /app/ ADD requirements-test.txt /app/ RUN pip3 install -r /app/requirements-test.txt + COPY tests /app/tests ARG FORCE_TESTS=null CMD [ "./docker_test_entry.sh" ] # Run openapi validation on openapi.yaml FROM arti.dev.cray.com/third-party-docker-stable-local/openapitools/openapi-generator-cli:v5.1.0 as openapi-validator -RUN mkdir /api -COPY api/openapi.yaml /api +RUN mkdir /tmp/api +COPY api/openapi.yaml /tmp/api/ ARG FORCE_OPENAPI_VALIDATION_CHECK=null -RUN docker-entrypoint.sh validate -i /api/openapi.yaml || true +RUN docker-entrypoint.sh validate -i /tmp/api/openapi.yaml || true # Run code style checkers FROM testing as codestyle @@ -67,8 +77,8 @@ CMD [ "./runCodeStyleCheck.sh" ] # Build Application Image FROM base as application -EXPOSE 80 +EXPOSE 9000 # RUN apk add --no-cache py3-gunicorn py3-gevent py3-greenlet -copy .version /app/ +COPY .version /app/ COPY config/gunicorn.py /app/ ENTRYPOINT ["gunicorn", "-c", "/app/gunicorn.py", "src.server.app:app"] diff --git a/Makefile b/Makefile index 64b169a..8902552 100644 --- a/Makefile +++ b/Makefile @@ -63,7 +63,6 @@ unittests: chart_setup: mkdir -p ${CHART_PATH}/.packaged - printf "\nglobal:\n appVersion: ${CHART_VERSION}" >> ${CHART_PATH}/${NAME}/values.yaml chart_package: helm dep up ${CHART_PATH}/${NAME} diff --git a/README.md b/README.md index ecec246..6d00b0b 100644 --- a/README.md +++ b/README.md @@ -174,7 +174,7 @@ The image can be run with the following command: ```bash $ docker run --rm --name ims-service \ - -p 5000:80 \ + -p 9000:9000 \ -e "S3_ACCESS_KEY=minioadmin" \ -e "S3_SECRET_KEY=minioadmin" \ -e "S3_ENDPOINT=172.17.0.2:9000" \ 
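Review bot: `RUN docker-entrypoint.sh validate -i /tmp/api/openapi.yaml || true` is rewritten here but keeps the `|| true`, so a failed validation never fails the build and the `ARG FORCE_OPENAPI_VALIDATION_CHECK` line above it can only re-run the check, not enforce it; if the stage is meant to gate the build, drop the `|| true` (or make it conditional on the ARG). `RUN mkdir /tmp/api` is redundant, since `COPY api/openapi.yaml /tmp/api/` creates the target directory itself. The move from `/api` to `/tmp/api` is presumably because the openapi-generator-cli image does not run as root; a short comment saying so would save the next reader guessing. In the testing stage, `RUN pip3 install -r /app/requirements-test.txt` now runs as the 65534 user inherited from `base`, into the venv created there, which works only as long as `/app` stays owned by that UID.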
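Review bot: The application stage relies on the `USER 65534:65534` inherited from `base` rather than declaring it, so nothing in the stage that actually ships states the runtime identity; an explicit `USER 65534:65534` before the `ENTRYPOINT` line would make it visible to readers and to linters that only inspect the final stage. `EXPOSE 9000` matches the gunicorn bind and the values.yaml ports in this commit, and a comment such as `# unprivileged port: the service runs as UID 65534 and cannot bind 80` would explain why the port moved. `COPY .version /app/` and `COPY config/gunicorn.py /app/` produce root-owned files, which is fine here because the service only reads them.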
@@ -185,14 +185,14 @@ $ docker run --rm --name ims-service \ ims-service:dev ``` -This will start the IMS server on `http://localhost:5000`. An S3 instance is +This will start the IMS server on `http://localhost:9000`. An S3 instance is required for the IMS server to do anything meaningful. See the [Configuration Options](#Configuration-Options) section for more information and further configuration possibilities. ``` -$ curl http://127.0.0.1:5000/images +$ curl http://127.0.0.1:9000/images [] -$ curl http://127.0.0.1:5000/recipes +$ curl http://127.0.0.1:9000/recipes [] ``` diff --git a/config/gunicorn.py b/config/gunicorn.py index 26e14c6..a6858d0 100644 --- a/config/gunicorn.py +++ b/config/gunicorn.py @@ -23,7 +23,7 @@ # Gunicorn settings for IMS import os -bind = "0.0.0.0:80" +bind = "0.0.0.0:9000" # workers = int(os.environ.get('WORKERS', 1)) # Worker diff --git a/kubernetes/cray-ims/templates/post_upgrade_hook.yaml b/kubernetes/cray-ims/templates/post_upgrade_hook.yaml new file mode 100644 index 0000000..5eeda70 --- /dev/null +++ b/kubernetes/cray-ims/templates/post_upgrade_hook.yaml @@ -0,0 +1,27 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: ims-post-upgrade + namespace: {{ .Values.ims_config.cray_ims_service_namespace }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": post-upgrade +spec: + template: + spec: + restartPolicy: Never + containers: + - name: ims-post-upgrade-hook1-container + image: "baseos/alpine:3.13" + command: + - bin/sh + - -c + - chown -Rv 65534:65534 /var/ims/data + volumeMounts: + - mountPath: /var/ims/data + name: cray-ims-data + volumes: + - name: cray-ims-data + persistentVolumeClaim: + claimName: cray-ims-data-claim \ No newline at end of file diff --git a/kubernetes/cray-ims/values.yaml b/kubernetes/cray-ims/values.yaml index 67da91a..d8e0389 100644 --- a/kubernetes/cray-ims/values.yaml +++ b/kubernetes/cray-ims/values.yaml 
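Review bot: `bind = "0.0.0.0:9000"` records the new port but not why it changed, and the reason is not recoverable from this file alone; a comment above it, `# Port above 1024: the container runs as an unprivileged user (see Dockerfile USER) and cannot bind 80`, would tie the value to the Dockerfile, README and values.yaml ports that must stay in sync. Since the port is now mirrored in four files, reading it from the environment with a default, `bind = "0.0.0.0:" + os.environ.get("PORT", "9000")`, would leave one place to change; `os` is already imported two lines above.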
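Review bot: The hook runs only on `post-upgrade`, so a fresh install gets a PVC whose ownership is whatever the storage provisioner sets (commonly root) and the service, now running as 65534, may be unable to write `/var/ims/data`; `"helm.sh/hook": post-install,post-upgrade` covers both paths, and for volume types that support it a pod-level `securityContext.fsGroup: 65534` in the service chart would have Kubernetes apply the group ownership at mount time and make this Job unnecessary. `command: - bin/sh` is a relative path that only works because the container's working directory happens to be `/`; use `/bin/sh`. `chown -Rv` walks and logs every file on the volume on each upgrade, which can be slow on a large PVC and noisy in the Job logs; `-R` without `-v` is enough. The Job declares no `backoffLimit`, so a failing chown is retried with the Job default of 6 attempts before the upgrade reports failure — state the intent explicitly with `backoffLimit: <n>` (placeholder). The image reference `baseos/alpine:3.13` is unqualified, unlike the `artifactory.algol60.net/docker.io/alpine:3.13` used in the Dockerfile; it presumably resolves through a cluster-local mirror, which is worth confirming.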
@@ -56,7 +56,7 @@ cray-service: repository: cray/cray-ims-service ports: - name: http - containerPort: 80 + containerPort: 9000 envFrom: - configMapRef: name: ims-config @@ -94,7 +94,7 @@ cray-service: mountPath: /mnt/ims/v2/job_templates/customize livenessProbe: httpGet: - port: 80 + port: 9000 path: /healthz/live initialDelaySeconds: 5 periodSeconds: 60 @@ -102,7 +102,7 @@ cray-service: failureThreshold: 3 readinessProbe: httpGet: - port: 80 + port: 9000 path: /healthz/ready initialDelaySeconds: 5 periodSeconds: 10
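Review bot: The port is updated in the container spec and both probes, but nothing in this section declares the non-root identity the Dockerfile now sets — `securityContext: runAsNonRoot: true` / `runAsUser: 65534` on the pod or container — so the guarantee rests solely on the image's `USER` line and cannot be verified or enforced by the cluster. If the cray-service chart exposes a securityContext value (not visible in this hunk), setting it alongside the port change would complete the commit from the scheduler's side. The three port hunks (`-56`, `-94`, `-102`) agree with each other and with `EXPOSE 9000`; the containerPort name `http` is unchanged, so a Service using `targetPort: http` keeps resolving — assuming the Service references the port by name, which this hunk does not show.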