generated from ministryofjustice/analytical-platform-image-build-template
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
9 changed files
with
136 additions
and
140 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,49 +1,75 @@ | ||
| # checkov:skip=CKV_DOCKER_2:Healthcheck instructions have not been added to container images | ||
| # This image is an example base image for this template and can be replaced to fit user needs | ||
| FROM public.ecr.aws/ubuntu/ubuntu@sha256:12fb86d81bc4504d8261a91c83c54b9e5dcdf1d833ba0fe42ec9e0ee09a2b0ba | ||
| # hadolint global ignore=DL3008 | ||
|
|
||
| LABEL org.opencontainers.image.vendor="Ministry of Justice" \ | ||
| org.opencontainers.image.authors="Analytical Platform ([email protected])"\ | ||
| org.opencontainers.image.title="{image title}" \ | ||
| org.opencontainers.image.description="{decription}" \ | ||
| org.opencontainers.image.url="{your repo url}" | ||
| ARG r=4.3.2 | ||
| FROM rocker/r-ver:${r} | ||
|
|
||
| ENV CONTAINER_USER="analyticalplatform" \ | ||
| CONTAINER_UID="1000" \ | ||
| CONTAINER_GROUP="analyticalplatform" \ | ||
| CONTAINER_GID="1000" \ | ||
| DEBIAN_FRONTEND="noninteractive" | ||
| ARG shinyserver=1.5.20.1002 | ||
| ENV SHINY_SERVER_VERSION=${shinyserver} | ||
| ENV PANDOC_VERSION=default | ||
| RUN /rocker_scripts/install_shiny_server.sh | ||
|
|
||
| SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"] | ||
| ENV STRINGI_DISABLE_PKG_CONFIG=true \ | ||
| AWS_DEFAULT_REGION=eu-west-1 \ | ||
| TZ=Etc/UTC \ | ||
| LC_ALL=C.UTF-8 | ||
|
|
||
| # User | ||
| RUN <<EOF | ||
| groupadd \ | ||
| --gid ${CONTAINER_GID} \ | ||
| ${CONTAINER_GROUP} | ||
| WORKDIR /srv/shiny-server | ||
|
|
||
| useradd \ | ||
| --uid ${CONTAINER_UID} \ | ||
| --gid ${CONTAINER_GROUP} \ | ||
| --create-home \ | ||
| --shell /bin/bash \ | ||
| ${CONTAINER_USER} | ||
| EOF | ||
| # Cleanup shiny-server dir | ||
| RUN rm -rf ./* | ||
|
|
||
| # Base | ||
| RUN <<EOF | ||
| apt-get update --yes | ||
| # Make sure the directory for individual app logs exists | ||
| RUN mkdir -p /var/log/shiny-server | ||
|
|
||
| apt-get install --yes \ | ||
| "apt-transport-https=2.4.12" \ | ||
| "curl=7.81.0-1ubuntu1.16" | ||
| # Ensure Python venv is installed (used by reticulate). | ||
| RUN apt-get update -y && \ | ||
| apt-get install -y \ | ||
| python3 \ | ||
| python3-pip \ | ||
| python3-venv \ | ||
| python3-dev \ | ||
| libxml2-dev \ | ||
| libssl-dev \ | ||
| libudunits2-dev \ | ||
| libgdal-dev \ | ||
| libgeos-dev \ | ||
| libproj-dev\ | ||
| gdal-bin \ | ||
| git \ | ||
| libssl-dev \ | ||
| libsqlite3-dev \ | ||
| python3-boto \ | ||
| xtail | ||
|
|
||
| apt-get clean --yes | ||
|
|
||
| rm --force --recursive /var/lib/apt/lists/* | ||
| EOF | ||
| # APT Cleanup | ||
| RUN apt-get clean && rm -rf /var/lib/apt/lists/ | ||
|
|
||
| USER ${CONTAINER_USER} | ||
| COPY shiny-server.conf /etc/shiny-server/shiny-server.conf | ||
| COPY shiny-server.sh /usr/bin/shiny-server.sh | ||
| COPY gather_env_vars.py . | ||
|
|
||
| WORKDIR /home/${CONTAINER_USER} | ||
| # Patch the shiny server to allow custom headers | ||
| RUN sed -i 's/createWebSocketClient(pathInfo)/createWebSocketClient(pathInfo, conn.headers)/' /opt/shiny-server/lib/proxy/sockjs.js | ||
| RUN sed -i "s/'referer'/'referer', 'cookie', 'user_email'/" /opt/shiny-server/node_modules/sockjs/lib/transport.js | ||
|
|
||
| # Shiny runs as 'shiny' user, adjust app directory permissions | ||
| RUN groupmod -g 998 shiny | ||
| RUN usermod -u 998 -g 998 shiny | ||
| RUN chown -R 998:998 . | ||
| RUN chown -R 998:998 /etc/shiny-server | ||
| RUN chown -R 998:998 /var/lib/shiny-server | ||
|
|
||
| RUN chown -R 998:998 /opt/shiny-server | ||
| RUN chown -R 998:998 /var/log/shiny-server | ||
| RUN chown -R 998:998 /etc/init.d/shiny-server | ||
| RUN chown -R 998:998 /usr/local/lib/R/etc | ||
| RUN chown -R 998:998 /usr/local/lib/R/site-library | ||
| RUN chown 998:998 /usr/bin/shiny-server.sh | ||
| RUN chmod +x /usr/bin/shiny-server.sh | ||
|
|
||
| RUN chown 998:998 /etc/profile | ||
|
|
||
| EXPOSE 9999 | ||
|
|
||
| CMD ["/usr/bin/shiny-server.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,96 +1,7 @@ | ||
| # Analytical Platform Image Build Template | ||
| # Analytical Platform RShiny Open Source Base | ||
|
|
||
| [](https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/public-report/analytical-platform-image-build-template) | ||
|
|
||
| This template repository equips you with the default initial files for building a container used in Analytical Platform. | ||
| [](https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/public-report/analytical-platform-rshiny-open-source-base) | ||
|
|
||
| This repository is managed in Terraform [here](https://github.com/ministryofjustice/data-platform-github-access/blob/main/terraform/github/analytical-platform-repositories.tf). | ||
|
|
||
| ## Included Files | ||
|
|
||
| The repository comes with the following preset files: | ||
|
|
||
| <!-- generated with `tree -a -I '.git'` --> | ||
| ```text | ||
| ├── .devcontainer | ||
| │ ├── devcontainer.json | ||
| │ └── devcontainer-lock.json | ||
| ├── Dockerfile | ||
| ├── .editorconfig | ||
| ├── .github | ||
| │ ├── CODEOWNERS | ||
| │ ├── dependabot.yml | ||
| │ └── workflows | ||
| │ ├── build-and-test.yml | ||
| │ ├── dependency-review.yml | ||
| │ ├── release.yml | ||
| │ ├── scan-image.yml | ||
| │ └── super-linter.yml | ||
| ├── .gitignore | ||
| ├── LICENSE | ||
| ├── Makefile | ||
| ├── README.md | ||
| └── test | ||
| └── container-structure-test.yml | ||
| ``` | ||
|
|
||
| ## Setup Instructions | ||
|
|
||
| Once you've created your repository using this template, perform the following steps: | ||
|
|
||
| ### Update README | ||
|
|
||
| Edit this README.md file to document your project accurately. Take the time to create a clear, engaging, and informative README.md file. Include information like what your project does, how to install and run it, how to contribute, and any other pertinent details. | ||
|
|
||
| ### Update repository description | ||
|
|
||
| After you've created your repository, GitHub provides a brief description field that appears on the top of your repository's main page. This is a summary that gives visitors quick insight into the project. Using this field to provide a succinct overview of your repository is highly recommended. | ||
|
|
||
| This description and your README.md will be one of the first things people see when they visit your repository. It's a good place to make a strong, concise first impression. Remember, this is often visible in search results on GitHub and search engines, so it's also an opportunity to help people discover your project. | ||
|
|
||
| ### Grant Team Permissions | ||
|
|
||
| Assign permissions to the appropriate Ministry of Justice teams. Ensure at least one team is granted Admin permissions. Whenever possible, assign permissions to teams rather than individual users. | ||
|
|
||
| ### Read about the GitHub Repository Standards | ||
|
|
||
| Familiarise yourself with the Ministry of Justice GitHub Repository Standards. These standards ensure consistency, maintainability, and best practices across all our repositories. | ||
|
|
||
| You can find the standards [here](https://operations-engineering.service.justice.gov.uk/documentation/services/repository-standards.html). | ||
|
|
||
| Please read and understand these standards thoroughly and enable them when you feel comfortable. | ||
|
|
||
| ### Modify the GitHub Repository Standards Badge | ||
|
|
||
| Once you've ensured that all the [GitHub Repository Standards](https://operations-engineering.service.justice.gov.uk/documentation/services/repository-standards.html) have been applied to your repository, it's time to update the Ministry of Justice (MoJ) Compliance Badge located in the README file. | ||
|
|
||
| The badge demonstrates that your repository is compliant with MoJ's standards. Please follow these [instructions](https://operations-engineering.service.justice.gov.uk/documentation/runbooks/services/add-repo-badge.html) to modify the badge URL to reflect the status of your repository correctly. | ||
|
|
||
| **Please note** the badge will not function correctly if your repository is internal or private. In this case, you may remove the badge from your README. | ||
|
|
||
| ### Manage Outside Collaborators | ||
|
|
||
| To add an Outside Collaborator to the repository, follow the guidelines detailed [here](https://github.com/ministryofjustice/github-collaborators). | ||
|
|
||
| ### Update CODEOWNERS | ||
|
|
||
| (Optional) Modify the CODEOWNERS file to specify the teams or users authorized to approve pull requests. | ||
|
|
||
| ### Configure Dependabot | ||
|
|
||
| Adapt the dependabot.yml file to match your project's [dependency manager](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) and to enable [automated pull requests for package updates](https://docs.github.com/en/code-security/supply-chain-security). | ||
|
|
||
| ### Dependency Review | ||
|
|
||
| If your repository is private with no GitHub Advanced Security license, remove the `.github/workflows/dependency-review.yml` file. | ||
|
|
||
| ### Dockerfile | ||
|
|
||
| Make sure to add your own build logic to the bottom of the `Dockerfile`. | ||
|
|
||
| ### Tests | ||
|
|
||
| > [!NOTE] | ||
| > No application testing has been added to this template, this is to be implemented by the developer as required. | ||
| Please make sure to add any additional container structure tests needed to the `container-structure-test.yml`. | ||
| This source had no README. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| import os | ||
|
|
||
| R_ENV_FILE_NAME = "/srv/shiny-server/.Renviron" | ||
| R_ENV_FILE_NAME1 = "/home/shiny/.Renviron" | ||
|
|
||
|
|
||
| def gather_env_vars_to_renv_file(): | ||
| with open(R_ENV_FILE_NAME, "a") as file_handler: | ||
| for name, value in os.environ.items(): | ||
| file_handler.write(f'{name}="{value}"') | ||
| file_handler.write("\n") | ||
|
|
||
| with open(R_ENV_FILE_NAME1, "a") as file_handler: | ||
| for name, value in os.environ.items(): | ||
| file_handler.write(f'{name}="{value}"') | ||
| file_handler.write("\n") | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| gather_env_vars_to_renv_file() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # Instruct Shiny Server to run applications as the user "shiny" | ||
| run_as shiny; | ||
|
|
||
| app_init_timeout 600; | ||
|
|
||
| # Define a server that listens on port 9999 | ||
| server { | ||
| listen 9999; | ||
|
|
||
| # Define a location at the base URL | ||
| location / { | ||
|
|
||
| # Host the directory of Shiny Apps stored in this directory | ||
| site_dir /srv/shiny-server; | ||
|
|
||
| # Log all Shiny output to files in this directory | ||
| log_dir /var/log/shiny-server; | ||
|
|
||
| # When a user visits the base URL rather than a particular application, | ||
| # an index of the applications available in this directory will be shown. | ||
| directory_index on; | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| #!/bin/sh | ||
|
|
||
| # Make sure the directory for individual app logs exists | ||
| mkdir -p /var/log/shiny-server | ||
| chown shiny.shiny /var/log/shiny-server | ||
|
|
||
| if [ "$APPLICATION_LOGS_TO_STDOUT" != "false" ]; | ||
| then | ||
| # push the "real" application logs to stdout with xtail in detached mode | ||
| exec xtail /var/log/shiny-server/ & | ||
| fi | ||
|
|
||
| python3 ./gather_env_vars.py | ||
|
|
||
| # start shiny server | ||
| exec shiny-server 2>&1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters