From 1e9f0f0fe0de7a313f744c06fa346deaa5c3855b Mon Sep 17 00:00:00 2001 From: Marek Skrobacki Date: Mon, 25 Nov 2024 11:55:21 +0000 Subject: [PATCH] dockerfiles: switch to hardcoded UIDs Based on the discussion in https://github.com/rackerlabs/understack/pull/499#discussion_r1852786416 this commit removes the repetitive directives to set the application UIDs, GIDs as well as the name and home directory. The new, standardised way is to use: - user with name appuser and UID 1000 - group with name appgroup and GID 1000 - location of the code in /app --- containers/bmc-utils/Dockerfile.bmc_utils | 19 ++---------- .../Dockerfile.ironic-nautobot-client | 22 +++----------- .../Dockerfile.python311_alpine | 30 ++++++++----------- .../Dockerfile.python312_alpine | 30 ++++++++----------- 4 files changed, 31 insertions(+), 70 deletions(-) diff --git a/containers/bmc-utils/Dockerfile.bmc_utils b/containers/bmc-utils/Dockerfile.bmc_utils index 69a30144..ceebb76a 100644 --- a/containers/bmc-utils/Dockerfile.bmc_utils +++ b/containers/bmc-utils/Dockerfile.bmc_utils @@ -2,21 +2,10 @@ ARG BASE=ghcr.io/rackerlabs/understack/argo-python3.11.8-alpine3.19:latest FROM ${BASE} AS builder -ARG APP_PATH=/app -ARG APP_USER=appuser -ARG APP_GROUP=appgroup -ARG APP_USER_UID=1000 -ARG APP_GROUP_GID=1000 - -COPY --chown=${APP_USER}:${APP_GROUP} requirements.txt /app +COPY --chown=appuser:appgroup requirements.txt /app RUN --mount=type=cache,target=/root/.cache/.pip pip install --no-cache-dir -r /app/requirements.txt FROM ${BASE} AS prod -ARG APP_PATH=/app -ARG APP_USER=appuser -ARG APP_GROUP=appgroup -ARG APP_USER_UID=1000 -ARG APP_GROUP_GID=1000 LABEL org.opencontainers.image.title="Python 3.11 image with BMC utils" LABEL org.opencontainers.image.base.name="ghcr.io/rackerlabs/understack/argo-bmc-utils-python3.11.8" @@ -26,8 +15,6 @@ ENV PATH="/opt/venv/bin:$PATH" COPY --from=builder /opt/venv /opt/venv WORKDIR /app - -USER $APP_USER - -COPY --chown=${APP_USER}:${APP_GROUP} code/ /app +USER appuser +COPY --chown=appuser:appgroup code/ /app CMD ["python", "-"] diff --git a/containers/ironic-nautobot-client/Dockerfile.ironic-nautobot-client b/containers/ironic-nautobot-client/Dockerfile.ironic-nautobot-client index 78e1499d..40b8cc98 100644 --- a/containers/ironic-nautobot-client/Dockerfile.ironic-nautobot-client +++ b/containers/ironic-nautobot-client/Dockerfile.ironic-nautobot-client @@ -1,12 +1,6 @@ ARG BASE=ghcr.io/rackerlabs/understack/argo-python3.11.8-alpine3.19:latest FROM ${BASE} AS builder -ARG APP_PATH=/app -ARG APP_USER=appuser -ARG APP_GROUP=appgroup -ARG APP_USER_UID=1000 -ARG APP_GROUP_GID=1000 - RUN --mount=type=cache,target=/var/cache/apk apk add --virtual build-deps gcc python3-dev musl-dev linux-headers RUN --mount=type=cache,target=/root/.cache/.pip pip install 'wheel==0.43.0' RUN --mount=type=cache,target=/root/.cache/.pip \ @@ -15,29 +9,21 @@ RUN --mount=type=cache,target=/root/.cache/.pip \ /opt/poetry/bin/poetry self add 'poetry-dynamic-versioning[plugin]==1.3.0' # copy in the code -COPY --chown=${APP_USER}:${APP_GROUP} python/understack-workflows /app -COPY --chown=${APP_USER}:${APP_GROUP} python/understack-flavor-matcher /understack-flavor-matcher +COPY --chown=appuser:appgroup python/understack-workflows /app +COPY --chown=appuser:appgroup python/understack-flavor-matcher /understack-flavor-matcher # need netifaces built as a wheel RUN --mount=type=cache,target=/root/.cache/.pip pip wheel --wheel-dir /app/dist netifaces # build wheels and requirements.txt, skip hashes due to building of netifaces above which won't match RUN cd /app && /opt/poetry/bin/poetry build -f wheel && /opt/poetry/bin/poetry export --without-hashes -f requirements.txt -o dist/requirements.txt FROM ${BASE} AS prod -ARG APP_PATH=/app -ARG APP_USER=appuser -ARG APP_GROUP=appgroup -ARG APP_USER_UID=1000 -ARG APP_GROUP_GID=1000 - - LABEL org.opencontainers.image.description="UnderStack Workflows" - WORKDIR /app RUN mkdir -p /opt/venv/wheels/ COPY --from=builder /app/dist/*.whl /app/dist/requirements.txt /opt/venv/wheels/ -COPY --chown=${APP_USER}:${APP_GROUP} python/understack-flavor-matcher /understack-flavor-matcher +COPY --chown=appuser:appgroup python/understack-flavor-matcher /understack-flavor-matcher RUN --mount=type=cache,target=/root/.cache/.pip /opt/venv/bin/pip install --find-links /opt/venv/wheels/ --only-binary netifaces -r /opt/venv/wheels/requirements.txt understack-workflows -USER $APP_USER +USER appuser diff --git a/containers/python311_alpine/Dockerfile.python311_alpine b/containers/python311_alpine/Dockerfile.python311_alpine index f981e98b..5cbbbc06 100644 --- a/containers/python311_alpine/Dockerfile.python311_alpine +++ b/containers/python311_alpine/Dockerfile.python311_alpine @@ -9,36 +9,30 @@ ENV PYTHONUNBUFFERED=1 RUN python -m venv /opt/venv ENV PATH="/opt/venv/bin:$PATH" -ARG APP_PATH=/app -ARG APP_USER=appuser -ARG APP_GROUP=appgroup -ARG APP_USER_UID=1000 -ARG APP_GROUP_GID=1000 - -RUN addgroup -g $APP_GROUP_GID -S $APP_GROUP && \ - adduser -S -s /sbin/nologin -u $APP_USER_UID -G $APP_GROUP $APP_USER && \ - mkdir $APP_PATH && \ - chown $APP_USER:$APP_GROUP $APP_PATH +RUN addgroup -g 1000 -S appgroup && \ + adduser -S -s /sbin/nologin -u 1000 -G appgroup appuser && \ + mkdir /app && \ + chown appuser:appgroup /app WORKDIR /app CMD ["python", "-"] +# Instructions for using this template as a base image: +# 1. Place your Python code in /app. +# 2. A pre-created Python virtual environment is available in /opt/venv. +# 3. Run your application as user 'appuser' with UID=1000. This account has been pre-created. +# Note: After installing dependencies, switch back to `USER appuser` if root access was required at build time. +# # Example usage in final image # FROM ghcr.io/rackerlabs/understack/argo-python3.11.8-alpine3.19 # -# # This section needs to be repeated in child images -# ARG APP_PATH=/app -# ARG APP_USER=appuser -# ARG APP_GROUP=appgroup -# ARG APP_USER_UID=1000 -# ARG APP_GROUP_GID=1000 -# -# # RUN --mount=type=cache,target=/var/cache/apk apk add --virtual build-deps gcc python3-dev musl-dev linux-headers # RUN --mount=type=cache,target=/root/.cache/.pip pip install --no-cache-dir python-ironicclient==5.4.0 # # FROM ghcr.io/rackerlabs/understack/argo-python3.11.8-alpine3.19 as prod # ENV PATH="/opt/venv/bin:$PATH" # COPY --from=builder /opt/venv /opt/venv +# USER appuser # +# COPY --chown=appuser:appgroup src/ /app/code # WORKDIR /app # CMD ["python", "-"] diff --git a/containers/python312_alpine/Dockerfile.python312_alpine b/containers/python312_alpine/Dockerfile.python312_alpine index 08c8dcf1..e7b6faf2 100644 --- a/containers/python312_alpine/Dockerfile.python312_alpine +++ b/containers/python312_alpine/Dockerfile.python312_alpine @@ -9,36 +9,30 @@ ENV PYTHONUNBUFFERED=1 RUN python -m venv /opt/venv ENV PATH="/opt/venv/bin:$PATH" -ARG APP_PATH=/app -ARG APP_USER=appuser -ARG APP_GROUP=appgroup -ARG APP_USER_UID=1000 -ARG APP_GROUP_GID=1000 - -RUN addgroup -g $APP_GROUP_GID -S $APP_GROUP && \ - adduser -S -s /sbin/nologin -u $APP_USER_UID -G $APP_GROUP $APP_USER && \ - mkdir $APP_PATH && \ - chown $APP_USER:$APP_GROUP $APP_PATH +RUN addgroup -g 1000 -S appgroup && \ + adduser -S -s /sbin/nologin -u 1000 -G appgroup appuser && \ + mkdir /app && \ + chown appuser:appgroup /app WORKDIR /app CMD ["python", "-"] +# Instructions for using this template as a base image: +# 1. Place your Python code in /app. +# 2. A pre-created Python virtual environment is available in /opt/venv. +# 3. Run your application as user 'appuser' with UID=1000. This account has been pre-created. +# Note: After installing dependencies, switch back to `USER appuser` if root access was required at build time. +# # Example usage in final image # FROM ghcr.io/rackerlabs/understack/argo-python3.12.2-alpine3.19 # -# # This section needs to be repeated in child images -# ARG APP_PATH=/app -# ARG APP_USER=appuser -# ARG APP_GROUP=appgroup -# ARG APP_USER_UID=1000 -# ARG APP_GROUP_GID=1000 -# -# # RUN --mount=type=cache,target=/var/cache/apk apk add --virtual build-deps gcc python3-dev musl-dev linux-headers # RUN --mount=type=cache,target=/root/.cache/.pip pip install --no-cache-dir python-ironicclient==5.4.0 # # FROM ghcr.io/rackerlabs/understack/argo-python3.12.2-alpine3.19 as prod # ENV PATH="/opt/venv/bin:$PATH" # COPY --from=builder /opt/venv /opt/venv +# USER appuser # +# COPY --chown=appuser:appgroup src/ /app/code # WORKDIR /app # CMD ["python", "-"]