cwinfo/powerdns-admin
5
0
Fork 0
mirror of https://github.com/cwinfo/powerdns-admin.git synced 2024-12-04 19:15:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

USER instruction enabled in Dockerfile

Browse Source 
- avoid running gunicorn as root user
- use setcap to allow gunicorn starting with a privileged port
- write permission only on /app/configs folder
- su command removed from entrypoint.sh, because it runs as pda user
This commit is contained in:
Birk Bohne 2020-09-19 19:58:51 +02:00
parent 4e63f8380b
commit 9228128907
2 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
docker/Dockerfile
View File

@ -74,22 +74,28 @@ RUN pip install pip-autoremove && \
# Build image
FROM alpine:3.11
ENV FLASK_APP=/app/powerdnsadmin/__init__.py
ENV FLASK_APP=/app/powerdnsadmin/__init__.py \
USER=pda
RUN apk add --no-cache mariadb-connector-c postgresql-client py3-gunicorn py3-psycopg2 xmlsec tzdata && \
addgroup -S pda && \
adduser -S -D -G pda pda && \
RUN apk add --no-cache mariadb-connector-c postgresql-client py3-gunicorn py3-psycopg2 xmlsec tzdata libcap && \
addgroup -S ${USER} && \
adduser -S -D -G ${USER} ${USER} && \
mkdir /data && \
chown pda:pda /data
chown ${USER}:${USER} /data && \
setcap cap_net_bind_service=+ep $(readlink -f /usr/bin/python3) && \
apk del libcap
COPY --from=builder /usr/bin/flask /usr/bin/
COPY --from=builder /usr/lib/python3.8/site-packages /usr/lib/python3.8/site-packages/
COPY --from=builder --chown=pda:pda /app /app/
COPY --from=builder --chown=root:${USER} /app /app/
COPY ./docker/entrypoint.sh /usr/bin/
WORKDIR /app
RUN chown ${USER}:${USER} ./configs && \
cat ./powerdnsadmin/default_config.py ./configs/docker_config.py > ./powerdnsadmin/docker_config.py
EXPOSE 80/tcp
USER ${USER}
HEALTHCHECK CMD ["wget","--output-document=-","--quiet","--tries=1","http://127.0.0.1/"]
ENTRYPOINT ["entrypoint.sh"]
CMD ["gunicorn","powerdnsadmin:create_app()","--user","pda","--group","pda"]
CMD ["gunicorn","powerdnsadmin:create_app()"]

6
docker/entrypoint.sh
View File

@ -7,13 +7,9 @@ GUNICORN_WORKERS="${GUNICORN_WORKERS:-4}"
GUNICORN_LOGLEVEL="${GUNICORN_LOGLEVEL:-info}"
BIND_ADDRESS="${BIND_ADDRESS:-0.0.0.0:80}"
cat ./powerdnsadmin/default_config.py ./configs/docker_config.py > ./powerdnsadmin/docker_config.py
GUNICORN_ARGS="-t ${GUNICORN_TIMEOUT} --workers ${GUNICORN_WORKERS} --bind ${BIND_ADDRESS} --log-level ${GUNICORN_LOGLEVEL}"
if [ "$1" == gunicorn ]; then
# run as user pda so that if a SQLite database is generated it is writeable
# by that user
su pda -s /bin/sh -c "flask db upgrade"
/bin/sh -c "flask db upgrade"
exec "$@" $GUNICORN_ARGS
else