Run everything as non-root

2024-01-14 12:59:31 +00:00 · 2024-01-14 12:59:31 +00:00 · bbf7411f50
parent f5a18fdca0
commit bbf7411f50
8 changed files with 14 additions and 10 deletions
--- a/4
+++ b/4
@ -43,7 +43,7 @@ ENV PATH=$VIRTUAL_ENV/bin:$PATH \

 EXPOSE 8000

-RUN ln -fs /app/etc/nginx.conf /etc/nginx/sites-available/default
+RUN ln -fs /app/etc/nginx.conf /etc/nginx/sites-available/default && chown -R website /var/log/nginx

 USER website

@ -64,8 +64,6 @@ RUN SECRET_KEY=none python manage.py collectstatic --noinput --clear

 COPY ./etc/s6-rc.d /etc/s6-overlay/s6-rc.d

-# Become root at the last minute for s6
-USER root
 ENTRYPOINT [ "/init" ]

 # Just dev stuff
--- a/docker/dev/docker-compose.yml
+++ b/docker/dev/docker-compose.yml
@ -11,6 +11,8 @@ services:
      - DATABASE_URL=postgres://website:website@db/website
    volumes:
      - ../../:/app
+    tmpfs:
+      - /tmp
    depends_on:
      - redis
      - db
--- a/etc/nginx.conf
+++ b/etc/nginx.conf
@ -1,5 +1,11 @@
 proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=nginxcache:10m max_size=150m;

+client_body_temp_path /tmp/client_temp;
+proxy_temp_path /tmp/proxy_temp_path;
+fastcgi_temp_path /tmp/fastcgi_temp;
+uwsgi_temp_path /tmp/uwsgi_temp;
+scgi_temp_path /tmp/scgi_temp;
+
 server {
  listen 8000;

--- a/etc/s6-rc.d/django/run
+++ b/etc/s6-rc.d/django/run
@ -4,4 +4,4 @@ set -e

 cd /app

-exec s6-setuidgid website gunicorn -c etc/gunicorn.conf.py
+exec gunicorn -c etc/gunicorn.conf.py
--- a/etc/s6-rc.d/migrate/up
+++ b/etc/s6-rc.d/migrate/up
@ -1 +1 @@
-s6-setuidgid website with-contenv bash -c "cd /app && python manage.py migrate --noinput"
+with-contenv bash -c "cd /app && python manage.py migrate --noinput"
--- a/etc/s6-rc.d/nginx/run
+++ b/etc/s6-rc.d/nginx/run
@ -2,6 +2,4 @@

 set -e

-cd /app
-
 exec nginx -g "daemon off;"
--- a/etc/s6-rc.d/rq/run
+++ b/etc/s6-rc.d/rq/run
@ -4,4 +4,4 @@ set -e

 cd /app

-exec s6-setuidgid website python manage.py rqworker --with-scheduler
+exec python manage.py rqworker --with-scheduler
--- a/4
+++ b/4
@ -9,7 +9,7 @@ DEV_COMPOSE := justfile_directory() + "/docker/dev/docker-compose.yml"
 build:
  docker-compose -f {{ DEV_COMPOSE }} pull
  docker-compose -f {{ DEV_COMPOSE }} build
-  docker-compose -f {{ DEV_COMPOSE }} run --user=website --rm --no-deps web -c "npm ci"
+  docker-compose -f {{ DEV_COMPOSE }} run --entrypoint=bash --rm --no-deps web -c "npm ci"

@compose +ARGS:
  docker-compose -f {{ DEV_COMPOSE }} {{ ARGS }}
@ -50,7 +50,7 @@ lint_python:

@sh:
  docker-compose -f {{ DEV_COMPOSE }} up -d
-  docker-compose -f {{ DEV_COMPOSE }} exec --user=website web bash
+  docker-compose -f {{ DEV_COMPOSE }} exec web bash

@down:
  docker-compose -f {{ DEV_COMPOSE }} down