Run everything as non-root

This commit is contained in:
Jake Howard 2024-01-14 12:59:31 +00:00
parent f5a18fdca0
commit bbf7411f50
Signed by: jake
GPG key ID: 57AFB45680EDD477
8 changed files with 14 additions and 10 deletions


@ -43,7 +43,7 @@ ENV PATH=$VIRTUAL_ENV/bin:$PATH \
EXPOSE 8000 EXPOSE 8000
RUN ln -fs /app/etc/nginx.conf /etc/nginx/sites-available/default RUN ln -fs /app/etc/nginx.conf /etc/nginx/sites-available/default && chown -R website /var/log/nginx
USER website USER website
@ -64,8 +64,6 @@ RUN SECRET_KEY=none python manage.py collectstatic --noinput --clear
COPY ./etc/s6-rc.d /etc/s6-overlay/s6-rc.d COPY ./etc/s6-rc.d /etc/s6-overlay/s6-rc.d
# Become root at the last minute for s6
USER root
ENTRYPOINT [ "/init" ] ENTRYPOINT [ "/init" ]
# Just dev stuff # Just dev stuff
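Review bot: The non-root nginx master still has to write its pid file, and the `chown -R website /var/log/nginx` added on the `RUN ln -fs …` line does not cover that; if the base image ships Debian's nginx package, its main config points at `/run/nginx.pid`, and the site include linked here (`sites-available/default`) cannot override it because `pid` is a main-context directive. If that is the case, extend this RUN with `&& touch /run/nginx.pid && chown website /run/nginx.pid` (or set `pid /tmp/nginx.pid;` in a main-context config) so nginx starts under `USER website`. `chown -R website` also leaves the group unchanged; `chown -R website:website /var/log/nginx` keeps ownership consistent. The second hunk drops the `USER root` switch before `ENTRYPOINT [ "/init" ]`; s6-overlay documents extra conditions for running `/init` as a non-root user, so this is worth confirming against the s6-overlay version in use. The enclosing build stage continues outside both hunks.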


@ -11,6 +11,8 @@ services:
- DATABASE_URL=postgres://website:website@db/website - DATABASE_URL=postgres://website:website@db/website
volumes: volumes:
- ../../:/app - ../../:/app
tmpfs:
- /tmp
depends_on: depends_on:
- redis - redis
- db - db
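Review bot: The bare `- /tmp` tmpfs entry gets Docker's default mount options, so it has no size cap and is effectively bounded only by host memory, while the nginx config in this commit places a `max_size=150m` proxy cache plus every client-body and upstream temp file under `/tmp`. The long-form volume syntax (`type: tmpfs`, `target: /tmp`, with a `tmpfs: size:` option) lets a large upload or cache fill be bounded instead of competing with host RAM. This is the dev compose file only; the hunk does not show how `/tmp` is provided in the production deployment, which now also needs to be writable by the non-root nginx.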


@ -1,5 +1,11 @@
proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=nginxcache:10m max_size=150m; proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=nginxcache:10m max_size=150m;
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server { server {
listen 8000; listen 8000;
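Review bot: The added temp-path directives put request bodies and upstream buffers directly under `/tmp`, the same scratch directory the app processes in this container use, and the naming is inconsistent (`proxy_temp_path /tmp/proxy_temp_path;` against `client_temp`, `fastcgi_temp`, `scgi_temp`). Grouping them under one nginx-owned prefix, e.g. `client_body_temp_path /tmp/nginx/client_temp;` and the same prefix for the other four, keeps buffered request bodies out of a shared directory and makes the tmpfs added to the dev compose file easier to size; if nginx does not create the parent directory on its own, it would need creating in the Dockerfile alongside the existing chown step. A short comment above the block explaining that these paths exist because the package defaults under `/var/lib/nginx` are not writable by the non-root user would save the next reader from "fixing" them back.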


@ -4,4 +4,4 @@ set -e
cd /app cd /app
exec s6-setuidgid website gunicorn -c etc/gunicorn.conf.py exec gunicorn -c etc/gunicorn.conf.py
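Review bot: With `s6-setuidgid website` removed from the `exec gunicorn …` line, the privilege drop now rests entirely on the image's `USER website` instruction; a container started with `--user root` or a later Dockerfile change would silently run gunicorn as root, where the old script still dropped to `website`. If relying on the image user is the intent, a one-line guard after `set -e` keeps the property checkable: `[ "$(id -u)" -ne 0 ] || { echo "refusing to run as root" >&2; exit 1; }`. The same applies to the rqworker run script and the migrate oneshot changed in this commit.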


@ -1 +1 @@
s6-setuidgid website with-contenv bash -c "cd /app && python manage.py migrate --noinput" with-contenv bash -c "cd /app && python manage.py migrate --noinput"


@ -2,6 +2,4 @@
set -e set -e
cd /app
exec nginx -g "daemon off;" exec nginx -g "daemon off;"


@ -4,4 +4,4 @@ set -e
cd /app cd /app
exec s6-setuidgid website python manage.py rqworker --with-scheduler exec python manage.py rqworker --with-scheduler


@ -9,7 +9,7 @@ DEV_COMPOSE := justfile_directory() + "/docker/dev/docker-compose.yml"
build: build:
docker-compose -f {{ DEV_COMPOSE }} pull docker-compose -f {{ DEV_COMPOSE }} pull
docker-compose -f {{ DEV_COMPOSE }} build docker-compose -f {{ DEV_COMPOSE }} build
docker-compose -f {{ DEV_COMPOSE }} run --user=website --rm --no-deps web -c "npm ci" docker-compose -f {{ DEV_COMPOSE }} run --entrypoint=bash --rm --no-deps web -c "npm ci"
@compose +ARGS: @compose +ARGS:
docker-compose -f {{ DEV_COMPOSE }} {{ ARGS }} docker-compose -f {{ DEV_COMPOSE }} {{ ARGS }}
@ -50,7 +50,7 @@ lint_python:
@sh: @sh:
docker-compose -f {{ DEV_COMPOSE }} up -d docker-compose -f {{ DEV_COMPOSE }} up -d
docker-compose -f {{ DEV_COMPOSE }} exec --user=website web bash docker-compose -f {{ DEV_COMPOSE }} exec web bash
@down: @down:
docker-compose -f {{ DEV_COMPOSE }} down docker-compose -f {{ DEV_COMPOSE }} down