Dockerfile improvements (#2839)

* dockerfile improvements
DefectDojo · Sep 11, 2020 · 10a94e3 · 10a94e3
1 parent 683849a
commit 10a94e3
Show file tree

Hide file tree

Showing 8 changed files with 45 additions and 29 deletions.
diff --git a/Dockerfile.django b/Dockerfile.django
@@ -26,6 +26,9 @@ RUN pip3 wheel --wheel-dir=/tmp/wheels -r ./requirements.txt
 
 FROM python:3.6.12-slim-buster@sha256:09bb81730d8d3f1b208d9c5ba4be66747ef29323597bedab6404b884a016685d
 WORKDIR /app
+ARG uid=1001
+ARG appuser=defectdojo
+ENV appuser ${appuser}
 RUN \
   apt-get -y update && \
   # ugly fix to install postgresql-client without errors
@@ -75,11 +78,17 @@ COPY tests/ ./tests/
 RUN \
   mkdir -p dojo/migrations && \
   chmod g=u dojo/migrations && \
-  chmod g=u /var/run && \
   true
 USER root
-RUN chmod -R 0777 /app
-USER 1001
+RUN \
+    adduser --system --no-create-home --disabled-password --gecos '' \
+        --uid ${uid} ${appuser} && \
+    chown -R ${appuser} /app && \
+    chmod 0700 /app && \
+    chmod 0750 -R /app/* && \
+    mkdir /var/run/${appuser} && \
+    chown ${appuser} /var/run/${appuser}
+USER ${appuser}
 ENV \
   DD_ADMIN_USER=admin \
   DD_ADMIN_MAIL=admin@defectdojo.local \

diff --git a/Dockerfile.nginx b/Dockerfile.nginx
@@ -65,13 +65,16 @@ RUN \
   true
 
 FROM nginx:1.19.2-alpine@sha256:4635b632d2aaf8c37c8a1cf76a1f96d11b899f74caa2c6946ea56d0a5af02c0c
+ARG uid=1001
+ARG appuser=defectdojo
 COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/
 COPY wsgi_params nginx/nginx.conf nginx/nginx_TLS.conf /etc/nginx/
 COPY docker/entrypoint-nginx.sh /
 RUN \
   apk add --no-cache openssl && \
   chmod -R g=u /var/cache/nginx && \
-  chmod -R g=u /var/run && \
+  mkdir /var/run/defectdojo && \
+  chmod -R g=u /var/run/defectdojo && \
   mkdir -p /etc/nginx/ssl && \
   chmod -R g=u /etc/nginx && \
   true
@@ -84,6 +87,6 @@ ENV \
   NGINX_METRICS_ENABLED="false" \
   METRICS_HTTP_AUTH_USER="" \
   METRICS_HTTP_AUTH_PASSWORD=""
-USER 1001
+USER ${uid}
 EXPOSE 8080
 ENTRYPOINT ["/entrypoint-nginx.sh"]
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -2,13 +2,13 @@
 version: '3.7'
 services:
   nginx:
-    build: 
+    build:
       context: ./
       dockerfile: Dockerfile.nginx
     image: defectdojo/defectdojo-nginx:${NGINX_VERSION:-latest}
     depends_on:
       - uwsgi
-    environment: 
+    environment:
       NGINX_METRICS_ENABLED: ${NGINX_METRICS_ENABLED:-false}
     ports:
       - target: ${DD_PORT:-8080}
@@ -20,7 +20,7 @@ services:
         protocol: tcp
         mode: host
   uwsgi:
-    build: 
+    build:
       context: ./
       dockerfile: Dockerfile.django
     image: defectdojo/defectdojo-django:${DJANGO_VERSION:-latest}
@@ -38,6 +38,8 @@ services:
       DD_CREDENTIAL_AES_256_KEY: ${DD_CREDENTIAL_AES_256_KEY:-&91a*agLqesc*0DJ+2*bAbsUZfR*4nLw}
   celerybeat:
     image: defectdojo/defectdojo-django:latest
+    # needed to run as root, in order to drop privileges on celery. what's worst?
+    user: root
     depends_on:
       - mysql
       - rabbitmq

diff --git a/docker/entrypoint-celery-beat.sh b/docker/entrypoint-celery-beat.sh
@@ -1,7 +1,8 @@
 #!/bin/sh
-
 umask 0002
 
+id
+
 echo -n "Waiting for database to be reachable "
 until echo "select 1;" | python3 manage.py dbshell > /dev/null
 do
@@ -10,7 +11,8 @@ do
 done
 echo
 
-C_FORCE_ROOT=true exec celery \
+exec celery beat \
   --app=dojo \
-  beat \
-  --pidfile=/run/celery-beat.pid
+  --pidfile=/var/run/defectdojo/celery-beat.pid \
+  --schedule=/var/run/defectdojo/celerybeat-schedule \
+  --uid=${appuser}
diff --git a/docker/entrypoint-celery-worker.sh b/docker/entrypoint-celery-worker.sh
@@ -1,7 +1,8 @@
 #!/bin/sh
-
 umask 0002
 
+id
+
 echo -n "Waiting for database to be reachable "
 until echo "select 1;" | python3 manage.py dbshell > /dev/null
 do
@@ -10,9 +11,8 @@ do
 done
 echo
 
-C_FORCE_ROOT=true exec celery \
-  --app=dojo \
-  worker \
-  --loglevel="${DD_CELERY_LOG_LEVEL}" \
-  --pool=solo \
-  --concurrency=1
+exec celery worker \
+    --app=dojo \
+    --loglevel="${DD_CELERY_LOG_LEVEL}" \
+    --pool=solo \
+    --concurrency=1
diff --git a/docker/entrypoint-nginx.sh b/docker/entrypoint-nginx.sh
@@ -32,7 +32,7 @@ else
   echo "Basic auth is off (HTTP_AUTH_PASSWORD not provided)"
 fi
 
-echo "uwsgi_pass ${DD_UWSGI_PASS};" > /run/uwsgi_pass
-echo "server ${DD_UWSGI_HOST}:${DD_UWSGI_PORT};" > /run/uwsgi_server
+echo "uwsgi_pass ${DD_UWSGI_PASS};" > /run/defectdojo/uwsgi_pass
+echo "server ${DD_UWSGI_HOST}:${DD_UWSGI_PORT};" > /run/defectdojo/uwsgi_server
 
 exec nginx -c $NGINX_CONFIG -g "daemon off;"
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -1,6 +1,6 @@
 worker_processes 1;
 error_log /var/log/nginx/error.log warn;
-pid /var/run/nginx.pid;
+pid /var/run/defectdojo/nginx.pid;
 events {
   worker_connections  1024;
 }
@@ -15,7 +15,7 @@ http {
   sendfile on;
   keepalive_timeout 65;
   upstream uwsgi_server {
-    include /run/uwsgi_server;
+    include /run/defectdojo/uwsgi_server;
   }
   server {
     listen 8080;
@@ -29,7 +29,7 @@ http {
         alias /usr/share/nginx/html/media;
     }
     location / {
-      include /run/uwsgi_pass;
+      include /run/defectdojo/uwsgi_pass;
       include /etc/nginx/wsgi_params;
       uwsgi_read_timeout 1800;
     }
@@ -38,7 +38,7 @@ http {
       # variables METRICS_HTTP_AUTH_USER and METRICS_HTTP_AUTH_PASSWORD
       #auth_basic "Metrics";
       #auth_basic_user_file /etc/nginx/.htpasswd;
-      include /run/uwsgi_pass;
+      include /run/defectdojo/uwsgi_pass;
       include /etc/nginx/wsgi_params;
       uwsgi_read_timeout 1800;
     }

diff --git a/nginx/nginx_TLS.conf b/nginx/nginx_TLS.conf
@@ -1,6 +1,6 @@
 worker_processes 1;
 error_log /var/log/nginx/error.log warn;
-pid /var/run/nginx.pid;
+pid /var/run/defectdojo/nginx.pid;
 events {
     worker_connections    32;
 }
@@ -16,7 +16,7 @@ http {
   sendfile on;
   keepalive_timeout 65;
   upstream uwsgi_server {
-    include /run/uwsgi_server;
+    include /run/defectdojo/uwsgi_server;
   }
   server {
       listen 8080;
@@ -69,7 +69,7 @@ http {
       # variables METRICS_HTTP_AUTH_USER and METRICS_HTTP_AUTH_PASSWORD
       #auth_basic "Metrics";
       #auth_basic_user_file /etc/nginx/.htpasswd;
-      include /run/uwsgi_pass;
+      include /run/defectdojo/uwsgi_pass;
       include /etc/nginx/wsgi_params;
       uwsgi_read_timeout 1800;
 
@@ -115,4 +115,4 @@ http {
     }
     error_page 500 502 503 504 /50x.html;
   }
-}
+}