[sso-admin] Change container not to run as root
parent
c19ff6cd8d
commit
7bf216ef69
|
@ -6,9 +6,6 @@ docker-compose.yml
|
||||||
**/custom.yaml
|
**/custom.yaml
|
||||||
**/system.yaml
|
**/system.yaml
|
||||||
|
|
||||||
admin/src/node_modules
|
|
||||||
admin/src/admin/node_modules/
|
|
||||||
|
|
||||||
# Byte-compiled / optimized / DLL files
|
# Byte-compiled / optimized / DLL files
|
||||||
__pycache__/
|
__pycache__/
|
||||||
*.py[cod]
|
*.py[cod]
|
||||||
|
|
|
@ -20,6 +20,9 @@
|
||||||
FROM alpine:3.12.0 as production
|
FROM alpine:3.12.0 as production
|
||||||
MAINTAINER isard <info@isardvdi.com>
|
MAINTAINER isard <info@isardvdi.com>
|
||||||
|
|
||||||
|
# Ensure python dependencies
|
||||||
|
COPY admin/docker/requirements.pip3 /requirements.pip3
|
||||||
|
|
||||||
RUN apk add python3 py3-pip py3-pyldap~=3.2.0
|
RUN apk add python3 py3-pip py3-pyldap~=3.2.0
|
||||||
RUN pip3 install --upgrade pip
|
RUN pip3 install --upgrade pip
|
||||||
RUN apk add --no-cache --virtual .build_deps \
|
RUN apk add --no-cache --virtual .build_deps \
|
||||||
|
@ -27,37 +30,19 @@ RUN apk add --no-cache --virtual .build_deps \
|
||||||
python3-dev \
|
python3-dev \
|
||||||
libffi-dev \
|
libffi-dev \
|
||||||
gcc python3-dev linux-headers musl-dev postgresql-dev
|
gcc python3-dev linux-headers musl-dev postgresql-dev
|
||||||
COPY admin/docker/requirements.pip3 /requirements.pip3
|
|
||||||
RUN pip3 install --no-cache-dir -r requirements.pip3
|
RUN pip3 install --no-cache-dir -r requirements.pip3
|
||||||
RUN apk del .build_deps
|
RUN apk del .build_deps
|
||||||
|
|
||||||
RUN apk add --no-cache curl py3-yaml yarn libpq openssl py3-pillow
|
RUN apk add --no-cache curl py3-yaml yarn libpq openssl py3-pillow
|
||||||
|
|
||||||
|
# Add catalan words list (issue with newer diceweare)
|
||||||
RUN wget -O /usr/lib/python3.8/site-packages/diceware/wordlists/wordlist_cat_ascii.txt https://raw.githubusercontent.com/1ma/diceware-cat/master/cat-wordlist-ascii.txt
|
RUN wget -O /usr/lib/python3.8/site-packages/diceware/wordlists/wordlist_cat_ascii.txt https://raw.githubusercontent.com/1ma/diceware-cat/master/cat-wordlist-ascii.txt
|
||||||
|
|
||||||
# SSH configuration
|
# Add code and entrypoint
|
||||||
# ARG SSH_ROOT_PWD
|
|
||||||
# RUN apk add openssh
|
|
||||||
# RUN echo "root:$SSH_ROOT_PWD" |chpasswd
|
|
||||||
# RUN sed -i \
|
|
||||||
# -e 's|[#]*PermitRootLogin prohibit-password|PermitRootLogin yes|g' \
|
|
||||||
# -e 's|[#]*PasswordAuthentication yes|PasswordAuthentication yes|g' \
|
|
||||||
# -e 's|[#]*ChallengeResponseAuthentication yes|ChallengeResponseAuthentication yes|g' \
|
|
||||||
# -e 's|[#]*UsePAM yes|UsePAM yes|g' \
|
|
||||||
# -e 's|[#]#Port 22|Port 22|g' \
|
|
||||||
# /etc/ssh/sshd_config
|
|
||||||
|
|
||||||
# Let's test 0.26.1 python-keycloak version
|
|
||||||
# RUN apk add --no-cache git && \
|
|
||||||
# git clone -b delete_realm_roles https://github.com/isard-vdi/python-keycloak.git && \
|
|
||||||
# cd python-keycloak && \
|
|
||||||
# python3 setup.py install && \
|
|
||||||
# apk del git
|
|
||||||
|
|
||||||
COPY admin/src /admin
|
COPY admin/src /admin
|
||||||
RUN cd /admin/admin && yarn install
|
|
||||||
|
|
||||||
COPY admin/docker/run.sh /run.sh
|
COPY admin/docker/run.sh /run.sh
|
||||||
|
|
||||||
#EXPOSE 7039
|
# Ensure node dependencies
|
||||||
|
RUN cd /admin/admin && HOME=/tmp su -s /bin/sh -m nobody -c "yarn install"
|
||||||
|
|
||||||
CMD [ "/run.sh" ]
|
CMD [ "/run.sh" ]
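Review bot: `RUN cd /admin/admin && HOME=/tmp su -s /bin/sh -m nobody -c "yarn install"` runs yarn as `nobody` inside a tree that `COPY admin/src /admin` created as root, so unless the copied sources happen to be world-writable, creating `node_modules` and `yarn.lock` there fails and the build step errors out. Copy with ownership instead, `COPY --chown=nobody:nogroup admin/src /admin` (matching the group run.sh settles on), and replace the `cd` with `WORKDIR /admin/admin` (hadolint DL3003). The stage still ends without a `USER` line, which appears to be deliberate: the container starts as root so run.sh can fix ownership on the mounted directories before dropping to nobody, and that deserves a comment above `CMD`, e.g. `# Starts as root on purpose: run.sh chowns the mounted data dirs, then su's to nobody`. The same `su -m` idiom is used in run.sh in this commit, so the two should stay in sync if either changes.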
|
|
@ -18,13 +18,14 @@
|
||||||
# along with DD. If not, see <https://www.gnu.org/licenses/>.
|
# along with DD. If not, see <https://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
# ssh-keygen -A
|
|
||||||
## Only in development
|
# We possibly need to fix bad old permissions
|
||||||
cd /admin/admin
|
chown -R nobody:nogroup \
|
||||||
yarn install
|
/admin/custom \
|
||||||
## End Only in development
|
/admin/moodledata/saml2 /admin/saml_certs \
|
||||||
|
"${DATA_FOLDER}" \
|
||||||
|
"${LEGAL_PATH}"
|
||||||
|
|
||||||
cd /admin
|
cd /admin
|
||||||
export PYTHONWARNINGS="ignore:Unverified HTTPS request"
|
export PYTHONWARNINGS="ignore:Unverified HTTPS request"
|
||||||
python3 start.py
|
exec su -s /bin/sh -m nobody -c 'python3 start.py'
|
||||||
#&
|
|
||||||
# /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config
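Review bot: `chown -R nobody:nogroup … "${DATA_FOLDER}" "${LEGAL_PATH}"` runs on every start with neither variable checked and no `set -e`; if one of them is unset the quoted empty argument makes chown fail, and because the script keeps going, `start.py` is still launched as nobody on directories it cannot write. Guard both first, `: "${DATA_FOLDER:?DATA_FOLDER is required}"` and `: "${LEGAL_PATH:?LEGAL_PATH is required}"`, and enable `set -e` at the top of the script (the script header is outside this hunk). The `-R` over the whole `${DATA_FOLDER}` also re-owns everything under the data volume on each boot, which presumably includes paths other mounts expose read-only, where chown will report errors — scoping it to the subdirectories the app actually writes would be safer. Note too that `exec su -s /bin/sh -m nobody -c 'python3 start.py'` keeps root's full environment (HOME included) for the nobody process because of `-m`; if only `PYTHONWARNINGS` needs to carry over, it may be cleaner to pass it explicitly.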
|
|
||||||
|
|
|
@ -73,6 +73,7 @@ class AdminFlaskApp(Flask):
|
||||||
custom_dir: str
|
custom_dir: str
|
||||||
data_dir: str
|
data_dir: str
|
||||||
domain : str
|
domain : str
|
||||||
|
node_modules_dir : str
|
||||||
ready: bool = False
|
ready: bool = False
|
||||||
|
|
||||||
def __init__(self, *args: Any, **kwargs: Any):
|
def __init__(self, *args: Any, **kwargs: Any):
|
||||||
|
@ -141,6 +142,7 @@ class AdminFlaskApp(Flask):
|
||||||
try:
|
try:
|
||||||
self.data_dir = os.environ.get("DATA_FOLDER", ".")
|
self.data_dir = os.environ.get("DATA_FOLDER", ".")
|
||||||
self.custom_dir = os.environ.get("CUSTOM_FOLDER", ".")
|
self.custom_dir = os.environ.get("CUSTOM_FOLDER", ".")
|
||||||
|
self.node_modules_dir = os.environ.get("NODE_MODULES_FOLDER", "node_modules")
|
||||||
# Handle secrets like Flask's session key
|
# Handle secrets like Flask's session key
|
||||||
secret_key_file = os.path.join(self.secrets_dir, "secret_key")
|
secret_key_file = os.path.join(self.secrets_dir, "secret_key")
|
||||||
if not os.path.exists(self.secrets_dir):
|
if not os.path.exists(self.secrets_dir):
|
||||||
|
@ -202,19 +204,19 @@ class AdminFlaskApp(Flask):
|
||||||
@self.route("/build/<path:path>")
|
@self.route("/build/<path:path>")
|
||||||
def send_build(path: str) -> Response:
|
def send_build(path: str) -> Response:
|
||||||
return send_from_directory(
|
return send_from_directory(
|
||||||
os.path.join(self.root_path, "node_modules/gentelella/build"), path
|
os.path.join(self.node_modules_dir, "gentelella/build"), path
|
||||||
)
|
)
|
||||||
|
|
||||||
@self.route("/vendors/<path:path>")
|
@self.route("/vendors/<path:path>")
|
||||||
def send_vendors(path: str) -> Response:
|
def send_vendors(path: str) -> Response:
|
||||||
return send_from_directory(
|
return send_from_directory(
|
||||||
os.path.join(self.root_path, "node_modules/gentelella/vendors"), path
|
os.path.join(self.node_modules_dir, "gentelella/vendors"), path
|
||||||
)
|
)
|
||||||
|
|
||||||
@self.route("/node_modules/<path:path>")
|
@self.route("/node_modules/<path:path>")
|
||||||
def send_nodes(path: str) -> Response:
|
def send_nodes(path: str) -> Response:
|
||||||
return send_from_directory(
|
return send_from_directory(
|
||||||
os.path.join(self.root_path, "node_modules"), path
|
self.node_modules_dir, path
|
||||||
)
|
)
|
||||||
|
|
||||||
@self.route("/templates/<path:path>")
|
@self.route("/templates/<path:path>")
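Review bot: `self.node_modules_dir = os.environ.get("NODE_MODULES_FOLDER", "node_modules")` (hunk at -141) defaults to a relative path, whereas the routes it replaces built `os.path.join(self.root_path, "node_modules")`; whether `send_from_directory` resolves a relative directory against `root_path` or the process cwd depends on the Flask version, so the default may silently change where `/build/`, `/vendors/` and `/node_modules/` are served from. Anchoring the default preserves the old behaviour: `self.node_modules_dir = os.environ.get("NODE_MODULES_FOLDER", os.path.join(self.root_path, "node_modules"))`, assuming `root_path` is already initialised at that point, which the hunk does not show. Because this directory is served verbatim to any client, the new attribute should say so, e.g. `# Directory served under /build, /vendors and /node_modules; point it only at the frontend packages`. The compose hunks in this commit do not set NODE_MODULES_FOLDER and they bind-mount `/admin` read-only over the image's `/admin/admin/node_modules`, so the default is presumably what runs unless it is set elsewhere.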
|
||||||
|
|
|
@ -25,20 +25,14 @@ services:
|
||||||
context: ${BUILD_SSO_ROOT_PATH}
|
context: ${BUILD_SSO_ROOT_PATH}
|
||||||
dockerfile: admin/docker/Dockerfile
|
dockerfile: admin/docker/Dockerfile
|
||||||
target: production
|
target: production
|
||||||
# args: ## DEVELOPMENT
|
|
||||||
# SSH_ROOT_PWD: ${IPA_ADMIN_PWD}
|
|
||||||
# SSH_PORT: 2022
|
|
||||||
networks:
|
networks:
|
||||||
- dd_net
|
- dd_net
|
||||||
# ports:
|
|
||||||
# - "2022:22"
|
|
||||||
# - "9000:9000"
|
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
volumes:
|
volumes:
|
||||||
- /etc/localtime:/etc/localtime:ro
|
- /etc/localtime:/etc/localtime:ro
|
||||||
- ${BUILD_SSO_ROOT_PATH}/admin/src:/admin # Revome in production
|
- ${BUILD_SSO_ROOT_PATH}/admin/src:/admin:ro
|
||||||
- ${BUILD_SSO_ROOT_PATH}/init/keycloak/jsons:/admin/keycloak-init:ro
|
- ${BUILD_SSO_ROOT_PATH}/init/keycloak/jsons:/admin/keycloak-init:ro
|
||||||
- ${CUSTOM_PATH}/custom:/admin/custom
|
- ${CUSTOM_PATH}/custom:/admin/custom:rw
|
||||||
- ${DATA_FOLDER}/avatars:/admin/avatars:ro
|
- ${DATA_FOLDER}/avatars:/admin/avatars:ro
|
||||||
- ${DATA_FOLDER}/moodle/saml2:/admin/moodledata/saml2:rw
|
- ${DATA_FOLDER}/moodle/saml2:/admin/moodledata/saml2:rw
|
||||||
- ${DATA_FOLDER}/saml_certs:/admin/saml_certs:rw
|
- ${DATA_FOLDER}/saml_certs:/admin/saml_certs:rw
|
||||||
|
@ -52,3 +46,4 @@ services:
|
||||||
- MANAGED_EMAIL_DOMAIN=${MANAGED_EMAIL_DOMAIN}
|
- MANAGED_EMAIL_DOMAIN=${MANAGED_EMAIL_DOMAIN}
|
||||||
- DATA_FOLDER=/data
|
- DATA_FOLDER=/data
|
||||||
- CUSTOM_FOLDER=/admin/custom
|
- CUSTOM_FOLDER=/admin/custom
|
||||||
|
- LEGAL_PATH=/admin/admin/static/templates/pages/legal
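Review bot: `LEGAL_PATH=/admin/admin/static/templates/pages/legal` points inside `/admin`, which the volumes hunk above now mounts read-only (`…/admin/src:/admin:ro`), yet run.sh in this commit runs `chown -R nobody:nogroup "${LEGAL_PATH}"` on it; on a read-only bind mount that chown fails, and any writes the app makes there fail too, unless a volume not shown here mounts that path rw. `/admin/custom` survives the read-only parent only because it gets its own `:rw` mount, so the same pattern applies: add an explicit volume for the legal pages (constructed example: `- ${DATA_FOLDER}/legal:/admin/admin/static/templates/pages/legal:rw`) or move LEGAL_PATH under the data volume. A short comment on the `:ro` line recording that every path the app writes needs its own `:rw` mount would keep the next volume addition honest.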
|
||||||
|
|