[sso-admin] Change container not to run as root

mejoras_instalacion
Evilham 2022-08-01 11:51:09 +02:00
parent c19ff6cd8d
commit 7bf216ef69
No known key found for this signature in database
GPG Key ID: AE3EE30D970886BF
5 changed files with 26 additions and 46 deletions

3
dd-sso/.gitignore vendored
View File

@ -6,9 +6,6 @@ docker-compose.yml
**/custom.yaml
**/system.yaml
admin/src/node_modules
admin/src/admin/node_modules/
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]

View File

@ -20,6 +20,9 @@
FROM alpine:3.12.0 as production
MAINTAINER isard <info@isardvdi.com>
# Ensure python dependencies
COPY admin/docker/requirements.pip3 /requirements.pip3
RUN apk add python3 py3-pip py3-pyldap~=3.2.0
RUN pip3 install --upgrade pip
RUN apk add --no-cache --virtual .build_deps \
@ -27,37 +30,19 @@ RUN apk add --no-cache --virtual .build_deps \
python3-dev \
libffi-dev \
gcc python3-dev linux-headers musl-dev postgresql-dev
COPY admin/docker/requirements.pip3 /requirements.pip3
RUN pip3 install --no-cache-dir -r requirements.pip3
RUN apk del .build_deps
RUN apk add --no-cache curl py3-yaml yarn libpq openssl py3-pillow
# Add catalan words list (issue with newer diceweare)
RUN wget -O /usr/lib/python3.8/site-packages/diceware/wordlists/wordlist_cat_ascii.txt https://raw.githubusercontent.com/1ma/diceware-cat/master/cat-wordlist-ascii.txt
# SSH configuration
# ARG SSH_ROOT_PWD
# RUN apk add openssh
# RUN echo "root:$SSH_ROOT_PWD" |chpasswd
# RUN sed -i \
# -e 's|[#]*PermitRootLogin prohibit-password|PermitRootLogin yes|g' \
# -e 's|[#]*PasswordAuthentication yes|PasswordAuthentication yes|g' \
# -e 's|[#]*ChallengeResponseAuthentication yes|ChallengeResponseAuthentication yes|g' \
# -e 's|[#]*UsePAM yes|UsePAM yes|g' \
# -e 's|[#]#Port 22|Port 22|g' \
# /etc/ssh/sshd_config
# Let's test 0.26.1 python-keycloak version
# RUN apk add --no-cache git && \
# git clone -b delete_realm_roles https://github.com/isard-vdi/python-keycloak.git && \
# cd python-keycloak && \
# python3 setup.py install && \
# apk del git
# Add code and entrypoint
COPY admin/src /admin
RUN cd /admin/admin && yarn install
COPY admin/docker/run.sh /run.sh
#EXPOSE 7039
# Ensure node dependencies
RUN cd /admin/admin && HOME=/tmp su -s /bin/sh -m nobody -c "yarn install"
CMD [ "/run.sh" ]

View File

@ -18,13 +18,14 @@
# along with DD. If not, see <https://www.gnu.org/licenses/>.
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# ssh-keygen -A
## Only in development
cd /admin/admin
yarn install
## End Only in development
# We possibly need to fix bad old permissions
chown -R nobody:nogroup \
/admin/custom \
/admin/moodledata/saml2 /admin/saml_certs \
"${DATA_FOLDER}" \
"${LEGAL_PATH}"
cd /admin
export PYTHONWARNINGS="ignore:Unverified HTTPS request"
python3 start.py
#&
# /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config
exec su -s /bin/sh -m nobody -c 'python3 start.py'

View File

@ -73,6 +73,7 @@ class AdminFlaskApp(Flask):
custom_dir: str
data_dir: str
domain : str
node_modules_dir : str
ready: bool = False
def __init__(self, *args: Any, **kwargs: Any):
@ -141,6 +142,7 @@ class AdminFlaskApp(Flask):
try:
self.data_dir = os.environ.get("DATA_FOLDER", ".")
self.custom_dir = os.environ.get("CUSTOM_FOLDER", ".")
self.node_modules_dir = os.environ.get("NODE_MODULES_FOLDER", "node_modules")
# Handle secrets like Flask's session key
secret_key_file = os.path.join(self.secrets_dir, "secret_key")
if not os.path.exists(self.secrets_dir):
@ -202,19 +204,19 @@ class AdminFlaskApp(Flask):
@self.route("/build/<path:path>")
def send_build(path: str) -> Response:
return send_from_directory(
os.path.join(self.root_path, "node_modules/gentelella/build"), path
os.path.join(self.node_modules_dir, "gentelella/build"), path
)
@self.route("/vendors/<path:path>")
def send_vendors(path: str) -> Response:
return send_from_directory(
os.path.join(self.root_path, "node_modules/gentelella/vendors"), path
os.path.join(self.node_modules_dir, "gentelella/vendors"), path
)
@self.route("/node_modules/<path:path>")
def send_nodes(path: str) -> Response:
return send_from_directory(
os.path.join(self.root_path, "node_modules"), path
self.node_modules_dir, path
)
@self.route("/templates/<path:path>")

View File

@ -25,20 +25,14 @@ services:
context: ${BUILD_SSO_ROOT_PATH}
dockerfile: admin/docker/Dockerfile
target: production
# args: ## DEVELOPMENT
# SSH_ROOT_PWD: ${IPA_ADMIN_PWD}
# SSH_PORT: 2022
networks:
- dd_net
# ports:
# - "2022:22"
# - "9000:9000"
restart: unless-stopped
volumes:
- /etc/localtime:/etc/localtime:ro
- ${BUILD_SSO_ROOT_PATH}/admin/src:/admin # Revome in production
- ${BUILD_SSO_ROOT_PATH}/admin/src:/admin:ro
- ${BUILD_SSO_ROOT_PATH}/init/keycloak/jsons:/admin/keycloak-init:ro
- ${CUSTOM_PATH}/custom:/admin/custom
- ${CUSTOM_PATH}/custom:/admin/custom:rw
- ${DATA_FOLDER}/avatars:/admin/avatars:ro
- ${DATA_FOLDER}/moodle/saml2:/admin/moodledata/saml2:rw
- ${DATA_FOLDER}/saml_certs:/admin/saml_certs:rw
@ -52,3 +46,4 @@ services:
- MANAGED_EMAIL_DOMAIN=${MANAGED_EMAIL_DOMAIN}
- DATA_FOLDER=/data
- CUSTOM_FOLDER=/admin/custom
- LEGAL_PATH=/admin/admin/static/templates/pages/legal