[sso-admin] Change container not to run as root
parent
c19ff6cd8d
commit
7bf216ef69
|
@ -6,9 +6,6 @@ docker-compose.yml
|
|||
**/custom.yaml
|
||||
**/system.yaml
|
||||
|
||||
admin/src/node_modules
|
||||
admin/src/admin/node_modules/
|
||||
|
||||
# Byte-compiled / optimized / DLL files
|
||||
__pycache__/
|
||||
*.py[cod]
|
||||
|
|
|
@ -20,6 +20,9 @@
|
|||
FROM alpine:3.12.0 as production
|
||||
MAINTAINER isard <info@isardvdi.com>
|
||||
|
||||
# Ensure python dependencies
|
||||
COPY admin/docker/requirements.pip3 /requirements.pip3
|
||||
|
||||
RUN apk add python3 py3-pip py3-pyldap~=3.2.0
|
||||
RUN pip3 install --upgrade pip
|
||||
RUN apk add --no-cache --virtual .build_deps \
|
||||
|
@ -27,37 +30,19 @@ RUN apk add --no-cache --virtual .build_deps \
|
|||
python3-dev \
|
||||
libffi-dev \
|
||||
gcc python3-dev linux-headers musl-dev postgresql-dev
|
||||
COPY admin/docker/requirements.pip3 /requirements.pip3
|
||||
RUN pip3 install --no-cache-dir -r requirements.pip3
|
||||
RUN apk del .build_deps
|
||||
|
||||
RUN apk add --no-cache curl py3-yaml yarn libpq openssl py3-pillow
|
||||
|
||||
# Add catalan words list (issue with newer diceweare)
|
||||
RUN wget -O /usr/lib/python3.8/site-packages/diceware/wordlists/wordlist_cat_ascii.txt https://raw.githubusercontent.com/1ma/diceware-cat/master/cat-wordlist-ascii.txt
|
||||
|
||||
# SSH configuration
|
||||
# ARG SSH_ROOT_PWD
|
||||
# RUN apk add openssh
|
||||
# RUN echo "root:$SSH_ROOT_PWD" |chpasswd
|
||||
# RUN sed -i \
|
||||
# -e 's|[#]*PermitRootLogin prohibit-password|PermitRootLogin yes|g' \
|
||||
# -e 's|[#]*PasswordAuthentication yes|PasswordAuthentication yes|g' \
|
||||
# -e 's|[#]*ChallengeResponseAuthentication yes|ChallengeResponseAuthentication yes|g' \
|
||||
# -e 's|[#]*UsePAM yes|UsePAM yes|g' \
|
||||
# -e 's|[#]#Port 22|Port 22|g' \
|
||||
# /etc/ssh/sshd_config
|
||||
|
||||
# Let's test 0.26.1 python-keycloak version
|
||||
# RUN apk add --no-cache git && \
|
||||
# git clone -b delete_realm_roles https://github.com/isard-vdi/python-keycloak.git && \
|
||||
# cd python-keycloak && \
|
||||
# python3 setup.py install && \
|
||||
# apk del git
|
||||
|
||||
# Add code and entrypoint
|
||||
COPY admin/src /admin
|
||||
RUN cd /admin/admin && yarn install
|
||||
|
||||
COPY admin/docker/run.sh /run.sh
|
||||
|
||||
#EXPOSE 7039
|
||||
CMD [ "/run.sh" ]
|
||||
# Ensure node dependencies
|
||||
RUN cd /admin/admin && HOME=/tmp su -s /bin/sh -m nobody -c "yarn install"
|
||||
|
||||
CMD [ "/run.sh" ]
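Review bot: The production stage still ends without a `USER` directive, so despite the commit title the container is started as root and only drops to `nobody` later, inside run.sh via `su`; everything before that `exec` (including any recursive chown of bind-mounted host data) keeps full root. If the startup ownership fix is needed, doing it at build time with `COPY --chown=nobody:nogroup admin/src /admin` and closing the stage with `USER nobody` lets the runtime never hold root at all. The new `RUN cd /admin/admin && HOME=/tmp su -s /bin/sh -m nobody -c "yarn install"` also needs `/admin/admin` to be writable by `nobody`, which a plain root-owned `COPY` does not give unless the source tree happens to be world-writable, so `COPY --chown` is the cleaner fix there too. Finally `nobody` is Alpine's shared catch-all account; a dedicated user with a fixed UID (`adduser -S -u 10001 -G ...`) gives the runtime a non-root identity that orchestrators can verify with `runAsNonRoot`.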
|
||||
|
|
|
@ -18,13 +18,14 @@
|
|||
# along with DD. If not, see <https://www.gnu.org/licenses/>.
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
# ssh-keygen -A
|
||||
## Only in development
|
||||
cd /admin/admin
|
||||
yarn install
|
||||
## End Only in development
|
||||
|
||||
# We possibly need to fix bad old permissions
|
||||
chown -R nobody:nogroup \
|
||||
/admin/custom \
|
||||
/admin/moodledata/saml2 /admin/saml_certs \
|
||||
"${DATA_FOLDER}" \
|
||||
"${LEGAL_PATH}"
|
||||
|
||||
cd /admin
|
||||
export PYTHONWARNINGS="ignore:Unverified HTTPS request"
|
||||
python3 start.py
|
||||
#&
|
||||
# /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config
|
||||
exec su -s /bin/sh -m nobody -c 'python3 start.py'
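Review bot: `chown -R nobody:nogroup ... "${DATA_FOLDER}" "${LEGAL_PATH}"` now runs as root on every container start over bind-mounted host directories, and if either variable is unset it passes an empty argument that chown only complains about, because no `set -e`/`set -u` is visible in the hunk (the script above line 18 is not shown). A guard at the top such as `set -eu` or `: "${DATA_FOLDER:?}" "${LEGAL_PATH:?}"` would make a misconfiguration fail loudly instead of starting the app with the wrong ownership. `nobody:nogroup` is also the shared catch-all account on Alpine, so any other container or host process running as nobody gets the same access to the SAML certificates now chowned to it; a dedicated UID is the usual fix. The final `exec su -s /bin/sh -m nobody -c 'python3 start.py'` preserves root's environment (`-m`), including `HOME=/root`, which nobody typically cannot read; setting `HOME=/tmp` as the Dockerfile already does for the build step, or using `su-exec`/`setpriv` so no shell sits between the init and python, would avoid that.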
|
||||
|
|
|
@ -73,6 +73,7 @@ class AdminFlaskApp(Flask):
|
|||
custom_dir: str
|
||||
data_dir: str
|
||||
domain : str
|
||||
node_modules_dir : str
|
||||
ready: bool = False
|
||||
|
||||
def __init__(self, *args: Any, **kwargs: Any):
|
||||
|
@ -141,6 +142,7 @@ class AdminFlaskApp(Flask):
|
|||
try:
|
||||
self.data_dir = os.environ.get("DATA_FOLDER", ".")
|
||||
self.custom_dir = os.environ.get("CUSTOM_FOLDER", ".")
|
||||
self.node_modules_dir = os.environ.get("NODE_MODULES_FOLDER", "node_modules")
|
||||
# Handle secrets like Flask's session key
|
||||
secret_key_file = os.path.join(self.secrets_dir, "secret_key")
|
||||
if not os.path.exists(self.secrets_dir):
|
||||
|
@ -202,19 +204,19 @@ class AdminFlaskApp(Flask):
|
|||
@self.route("/build/<path:path>")
|
||||
def send_build(path: str) -> Response:
|
||||
return send_from_directory(
|
||||
os.path.join(self.root_path, "node_modules/gentelella/build"), path
|
||||
os.path.join(self.node_modules_dir, "gentelella/build"), path
|
||||
)
|
||||
|
||||
@self.route("/vendors/<path:path>")
|
||||
def send_vendors(path: str) -> Response:
|
||||
return send_from_directory(
|
||||
os.path.join(self.root_path, "node_modules/gentelella/vendors"), path
|
||||
os.path.join(self.node_modules_dir, "gentelella/vendors"), path
|
||||
)
|
||||
|
||||
@self.route("/node_modules/<path:path>")
|
||||
def send_nodes(path: str) -> Response:
|
||||
return send_from_directory(
|
||||
os.path.join(self.root_path, "node_modules"), path
|
||||
self.node_modules_dir, path
|
||||
)
|
||||
|
||||
@self.route("/templates/<path:path>")
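Review bot: `self.node_modules_dir` replaces `os.path.join(self.root_path, "node_modules")` in the three routes above, but nothing records that a relative value (the default `node_modules`) is resolved by `send_from_directory` against the application's root path rather than the process working directory that run.sh sets with `cd /admin`, so the default only equals the old location while `root_path` is unchanged; a comment on the attribute or on `send_build` such as `# node_modules_dir: absolute, or relative to app.root_path (send_from_directory semantics), never the CWD` would save the next reader a trip to the Flask docs. Path containment is still enforced inside `send_from_directory`, so the change adds no traversal surface, though an absolute `NODE_MODULES_FOLDER` now decides which whole directory tree is exposed through `/node_modules/<path>` and deserves a line in the deployment docs. As a style point the repeated `os.path.join(self.node_modules_dir, ...)` could become one small helper, e.g. `self._node_path("gentelella/build")`, and `node_modules_dir : str` in the class body should be spelled `node_modules_dir: str` like the neighbouring annotations.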
|
||||
|
|
|
@ -25,20 +25,14 @@ services:
|
|||
context: ${BUILD_SSO_ROOT_PATH}
|
||||
dockerfile: admin/docker/Dockerfile
|
||||
target: production
|
||||
# args: ## DEVELOPMENT
|
||||
# SSH_ROOT_PWD: ${IPA_ADMIN_PWD}
|
||||
# SSH_PORT: 2022
|
||||
networks:
|
||||
- dd_net
|
||||
# ports:
|
||||
# - "2022:22"
|
||||
# - "9000:9000"
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
- ${BUILD_SSO_ROOT_PATH}/admin/src:/admin # Revome in production
|
||||
- ${BUILD_SSO_ROOT_PATH}/admin/src:/admin:ro
|
||||
- ${BUILD_SSO_ROOT_PATH}/init/keycloak/jsons:/admin/keycloak-init:ro
|
||||
- ${CUSTOM_PATH}/custom:/admin/custom
|
||||
- ${CUSTOM_PATH}/custom:/admin/custom:rw
|
||||
- ${DATA_FOLDER}/avatars:/admin/avatars:ro
|
||||
- ${DATA_FOLDER}/moodle/saml2:/admin/moodledata/saml2:rw
|
||||
- ${DATA_FOLDER}/saml_certs:/admin/saml_certs:rw
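Review bot: The `${BUILD_SSO_ROOT_PATH}/admin/src:/admin:ro` line appears to replace the earlier mount that was marked "Revome in production", so the host source tree now shadows the image's `/admin` in every deployment, including the `node_modules` the Dockerfile now installs at build time as `nobody`; unless `NODE_MODULES_FOLDER` points outside that mount (it is not set in the hunks shown), the image's copy is never served. Because the mount is read-only, any write under `/admin` fails with EROFS, and `LEGAL_PATH=/admin/admin/static/templates/pages/legal` from the environment hunk sits inside it unless another mount covers it, which would defeat the ownership fix run.sh attempts on that path. Either move the source bind mount to a development-only `docker-compose.override.yml` or add a comment stating why a read-only mount of the source tree is intended in production.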
|
||||
|
@ -52,3 +46,4 @@ services:
|
|||
- MANAGED_EMAIL_DOMAIN=${MANAGED_EMAIL_DOMAIN}
|
||||
- DATA_FOLDER=/data
|
||||
- CUSTOM_FOLDER=/admin/custom
|
||||
- LEGAL_PATH=/admin/admin/static/templates/pages/legal
|
||||
|
|