Security - Backend - wolfi container base image with support for rootless user

packages/.dockerignore

@@ -1,4 +1,9 @@
+**/*.pyc
+
 grid/data
 grid/packer
 grid/.devspace
-syftcli
+syftcli
+
+syft/tests
+syft/README.md

packages/grid/backend/backend.dockerfile

@@ -1,65 +1,75 @@
-ARG PYTHON_VERSION='3.11'
+ARG PYTHON_VERSION="3.11"
+ARG TZ="Etc/UTC"
+ARG SYFT_WORKDIR="/home/nonroot/app"
+ARG NONROOT_UG="nonroot:nonroot"
 
-FROM python:3.11-slim as build
+# ==================== [BUILD STEP] Python Dev Base ==================== #
 
-# set UTC timezone
-ENV TZ=Etc/UTC
-RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+FROM cgr.dev/chainguard/wolfi-base as python_dev
 
-RUN mkdir -p /root/.local
+ARG PYTHON_VERSION
+ARG TZ
 
-RUN apt-get update && apt-get upgrade -y
-RUN --mount=type=cache,sharing=locked,target=/var/cache/apt \
-    DEBIAN_FRONTEND=noninteractive \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-    curl python3-dev gcc make build-essential cmake git
+# Setup Python DEV
+RUN apk update && \
+    apk add build-base gcc tzdata python-$PYTHON_VERSION-dev py$PYTHON_VERSION-pip && \
+    ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
 
-RUN --mount=type=cache,target=/root/.cache \
-    pip install -U pip
+# ==================== [BUILD STEP] Install Syft Dependency ==================== #
 
-#install jupyterlab
-RUN --mount=type=cache,target=/root/.cache \
-    pip install --user jupyterlab
+FROM python_dev as syft_deps
 
-WORKDIR /app
+ARG SYFT_WORKDIR
+ARG NONROOT_UG
 
-# Backend
-FROM python:$PYTHON_VERSION-slim as backend
-RUN apt-get update && apt-get upgrade -y
-COPY --from=build /root/.local /root/.local
+USER nonroot
+WORKDIR $SYFT_WORKDIR
+ENV PATH=$PATH:/home/nonroot/.local/bin
 
-ENV PYTHONPATH=/app
-ENV PATH=/root/.local/bin:$PATH
+# copy skeleton to do package install
+COPY --chown=$NONROOT_UG syft/setup.py ./syft/setup.py
+COPY --chown=$NONROOT_UG syft/setup.cfg ./syft/setup.cfg
+COPY --chown=$NONROOT_UG syft/pyproject.toml ./syft/pyproject.toml
+COPY --chown=$NONROOT_UG syft/MANIFEST.in ./syft/MANIFEST.in
+COPY --chown=$NONROOT_UG syft/src/syft/VERSION ./syft/src/syft/VERSION
+COPY --chown=$NONROOT_UG syft/src/syft/capnp ./syft/src/syft/capnp
+
+# Install all dependencies together here to avoid any version conflicts across pkgs
+RUN --mount=type=cache,target=/home/nonroot/.cache/,rw,uid=65532 \
+    pip install --user pip-autoremove jupyterlab==4.0.7 -e ./syft/ && \
+    pip-autoremove ansible ansible-core -y
+
+# ==================== [Final] Setup Syft Server ==================== #
+
+FROM cgr.dev/chainguard/wolfi-base as backend
+
+# inherit from global
+ARG PYTHON_VERSION
+ARG TZ
+ARG SYFT_WORKDIR
+ARG NONROOT_UG
 
-RUN --mount=type=cache,target=/root/.cache \
-    pip install -U pip
+# Setup Python
+RUN apk update && \
+    apk add --no-cache tzdata bash python-$PYTHON_VERSION py$PYTHON_VERSION-pip && \
+    ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \
+    rm -rf /var/cache/apk/*
 
-WORKDIR /app
+USER nonroot
+WORKDIR $SYFT_WORKDIR
+
+# Update environment variables
+ENV PATH=$PATH:/home/nonroot/.local/bin \
+    PYTHONPATH=$SYFT_WORKDIR \
+    APPDIR=$SYFT_WORKDIR
+
+# Copy pre-built jupyterlab, syft dependencies
+COPY --chown=$NONROOT_UG --from=syft_deps /home/nonroot/.local /home/nonroot/.local
 
 # copy grid
-COPY grid/backend /app/
+COPY --chown=$NONROOT_UG grid/backend/grid ./grid
 
-# copy skeleton to do package install
-COPY syft/setup.py /app/syft/setup.py
-COPY syft/setup.cfg /app/syft/setup.cfg
-COPY syft/pyproject.toml /app/syft/pyproject.toml
-COPY syft/MANIFEST.in /app/syft/MANIFEST.in
-COPY syft/src/syft/VERSION /app/syft/src/syft/VERSION
-COPY syft/src/syft/capnp /app/syft/src/syft/capnp
-
-# install syft
-RUN --mount=type=cache,target=/root/.cache \
-    pip install --user -e /app/syft && \
-    pip uninstall ansible ansible-core -y && \
-    rm -rf ~/.local/lib/python3.11/site-packages/ansible_collections
-
-# security patches
-RUN apt purge --auto-remove linux-libc-dev -y || true
-RUN apt purge --auto-remove libldap-2.5-0 -y || true
-
-# copy any changed source
-COPY syft/src /app/syft/src
-
-# change to worker-start.sh or start-reload.sh as needed
-CMD ["bash", "/app/grid/start.sh"]
+# copy syft
+COPY --chown=$NONROOT_UG syft/ ./syft/
+
+CMD ["bash", "./grid/start.sh"]

packages/grid/backend/grid/bootstrap.py

@@ -29,7 +29,7 @@ def get_env(key: str, default: str = "") -> Optional[str]:
     return None
 
 
-CREDENTIALS_PATH = str(get_env("CREDENTIALS_PATH", "/storage/credentials.json"))
+CREDENTIALS_PATH = str(get_env("CREDENTIALS_PATH", "./storage/credentials.json"))
 NODE_PRIVATE_KEY = "NODE_PRIVATE_KEY"
 NODE_UID = "NODE_UID"
 

packages/grid/backend/grid/core/node.py

@@ -26,7 +26,7 @@
 mongo_store_config = MongoStoreConfig(client_config=mongo_client_config)
 
 
-client_config = SQLiteStoreClientConfig(path="/storage/")
+client_config = SQLiteStoreClientConfig(path="./storage/")
 sql_store_config = SQLiteStoreConfig(client_config=client_config)
 
 node_type = get_node_type()

packages/grid/backend/grid/start.sh

@@ -15,12 +15,12 @@ if [[ ${DEV_MODE} == "True" ]];
 then
     echo "DEV_MODE Enabled"
     RELOAD="--reload"
-    pip install -e "/app/syft[telemetry]"
+    pip install -e "$APPDIR/syft[telemetry]"
 fi
 
 set +e
-NODE_PRIVATE_KEY=$(python /app/grid/bootstrap.py --private_key)
-NODE_UID=$(python /app/grid/bootstrap.py --uid)
+NODE_PRIVATE_KEY=$(python $APPDIR/grid/bootstrap.py --private_key)
+NODE_UID=$(python $APPDIR/grid/bootstrap.py --uid)
 set -e
 
 echo "NODE_PRIVATE_KEY=$NODE_PRIVATE_KEY"

packages/grid/devspace.yaml

@@ -313,8 +313,8 @@ dev:
         value: "True"
     logs: {}
     sync:
-      - path: ./backend/grid:/app/grid
-      - path: ../syft:/app/syft
+      - path: ./backend/grid:/home/nonroot/app/grid
+      - path: ../syft:/home/nonroot/app/syft
 
 profiles:
   - name: gateway

packages/grid/worker/worker.py

@@ -34,7 +34,7 @@
 worker = worker_class(
     name=node_name,
     local_db=True,
-    sqlite_path="/storage/",
+    sqlite_path="./storage/",
     node_type=node_type,
     enable_warnings=enable_warnings,
     node_side_type=node_side_type,