From 00626b82eceb93a7d58bfc6ca7989fb2bb9a3b53 Mon Sep 17 00:00:00 2001
From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com>
Date: Sun, 22 Dec 2024 12:19:10 +0100
Subject: [PATCH 1/4] add non-root user to frontend and backend containers also remove huey further
---
backend/Dockerfile | 3 +++
backend/ciso_assistant/settings.py | 18 +++++++++---------
backend/startup.sh | 2 +-
docker-compose-build.sh | 2 +-
frontend/Dockerfile | 4 ++++
5 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/backend/Dockerfile b/backend/Dockerfile
index f5dd68f92..e08cfd221 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -30,6 +30,9 @@ RUN pip install --upgrade pip && \
RUN poetry install
RUN rm -rf $POETRY_CACHE_DIR
+RUN addgroup -g 1001 -S backend && adduser -u 1001 -S -G backend backend
+RUN chown -R backend:backend /code/db
+USER backend
ENTRYPOINT ["poetry", "run", "bash", "startup.sh"]
EXPOSE 8000
diff --git a/backend/ciso_assistant/settings.py b/backend/ciso_assistant/settings.py
index c875af2be..d41c50bbf 100644
--- a/backend/ciso_assistant/settings.py
+++ b/backend/ciso_assistant/settings.py
@@ -375,15 +375,15 @@ def set_ciso_assistant_url(_, __, event_dict):
# OTHER SETTINGS
}
-HUEY = {
- "huey_class": "huey.SqliteHuey", # Huey implementation to use.
- "name": "huey-ciso-assistant", # Use db name for huey.
- "results": True, # Store return values of tasks.
- "store_none": False, # If a task returns None, do not save to results.
- "immediate": DEBUG, # If DEBUG=True, run synchronously.
- "utc": True, # Use UTC for all times internally.
- "filename": "db/huey.sqlite3",
-}
+# HUEY = {
+# "huey_class": "huey.SqliteHuey", # Huey implementation to use.
+# "name": "huey-ciso-assistant", # Use db name for huey.
+# "results": True, # Store return values of tasks.
+# "store_none": False, # If a task returns None, do not save to results.
+# "immediate": DEBUG, # If DEBUG=True, run synchronously.
+# "utc": True, # Use UTC for all times internally.
+# "filename": "db/huey.sqlite3",
+# }
# SSO with allauth
diff --git a/backend/startup.sh b/backend/startup.sh
index a13cdeaab..0e5de7a01 100755
--- a/backend/startup.sh
+++ b/backend/startup.sh
@@ -7,7 +7,7 @@ fi
if [ ! -n "$DJANGO_SECRET_KEY" ]; then
if [ ! -f db/django_secret_key ]; then
- cat /proc/sys/kernel/random/uuid >db/django_secret_key
+ install -m 600 <(cat /proc/sys/kernel/random/uuid) db/django_secret_key
echo "generating initial Django secret key"
fi
export DJANGO_SECRET_KEY=$( Date: Sun, 22 Dec 2024 13:07:46 +0100
Subject: [PATCH 2/4] try fix broken test
---
.github/workflows/startup-tests.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/startup-tests.yml b/.github/workflows/startup-tests.yml
index ac3a48c24..a102afced 100644
--- a/.github/workflows/startup-tests.yml
+++ b/.github/workflows/startup-tests.yml
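Review bot: The added lines of the @@ -375 hunk comment out the HUEY block instead of deleting it, which leaves nine lines of dead configuration in settings.py with no indication of whether they are meant to come back. The commit message says huey is being removed, so delete the block outright (version control keeps the old values); if re-enabling is planned, replace it with a single line such as `# HUEY task queue config removed together with the huey dependency` rather than a commented copy of the dict.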
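Review bot: The `install -m 600 ...` on the added line of the startup.sh hunk is not checked for failure, and with the backend now running as uid 1001 (the Dockerfile hunk in this patch) a db/ directory the container user cannot write makes it fail; the script then continues, prints "generating initial Django secret key", and the `export DJANGO_SECRET_KEY=$(...)` on the next line presumably reads a missing file and exports an empty key. Unless the script sets `set -e` above the hunk (its head is outside the hunk), guard the write: `install -m 600 <(cat /proc/sys/kernel/random/uuid) db/django_secret_key || { echo "cannot write db/django_secret_key" >&2; exit 1; }`. The tail of this hunk is cut off in this view, so the export line could not be checked in full.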
@@ -130,7 +130,7 @@ jobs:
export $(grep -v '^#' .env | xargs)
- name: Config the Docker app
run: |
- sleep 120 # give the migrations time to finish (included in the up on the previous step)
+ sleep 180 # give the migrations time to finish (included in the up on the previous step)
docker compose -f docker-compose-build.yml exec backend /bin/bash -c "DJANGO_SUPERUSER_EMAIL=admin@tests.com DJANGO_SUPERUSER_PASSWORD=1234 poetry run python manage.py createsuperuser --noinput && exit 0"
- name: Run tests
working-directory: ${{ env.frontend-directory }}
@@ -261,7 +261,7 @@ jobs:
export $(grep -v '^#' .env | xargs)
- name: Config the Docker app
run: |
- sleep 120 # give the migrations time to finish (included in the up on the previous step)
+ sleep 180 # give the migrations time to finish (included in the up on the previous step)
docker compose -f enterprise/docker-compose-build.yml exec backend /bin/bash -c "DJANGO_SUPERUSER_EMAIL=admin@tests.com DJANGO_SUPERUSER_PASSWORD=1234 poetry run python manage.py createsuperuser --noinput --settings=${{ env.enterprise-backend-settings-module }} && exit 0"
- name: Run tests
working-directory: ${{ env.frontend-directory }}
From 240f0697ccba296cbe307017542c91b2e18b8ae4 Mon Sep 17 00:00:00 2001
From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com>
Date: Sun, 22 Dec 2024 15:26:24 +0100
Subject: [PATCH 3/4] simplify dockerfile Following advice from Nathanael-Mtd
---
backend/Dockerfile | 5 ++---
frontend/Dockerfile | 4 ++--
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/backend/Dockerfile b/backend/Dockerfile
index e08cfd221..52dde60f3 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
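Review bot: The readiness wait on the changed line of the @@ -130 hunk is still a fixed `sleep`, only lengthened from 120 to 180 seconds, so the step remains a guess at how long the migrations take and will keep failing on a slow runner while wasting minutes on a fast one; patch 4 in this series moves the value back to 120, which shows it is being tuned blind. Poll for readiness with a bound instead, for example `for i in $(seq 1 60); do docker compose -f docker-compose-build.yml exec backend poetry run python manage.py migrate --check && break; sleep 5; done` (`migrate --check` exits non-zero while migrations are pending), and fail the step explicitly when the loop runs out. The same applies to the @@ -261 hunk below (enterprise compose file) and to the two hunks of patch 4 that edit the same lines.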
@@ -30,9 +30,8 @@ RUN pip install --upgrade pip && \
RUN poetry install
RUN rm -rf $POETRY_CACHE_DIR
-RUN addgroup -g 1001 -S backend && adduser -u 1001 -S -G backend backend
-RUN chown -R backend:backend /code/db
-USER backend
+RUN addgroup -g 1001 -S app && adduser -u 1001 -S -G app app
+USER app
ENTRYPOINT ["poetry", "run", "bash", "startup.sh"]
EXPOSE 8000
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index c39528aeb..892b2d805 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -22,7 +22,7 @@ EXPOSE 3000
ENV NODE_ENV=production
ENV BODY_SIZE_LIMIT=20000000
-RUN addgroup -g 1002 -S frontend && adduser -u 1002 -S -G frontend frontend
-USER frontend
+RUN addgroup -g 1001 -S app && adduser -u 1001 -S -G app app
+USER app
CMD [ "node", "server" ]
From ebd7c9faef4a744e6593fb62807dfb63acba990f Mon Sep 17 00:00:00 2001
From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com>
Date: Sun, 22 Dec 2024 17:45:11 +0100
Subject: [PATCH 4/4] Update startup-tests.yml tentative fix for broken startup test
---
.github/workflows/startup-tests.yml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/startup-tests.yml b/.github/workflows/startup-tests.yml
index a102afced..4aa13ca12 100644
--- a/.github/workflows/startup-tests.yml
+++ b/.github/workflows/startup-tests.yml
@@ -122,7 +122,10 @@ jobs:
working-directory: ${{ env.frontend-directory }}
run: pnpm exec playwright install
- name: Build the Docker app
- run: docker compose -f docker-compose-build.yml up -d
+ run: |
+ rm -rf db
+ mkdir db
+ docker compose -f docker-compose-build.yml up -d
- name: Create backend environment variables file
working-directory: ${{ env.backend-directory }}
run: |
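Review bot: Dropping the `chown -R` from the backend/Dockerfile hunk leaves nothing in the image that makes /code/db writable by uid 1001, yet startup.sh (patch 1 of this series) writes db/django_secret_key at runtime under `USER app`; if db/ is bind-mounted the host directory's ownership decides, and that contract is not written down anywhere. State it next to the user creation, e.g. `# runtime user; whatever is mounted at /code/db must be writable by uid/gid 1001`. The `-S` flags on addgroup/adduser are BusyBox syntax and only work on an Alpine base — the FROM line is outside the hunk, so please confirm the base image. The frontend/Dockerfile hunk in this patch has the same shape (and now uses the same uid 1001), so the same confirmation applies there.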
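Review bot: The added `rm -rf db` / `mkdir db` lines in the @@ -122 hunk carry no comment saying why the directory is recreated, and since the step declares no `working-directory` (the preceding step's frontend-directory setting does not carry over) they act on the checkout root. Presumably this gives the container's non-root user (uid 1001, introduced earlier in this series) a fresh db/ it can write into; say so in the step: `# recreate db/ so the mounted directory is writable by the container's uid 1001`. A reader who later sees a permission error on db/django_secret_key will otherwise not connect it to this step.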
@@ -130,7 +133,7 @@ jobs:
export $(grep -v '^#' .env | xargs)
- name: Config the Docker app
run: |
- sleep 180 # give the migrations time to finish (included in the up on the previous step)
+ sleep 120 # give the migrations time to finish (included in the up on the previous step)
docker compose -f docker-compose-build.yml exec backend /bin/bash -c "DJANGO_SUPERUSER_EMAIL=admin@tests.com DJANGO_SUPERUSER_PASSWORD=1234 poetry run python manage.py createsuperuser --noinput && exit 0"
- name: Run tests
working-directory: ${{ env.frontend-directory }}
@@ -261,7 +264,7 @@ jobs:
export $(grep -v '^#' .env | xargs)
- name: Config the Docker app
run: |
- sleep 180 # give the migrations time to finish (included in the up on the previous step)
+ sleep 120 # give the migrations time to finish (included in the up on the previous step)
docker compose -f enterprise/docker-compose-build.yml exec backend /bin/bash -c "DJANGO_SUPERUSER_EMAIL=admin@tests.com DJANGO_SUPERUSER_PASSWORD=1234 poetry run python manage.py createsuperuser --noinput --settings=${{ env.enterprise-backend-settings-module }} && exit 0"
- name: Run tests
working-directory: ${{ env.frontend-directory }}