Drop privs in Dockerfile

Closes #284
eventoL · Mar 30, 2018 · 9571d51 · 9571d51
1 parent 0fe1978
commit 9571d51
Showing 1 changed file with 43 additions and 25 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,16 @@
 FROM python:3.5
 
-RUN mkdir -p /usr/src/app
-WORKDIR /usr/src/app
+ENV APP_ROOT /usr/src/app
+ENV APP_USER_NAME app
+ENV APP_USER_UID 1000
+
+# Prepare environment
+RUN useradd -m -d ${APP_ROOT} \
+    --shell /bin/bash \
+    --uid ${APP_USER_UID} \
+    ${APP_USER_NAME}
+RUN mkdir -p ${APP_ROOT}
+WORKDIR ${APP_ROOT}
 
 # Install nodejs and gettext
 ENV NODE_VERSION 8.x
@@ -11,61 +20,70 @@ RUN apt-get install -y nodejs gettext \
   && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # Install python requirements
-COPY ./requirements.txt /usr/src/app/
-COPY ./requirements-dev.txt /usr/src/app/
+COPY ./requirements.txt ${APP_ROOT}
+COPY ./requirements-dev.txt ${APP_ROOT}
 RUN pip install --no-cache-dir -r requirements.txt
 RUN pip install --no-cache-dir -r requirements-dev.txt
 RUN pip install psycopg2
 
 # Install node modules
-COPY ./eventol/front/package.json /usr/src/app/eventol/front/
-COPY ./eventol/front/yarn.lock /usr/src/app/eventol/front/
+COPY ./eventol/front/package.json ${APP_ROOT}/eventol/front/
+COPY ./eventol/front/yarn.lock ${APP_ROOT}/eventol/front/
 RUN npm install -g yarn webpack@^1.12.13
-RUN cd /usr/src/app/eventol/front && yarn install
+RUN cd ${APP_ROOT}/eventol/front && yarn install
 
 # Install bower dependencies
-COPY ./eventol/front/bower.json /usr/src/app/eventol/front/
-COPY ./eventol/front/.bowerrc /usr/src/app/eventol/front/
+COPY ./eventol/front/bower.json ${APP_ROOT}/eventol/front/
+COPY ./eventol/front/.bowerrc ${APP_ROOT}/eventol/front/
 RUN npm install -g bower
-RUN cd /usr/src/app/eventol/front && bower install --allow-root
+RUN cd ${APP_ROOT}/eventol/front && bower install --allow-root
 
 # Copy test script file
-COPY ./test.sh /usr/src/app/test.sh
+COPY ./test.sh ${APP_ROOT}/test.sh
 
 # Create log file
 RUN touch /var/log/eventol.log
 
 # Copy python code
-COPY ./eventol /usr/src/app/eventol
-RUN mkdir -p /usr/src/app/eventol/manager/static
-RUN mkdir -p /usr/src/app/eventol/front/eventol/static
+COPY ./eventol ${APP_ROOT}/eventol
+RUN mkdir -p ${APP_ROOT}/eventol/manager/static
+RUN mkdir -p ${APP_ROOT}/eventol/front/eventol/static
 
 # Compile scss
 RUN npm install -g less
-RUN mkdir -p /usr/src/app/eventol/manager/static/manager/css/
-RUN lessc /usr/src/app/eventol/front/eventol/static/manager/less/eventol.less > /usr/src/app/eventol/manager/static/manager/css/eventol.css
-RUN lessc /usr/src/app/eventol/front/eventol/static/manager/less/eventol-bootstrap.less > /usr/src/app/eventol/manager/static/manager/css/eventol-bootstrap.css
+RUN mkdir -p ${APP_ROOT}/eventol/manager/static/manager/css/
+RUN lessc ${APP_ROOT}/eventol/front/eventol/static/manager/less/eventol.less > ${APP_ROOT}/eventol/manager/static/manager/css/eventol.css
+RUN lessc ${APP_ROOT}/eventol/front/eventol/static/manager/less/eventol-bootstrap.less > ${APP_ROOT}/eventol/manager/static/manager/css/eventol-bootstrap.css
 
 # Copy script for docker-compose wait and start-eventol
 COPY ./deploy/docker/scripts/wait-for-it.sh /root
-COPY ./deploy/docker/scripts/start_eventol.sh /usr/src/app/start_eventol.sh
+COPY ./deploy/docker/scripts/start_eventol.sh ${APP_ROOT}/start_eventol.sh
 
 # Compile reactjs code
-RUN cd /usr/src/app/eventol/front && webpack --config webpack.prod.config.js
+RUN cd ${APP_ROOT}/eventol/front && webpack --config webpack.prod.config.js
 
 # Collect statics
-RUN mkdir -p /usr/src/app/eventol/static
-RUN cd /usr/src/app/eventol && python manage.py collectstatic --noinput
+RUN mkdir -p ${APP_ROOT}/eventol/static
+RUN cd ${APP_ROOT}/eventol && python manage.py collectstatic --noinput
 
 # Create media folder
-RUN mkdir -p /usr/src/app/eventol/media
+RUN mkdir -p ${APP_ROOT}/eventol/media
+
+# Chown files
+RUN chmod 0750 ${APP_ROOT}
+RUN chown --recursive ${APP_USER_NAME}:${APP_USER_NAME} ${APP_ROOT}
+
+# Drop privs
+USER ${APP_USER_NAME}
 
 # Compile .po files
-RUN sed -i 's@#~ @@g' /usr/src/app/eventol/conf/locale/*/LC_MESSAGES/djangojs.po
-RUN cd /usr/src/app/eventol && python manage.py compilemessages
+RUN sed -i 's@#~ @@g' ${APP_ROOT}/eventol/conf/locale/*/LC_MESSAGES/djangojs.po
+RUN cd ${APP_ROOT}/eventol && python manage.py compilemessages
 
 EXPOSE 8000
 
-VOLUME /usr/src/app
+VOLUME ${APP_ROOT}/eventol/media
+VOLUME ${APP_ROOT}/eventol/static
+
 
 CMD ["tail", "-f", "/dev/null"]