Files for building a customized version of geonode/geonode-base for use with Inteligeo.
Docker Hub: mirandadam/geonode-base.
References:
- GeoNode dockerfiles
- Specific dockerfile for geonode-base.
- Specific dockerfile for geonode-project
- Upstream geonode/geonode-base.
Define a tag to identify the image version. Replace `testing` with the chosen tag:

```shell
export tagname=testing
```

Remove any existing images with the same name:

```shell
podman rmi -i mirandadam/geonode-base:$tagname
```

Build an image from scratch in the local folder (`.`), discarding local caches (`--no-cache`), tagging it as `mirandadam/geonode-base:$tagname`, and squashing all the layers to reduce size (`--squash`):

```shell
podman build --no-cache --squash --build-arg=IMAGE_VERSION=$tagname -t mirandadam/geonode-base:$tagname .
```
Make sure the image's Python environment does not contain packages with known CVEs. If either pip-audit or safety reports any, fix the Dockerfile to address them and rebuild the image.

```shell
# Get a shell into the image:
podman run -it --rm --entrypoint "bash" localhost/mirandadam/geonode-base:$tagname
# Inside the image, install and run pip-audit:
pip install pip-audit
pip-audit
# Also install and run safety:
pip install safety
safety check
```
You can also use the grype tool to test for vulnerabilities, but its output is a bit overwhelming, seems to include false positives, and ultimately does not provide a path to fixing most of the findings since, in the case of this image, they are related to the underlying OS. To install and run it:

```shell
# installing on ~/bin
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ~/bin
grype mirandadam/geonode-base:$tagname
```
Make sure that the new layers were squashed. Check the last two lines of the following output: this image should add only one layer (the last one), and the layer above it should belong to the upstream image:

```shell
podman image tree localhost/mirandadam/geonode-base:$tagname
```
Push the image to the Docker Hub registry, replacing `user:password` with your credentials:

```shell
podman push --creds "user:password" mirandadam/geonode-base:$tagname
```

After pushing the image to Docker Hub, tag the commit with the same tag as the image. Put the specific date of the build in the tag message. Example:

```shell
git tag -a "5.2.0-v1" -m "Used to build 5.2.0-v1 in 2023-02-02"
git push origin "5.2.0-v1"
```
Download the .whl file of GeoNode and look into its metadata (see https://pypi.org/pypi/Geonode/json for the link); all the required packages are listed there. Use that list to check whether there are new packages to include, or packages that were included before and are no longer necessary.
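The comparison described above can be scripted. The following is an added example, not part of this repository: it reads the `requires_dist` list of the PyPI JSON metadata (the same `Requires-Dist` entries found in the wheel's METADATA), drops extras-only dependencies, and diffs the package names against a requirements.txt. The JSON and requirements.txt contents below are constructed samples, not GeoNode's real ones.

```python
import json
import re

# Constructed sample of https://pypi.org/pypi/Geonode/json, reduced to the field used here.
SAMPLE_PYPI_JSON = """{
  "info": {
    "requires_dist": [
      "Django (>=3.2,<4.0)",
      "psycopg2 (==2.9.5)",
      "celery (>=5.2)",
      "pytest ; extra == 'dev'"
    ]
  }
}"""

# Constructed sample requirements.txt (not this image's real file).
SAMPLE_REQUIREMENTS = """\
# pinned Python packages
Django==3.2.18
Psycopg2==2.9.5  # inline comment
-r base.txt
flake8==6.0.0
"""

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")  # PEP 508 distribution name

def canonical(name):
    """PEP 503 normalisation so 'Psycopg2', 'psycopg2' and 'psycopg_2' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def wheel_requirements(pypi_json):
    """Map canonical name -> raw Requires-Dist string, skipping extras-only dependencies."""
    result = {}
    for spec in json.loads(pypi_json)["info"]["requires_dist"] or []:
        req, _, marker = spec.partition(";")
        if "extra" in marker:  # optional extra (dev/test), not a runtime dependency
            continue
        m = _NAME_RE.match(req)
        if m:
            result[canonical(m.group(1))] = spec.strip()
    return result

def pinned_requirements(text):
    """Map canonical name -> line for the package lines of a requirements.txt."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option such as -r
            continue
        m = _NAME_RE.match(line)
        if m:
            result[canonical(m.group(1))] = line
    return result

def compare(pypi_json, requirements_text):
    """Return (packages GeoNode needs but the file lacks, pins GeoNode no longer requires)."""
    needed, pinned = wheel_requirements(pypi_json), pinned_requirements(requirements_text)
    missing = {k: needed[k] for k in needed.keys() - pinned.keys()}
    unreferenced = {k: pinned[k] for k in pinned.keys() - needed.keys()}
    return missing, unreferenced

if __name__ == "__main__":
    missing, unreferenced = compare(SAMPLE_PYPI_JSON, SAMPLE_REQUIREMENTS)
    for spec in sorted(missing.values()):
        print("MISSING", spec)
    for line in sorted(unreferenced.values()):
        print("REVIEW ", line, "(not required by GeoNode; may be an add-on of this image)")
```

Entries reported under REVIEW are candidates only, since requirements.txt may legitimately pin packages this image adds on top of GeoNode.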
To update the versions of the packages in the requirements.txt file while keeping the major version of Django the same:

```shell
pip install pur
pur --minor Django -r requirements.txt
```
- Implement provenance/SBOM attestations as in https://docs.docker.com/build/ci/github-actions/attestations/#add-sbom-and-provenance-attestations-with-github-actions, but for docker. Red Hat also has documentation on creating a secure workflow with provenance and SBOM.