From ba23619f6ab8a3d1a7ea65a43609024a4f9d75ca Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 4 Nov 2022 00:01:01 -0400
Subject: [PATCH 1/4] Prettify a comment
---
 Dockerfile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 248d6cf..6c50a0f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,9 +4,12 @@ FROM python:3.10.1-alpine
 ARG VERSION
+###
 # For a list of pre-defined annotation keys and value types see:
 # https://github.com/opencontainers/image-spec/blob/master/annotations.md
+#
 # Note: Additional labels are added by the build workflow.
+###
 LABEL org.opencontainers.image.authors="mark.feldhousen@cisa.dhs.gov"
 LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency"
From 343c0cb236fbf288f2574e6b5544000200d97e0a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 4 Nov 2022 00:03:46 -0400
Subject: [PATCH 2/4] Rework creation of unprivileged user and installation of dependencies
Also add a section to update pip and setuptools via pip.
---
 Dockerfile | 62 ++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 55 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6c50a0f..54bd465 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,17 +13,65 @@ ARG VERSION
 LABEL org.opencontainers.image.authors="mark.feldhousen@cisa.dhs.gov"
 LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency"
-ARG CISA_UID=421
+###
+# Unprivileged user setup variables
+###
+ARG CISA_GID=421
+ARG CISA_UID=${CISA_GID}
+ENV CISA_USER="cisa"
+ENV CISA_GROUP=${CISA_USER}
 ENV CISA_HOME="/home/cisa"
 ENV ECHO_MESSAGE="Hello World from Dockerfile"
-RUN addgroup --system --gid ${CISA_UID} cisa \
- && adduser --system --uid ${CISA_UID} --ingroup cisa cisa
+###
+# Unprivileged user setup dependencies
+#
+# Install shadow, so we have adduser and addgroup.
+#
+# Note that we use apk --no-cache to avoid writing to a local cache.
+# This results in a smaller final image, at the cost of slightly
+# longer install times.
+#
+# Setup user dependencies are only needed for setting up the user and
+# will be removed at the end of that process.
+###
+ENV SETUP_USER_DEPS \
+ shadow
+RUN apk --update --no-cache --quiet upgrade
+RUN apk --no-cache --quiet add ${SETUP_USER_DEPS}
+###
+# Create unprivileged user
+###
+RUN addgroup --system --gid ${CISA_UID} ${CISA_GROUP} \
+ && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER}
+###
+# Remove build dependencies for unprivileged user
+###
+RUN apk --no-cache --quiet del ${SETUP_USER_DEPS}
+###
+# Dependencies
+#
+# Note that we use apk --no-cache to avoid writing to a local cache.
+# This results in a smaller final image, at the cost of slightly
+# longer install times.
+###
+ENV DEPS \
+ ca-certificates \
+ openssl \
+ py-pip
+RUN apk --no-cache --quiet add ${DEPS}
-RUN apk --update --no-cache add \
-ca-certificates \
-openssl \
-py-pip
+###
+# Make sure pip and setuptools are the latest versions
+#
+# Note that we use pip --no-cache-dir to avoid writing to a local
+# cache. This results in a smaller final image, at the cost of
+# slightly longer install times.
+###
+RUN pip install --no-cache-dir --upgrade pip setuptools
 WORKDIR ${CISA_HOME}
From 717334c62cb1c972a16795d0e2bebd0ab724327f Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 4 Nov 2022 00:05:06 -0400
Subject: [PATCH 3/4] Add comments and prefer long CLI options
---
 Dockerfile | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 54bd465..de48f7c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -75,14 +75,24 @@ RUN pip install --no-cache-dir --upgrade pip setuptools
 WORKDIR ${CISA_HOME}
-RUN wget -O sourcecode.tgz https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz && \
- tar xzf sourcecode.tgz --strip-components=1 && \
- pip install --requirement requirements.txt && \
- ln -snf /run/secrets/quote.txt src/example/data/secret.txt && \
- rm sourcecode.tgz
+###
+# Install Python dependencies
+#
+# Note that we use pip --no-cache-dir to avoid writing to a local
+# cache. This results in a smaller final image, at the cost of
+# slightly longer install times.
+###
+RUN wget --output-document sourcecode.tgz \
+ https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz && \
+ tar --extract --gzip --file sourcecode.tgz --strip-components=1 && \
+ pip install --no-cache-dir --requirement requirements.txt && \
+ ln -snf /run/secrets/quote.txt src/example/data/secret.txt && \
+ rm sourcecode.tgz
+###
+# Prepare to run
+###
 USER cisa
-
 EXPOSE 8080/TCP
 VOLUME ["/var/log"]
 ENTRYPOINT ["example"]
From 2a72bf612a152a0a4b32a481363cf394f5fbbf3b Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 4 Nov 2022 00:16:05 -0400
Subject: [PATCH 4/4] Move ECHO_MESSAGE declaration to the "Prepare to run" section
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index de48f7c..f4dddd9 100644
--- a/Dockerfile
+++ b/Dockerfile
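Review bot: The shadow package removed by `RUN apk --no-cache --quiet del ${SETUP_USER_DEPS}` stays in the image, because it was installed in an earlier `RUN` layer and a deletion in a later layer cannot shrink that layer; the install, the addgroup/adduser step and the del need to be a single `RUN` (and since the removed lines ran addgroup/adduser without shadow, busybox's own applets may already be sufficient — worth confirming). While the group is being created, `--gid ${CISA_UID}` should read `--gid ${CISA_GID}` now that the two are separate build args. `ENV SETUP_USER_DEPS` and `ENV DEPS` are build-time-only package lists that persist into every container's environment; `ARG` would keep them out of the runtime image. `RUN apk --update --no-cache --quiet upgrade` is a blanket upgrade that makes the build non-reproducible (hadolint DL3017) and `--update` is redundant with `--no-cache`; bumping the pinned base tag is the usual alternative, and the same reproducibility concern applies to the unpinned `py-pip` and `pip install --upgrade pip setuptools`. The merged user-setup step would look like:
```dockerfile
RUN apk --no-cache --quiet add ${SETUP_USER_DEPS} \
  && addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \
  && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} \
  && apk --no-cache --quiet del ${SETUP_USER_DEPS}
```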
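Review bot: The source archive fetched at `wget --output-document sourcecode.tgz` is extracted and installed with no integrity check, so the image content depends on whatever the remote serves for that tag at build time (git tags are mutable) and on the TLS path alone; comparing a pinned digest before the `tar` step, e.g. `echo "<SHA256_OF_RELEASE_TARBALL>  sourcecode.tgz" | sha256sum -c -` (placeholder digest, fill in from the release), makes the build reproducible and detects a changed or tampered archive. The same applies to `pip install --no-cache-dir --requirement requirements.txt`, which trusts whatever pins that file carries; `--require-hashes` is the pip-side equivalent if the file is hash-pinned. In the new "Prepare to run" section `USER cisa` hard-codes the name although the earlier hunk introduces `CISA_USER`; `USER ${CISA_USER}` keeps the two from drifting. A `HEALTHCHECK` is still absent for a service that `EXPOSE`s 8080, which is worth adding if the example application has a cheap probe endpoint.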
@@ -21,7 +21,6 @@ ARG CISA_UID=${CISA_GID}
 ENV CISA_USER="cisa"
 ENV CISA_GROUP=${CISA_USER}
 ENV CISA_HOME="/home/cisa"
-ENV ECHO_MESSAGE="Hello World from Dockerfile"
 ###
 # Unprivileged user setup dependencies
@@ -92,6 +91,7 @@ RUN wget --output-document sourcecode.tgz \
 ###
 # Prepare to run
 ###
+ENV ECHO_MESSAGE="Hello World from Dockerfile"
 USER cisa
 EXPOSE 8080/TCP
 VOLUME ["/var/log"]