Don't run docker containers as root #400

Open
wants to merge 81 commits into base: main
93e99d5
Make packages easier to read
jeremyestein May 8, 2024
4b1f8fa
Remove unneeded packages
jeremyestein May 8, 2024
d087520
Merge three pixl python docker images into one multi-stage dockerfile to
jeremyestein May 8, 2024
1e1c18e
Specify healthcheck command in only one place
jeremyestein May 8, 2024
63d6edb
De-dupe the pre-reqs installation code using a build arg
jeremyestein May 8, 2024
46a08e0
De-dupe the actual install as well
jeremyestein May 8, 2024
64fcbc5
Add (failing) test for the condition we are aiming for: containers to
jeremyestein May 8, 2024
0d5cb39
Run as user pixl, which we have to create inside the image with a
jeremyestein May 9, 2024
397cb68
The system test already builds the required docker images, and passes
jeremyestein May 9, 2024
d7fa46e
Semi-WIP: Create pixl user+group on the GHA test runner so that we ca…
jeremyestein May 9, 2024
d8525b1
Fix variable usage and exports dir location
jeremyestein May 9, 2024
6facef9
More debugging
jeremyestein May 9, 2024
55db93c
debug
jeremyestein May 9, 2024
6f7c8dd
debug
jeremyestein May 9, 2024
0ff9148
split build and up
jeremyestein May 9, 2024
cce26a5
Create user home dir in the GHA script to avoid error from failed
jeremyestein May 9, 2024
1e3ed88
Why is pytest not found? Some kind of env change caused by sudo?
jeremyestein May 9, 2024
8abcb5f
Preserve path when running sudo
jeremyestein May 9, 2024
de4e1e9
Run tests as normal runner user
jeremyestein May 9, 2024
5736f30
Don't see why this needs to have docker group
jeremyestein May 9, 2024
09f37ea
Debugging for perm failure on file deletes
jeremyestein May 9, 2024
0edcf17
Fix scope error
jeremyestein May 9, 2024
d0201d8
OK maybe this was needed after all
jeremyestein May 9, 2024
077a304
Since CLI creates everything in exports dir these days, it makes more
jeremyestein May 9, 2024
cd93adc
Try not creating home dir for pixl - what is even using this?
jeremyestein May 9, 2024
c0c0d96
and therefore I can't do this any more
jeremyestein May 9, 2024
9507816
Remove debugging
jeremyestein May 10, 2024
bd5cf84
Document the reason for the permissions setup better. Don't need to
jeremyestein May 10, 2024
de2ea9d
If Export API is believed to only read from the export dir, then let's
jeremyestein May 10, 2024
9aaf2c7
First attempt at documentation on docker permissions.
jeremyestein May 10, 2024
0bd75fb
CLI user needs to be able to write to export dir.
jeremyestein May 10, 2024
db201d9
Clarify docs
jeremyestein May 10, 2024
928a092
Go with the assumption that the host machine will have a "pixl" user and
jeremyestein May 15, 2024
e13fe01
oops left in empty arg
jeremyestein May 15, 2024
017a0a9
Set the setgid bit so that subdirs/files in exports will be owned by the
jeremyestein May 15, 2024
9eb831b
debugging
jeremyestein May 15, 2024
8e9771b
fix debugging
jeremyestein May 15, 2024
15b98c8
doesn't exist?
jeremyestein May 15, 2024
572144d
Make debugging more useful and permanent. More docs
jeremyestein May 15, 2024
2d7c902
more debugging
jeremyestein May 15, 2024
cf1900e
Set the FACL
jeremyestein May 15, 2024
eb5da97
usermod doesn't change groups of existing shells. Need to run the system
jeremyestein May 15, 2024
995b35b
Invoking a new shell with "bash" doesn't re-read groups, but using sudo
jeremyestein May 15, 2024
303374c
Need to preserve envs
jeremyestein May 15, 2024
edde878
more debugging
jeremyestein May 15, 2024
ef1b113
Unlikely to work because su will prompt
jeremyestein May 15, 2024
806449d
Will just passing PATH be enough?
jeremyestein May 15, 2024
629a5e4
Pass through all env as well as PATH
jeremyestein May 15, 2024
8bbe273
Remove debugging
jeremyestein May 15, 2024
b9edf54
Merge branch 'main' into jeremy/docker-uid-new
jeremyestein May 20, 2024
d167c13
Merge branch 'main' into jeremy/docker-uid-new
jeremyestein May 21, 2024
4c6f6d1
Unite orthanc Dockerfiles
jeremyestein May 21, 2024
1b46c83
Add orthanc containers to test
jeremyestein May 21, 2024
468d908
Make orthanc run as orthanc user instead of root
jeremyestein May 22, 2024
1004681
Can also use non-root for fakes in system test
jeremyestein May 22, 2024
668ebc0
Non-root orthanc works for core and imaging tests too
jeremyestein May 22, 2024
695f64f
Add fakes to system test container user check
jeremyestein May 22, 2024
b34abbc
Remove debugging
jeremyestein May 22, 2024
02e3b79
Use same orthanc version everywhere
jeremyestein May 22, 2024
420fb7f
Use existing YAML anchors
jeremyestein May 22, 2024
b4d2526
Don't think this is needed since we moved this code to the export-api
jeremyestein May 22, 2024
cca7b93
Try adding orthanc to PIXL group
stefpiatek Jun 14, 2024
5925520
Try adding orthanc to PIXL group
stefpiatek Jun 14, 2024
3437005
Try adding orthanc to PIXL group
stefpiatek Jun 14, 2024
905e741
Try adding orthanc to PIXL group
stefpiatek Jun 14, 2024
19be6c7
Change owner of pixl file
stefpiatek Jun 14, 2024
4c39072
Try setting pixl user before copying
stefpiatek Jun 14, 2024
32ca6bb
Change owner of python projects on copy
stefpiatek Jun 14, 2024
81eabb7
Change owner of python projects on copy
stefpiatek Jun 14, 2024
21ccb13
Change owner of python projects on copy
stefpiatek Jun 14, 2024
9ef77e7
Merge branch 'main' into jeremy/docker-uid-new
stefpiatek Jun 14, 2024
ee1b97c
Define wait for images to be exported in conftest
stefpiatek Jun 14, 2024
47822a9
Add group ID to test build args
stefpiatek Jun 14, 2024
242aacf
Merge branch 'main' into jeremy/docker-uid-new
milanmlft Jul 4, 2024
6e945c3
Update README.md
stefpiatek Jul 18, 2024
c7b2711
Merge branch 'main' into jeremy/docker-uid-new
milanmlft Jul 30, 2024
521b1cd
Consolidate `RUN` commands
milanmlft Jul 30, 2024
653a921
Merge branch 'main' into jeremy/docker-uid-new
stefpiatek Jul 30, 2024
5d1937d
Add @dram1964's instructions for setting up a PIXL user on GAE
milanmlft Jul 31, 2024
b8a6de5
Merge remote-tracking branch 'origin/main' into jeremy/docker-uid-new
stefpiatek Oct 7, 2024
75af526
Merge remote-tracking branch 'origin/main' into jeremy/docker-uid-new
stefpiatek Oct 7, 2024
De-dupe the actual install as well
jeremyestein committed May 8, 2024
commit 46a08e07e768ed53b3a77ce30cc3f8eaba5591d8
30 changes: 6 additions & 24 deletions docker/pixl-python/Dockerfile
@@ -32,6 +32,7 @@ RUN apt-get autoremove && apt-get clean && rm -rf /var/lib/apt/lists/*
HEALTHCHECK CMD /usr/bin/curl -f http://0.0.0.0:8000/heart-beat || exit 1

WORKDIR /app
# specify what we're installing using build time arg
ARG PIXL_PACKAGE_DIR

# Install requirements before copying modules
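Review bot: `ARG PIXL_PACKAGE_DIR` has no default and nothing fails fast when it is left unset, yet the rest of this Dockerfile interpolates it into paths (`COPY ./$PIXL_PACKAGE_DIR/pyproject.toml ...`, `COPY ./$PIXL_PACKAGE_DIR/ .`, `pip3 install --no-cache-dir $PIXL_PACKAGE_DIR/`). With an empty value the `COPY` source collapses to `.//`, so the whole build context is copied into `/app`, and the install is attempted against `/`. Add a guard directly after the declaration, e.g. `RUN test -n "$PIXL_PACKAGE_DIR"`, and extend the new comment to name the expected values (`pixl_export`, `hasher`, `pixl_imaging`, the directories the removed per-image stages copied) so the build-arg contract is explicit.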
@@ -40,39 +41,20 @@ COPY ./$PIXL_PACKAGE_DIR/pyproject.toml ./$PIXL_PACKAGE_DIR/pyproject.toml
RUN pip3 install --no-cache-dir pixl_core/ \
&& pip3 install --no-cache-dir $PIXL_PACKAGE_DIR/



FROM pixl_python_base AS export_api

# Install our code
COPY ./pixl_core/ pixl_core/
COPY ./pixl_export/ .
COPY ./$PIXL_PACKAGE_DIR/ .
RUN pip install --no-cache-dir --force-reinstall --no-deps pixl_core/ \
--no-cache-dir --force-reinstall --no-deps . && \
if [ "$TEST" = "true" ]; then pip install --no-cache-dir pixl_core/[test] .[test]; fi

ENTRYPOINT ["uvicorn", "pixl_export.main:app", "--host", "0.0.0.0", "--port", "8000"]

# Each container should be run with a different entry point
FROM pixl_python_base AS export_api
ENTRYPOINT ["uvicorn", "pixl_export.main:app", "--host", "0.0.0.0", "--port", "8000"]

FROM pixl_python_base AS hasher_api

COPY ./pixl_core/ pixl_core/
COPY ./hasher/ .
RUN --mount=type=cache,target=/root/.cache \
pip install --no-cache-dir --force-reinstall --no-deps pixl_core/ . && \
if [ "$TEST" = "true" ]; \
then pip install --no-cache-dir --force-reinstall --no-deps pixl_core/[test] \
--no-cache-dir --force-reinstall --no-deps .[test]; fi
ENTRYPOINT ["uvicorn", "hasher.main:app", "--host", "0.0.0.0", "--port", "8000"]


FROM pixl_python_base AS imaging_api

COPY ./pixl_core/ pixl_core/
COPY ./pixl_imaging/ .
RUN --mount=type=cache,target=/root/.cache \
pip install --no-cache-dir --force-reinstall --no-deps pixl_core/ . && \
if [ "$TEST" = "true" ]; \
then pip install --no-cache-dir --force-reinstall --no-deps pixl_core/[test] \
--no-cache-dir --force-reinstall --no-deps .[test]; fi

ENTRYPOINT ["/app/scripts/migrate_and_run.sh"]
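Review bot: the consolidated `RUN pip install --no-cache-dir --force-reinstall --no-deps pixl_core/ \` / `--no-cache-dir --force-reinstall --no-deps . && \` repeats the same three options twice inside one `pip install` invocation; pip options apply to the whole command, so the second set is redundant and reads as if two separate installs were intended. Write it as `pip install --no-cache-dir --force-reinstall --no-deps pixl_core/ .`, the form the removed `hasher_api` and `imaging_api` stages already used. Two things to confirm that the hunk does not show: `if [ "$TEST" = "true" ]` only sees `$TEST` if the stage declares `ARG TEST`, so that declaration must exist in `pixl_python_base` now that the per-image stages are gone; and `ENTRYPOINT ["/app/scripts/migrate_and_run.sh"]` for `imaging_api` silently depends on the image having been built with `PIXL_PACKAGE_DIR=pixl_imaging`, which the single-install layout no longer makes obvious, so a comment on that stage (or a documented build-arg per target) would help. Dropping `--mount=type=cache,target=/root/.cache` is fine given `--no-cache-dir`, but it is worth a line in the commit message.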