Fix/userguide dockerfile (#1089)
### Feature or Bugfix
- Bugfix

### Detail
- view #1087 

### Relates
- <URL or Ticket>

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

---------

Co-authored-by: Noah Paige <noahpaig@amazon.com>
dlpzx and noah-paige authored Mar 7, 2024
1 parent c0cf338 commit a463374
Showing 1 changed file with 23 additions and 16 deletions.
39 changes: 23 additions & 16 deletions documentation/userguide/docker/prod/Dockerfile
Expand Up @@ -15,7 +15,6 @@ RUN dnf upgrade -y;\
dnf autoremove -y; \
dnf clean all; rm -rfv /var/cache/dnf

# Installing libraries
# Installing libraries
RUN dnf -y install shadow-utils wget
RUN dnf -y install openssl-devel bzip2-devel libffi-devel postgresql-devel gcc unzip tar gzip
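Review bot: The two `dnf -y install` layers at the end of this hunk run after the `dnf clean all; rm -rfv /var/cache/dnf` step above them, and no later cleanup is visible in this diff, so the package cache they create stays in the image layers. Suggest folding the installs into one `RUN` that ends with the same cleanup. Since this file lives under `docker/prod`, it is also worth checking whether `gcc` and the `-devel` packages are needed at runtime; if they only serve the `pip install` step, a multi-stage build would keep the compiler out of the final image.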
Expand All @@ -24,31 +23,39 @@ RUN dnf -y install python$PYTHON_VERSION
RUN dnf -y install python$PYTHON_VERSION-pip

RUN groupadd -r ${CONTAINER_USER_GROUP} && useradd -r -m -g ${CONTAINER_USER_GROUP} ${CONTAINER_USER}
RUN chown -R ${CONTAINER_USER_GROUP}:root /usr/local/
RUN chown -R ${CONTAINER_USER}:root /tmp

USER ${CONTAINER_USER}
RUN mkdir -p /var/cache/nginx /var/log/nginx /var/lib/nginx /var/run/nginx /var/www/html && \
chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /var/cache/nginx /var/log/nginx /var/lib/nginx /var/run/nginx /var/www/html && \
touch /run/nginx.pid && chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /run/nginx.pid && \
mkdir -p /etc/nginx/templates /etc/nginx/ssl/certs && \
chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /etc/nginx

RUN touch ~/.bashrc
# Install necessary packages and grant permissions
RUN setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx

COPY --chown=${CONTAINER_USER}:root . ./
WORKDIR /app

RUN python$PYTHON_VERSION -m pip install -r documentation/userguide/requirements.txt
RUN python$PYTHON_VERSION -m mkdocs build
RUN chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /usr/local/
RUN chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /tmp
RUN chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /usr/share/nginx
RUN chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /etc/nginx
RUN chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /app

USER ${CONTAINER_USER}

RUN curl -L https://github.com/a8m/envsubst/releases/download/$ENVSUBST_VERSION/envsubst-`uname -s`-`uname -m` -o /usr/local/bin/envsubst && \
chmod +x /usr/local/bin/envsubst
COPY --chown=${CONTAINER_USER}:root ./documentation/userguide/docker/prod/nginx.config /etc/nginx/nginx.template
RUN python$PYTHON_VERSION -m pip install -r requirements.txt
RUN python$PYTHON_VERSION -m mkdocs build
RUN touch ~/.bashrc

COPY --chown=${CONTAINER_USER}:${CONTAINER_USER_GROUP} . ./

RUN python$PYTHON_VERSION -m pip install -r ./requirements.txt
RUN python$PYTHON_VERSION -m mkdocs build -d usr/local/site

RUN curl -L https://github.com/a8m/envsubst/releases/download/$ENVSUBST_VERSION/envsubst-`uname -s`-`uname -m` -o /usr/local/bin/envsubst && \
chmod +x /usr/local/bin/envsubst
COPY --chown=${CONTAINER_USER}:root ./documentation/userguide/docker/prod/nginx.config /etc/nginx/nginx.template
COPY --chown=${CONTAINER_USER}:${CONTAINER_USER_GROUP} ./docker/prod/nginx.config /etc/nginx/nginx.template

CMD ["/bin/sh", "-c", "envsubst < /etc/nginx/nginx.template > /etc/nginx/conf.d/default.conf"]
CMD ["/bin/sh", "-c", "/usr/local/bin/envsubst < /etc/nginx/nginx.template > /etc/nginx/conf.d/default.conf"]

RUN cp -a site/. /usr/share/nginx/html/
RUN cp -a usr/local/site/. /usr/share/nginx/html/

CMD ["nginx", "-g", "daemon off;"]
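Review bot: The two `CMD` instructions at the end of this hunk cannot both take effect: Docker uses only the last `CMD` in a Dockerfile, so `CMD ["nginx", "-g", "daemon off;"]` overrides the envsubst one and `/etc/nginx/conf.d/default.conf` is never rendered from `/etc/nginx/nginx.template` when the container starts. Suggest a single command, for example `CMD ["/bin/sh", "-c", "/usr/local/bin/envsubst < /etc/nginx/nginx.template > /etc/nginx/conf.d/default.conf && exec nginx -g 'daemon off;'"]`, or an entrypoint script that does both. Two further points on the same hunk: the `curl -L ... -o /usr/local/bin/envsubst` download is made executable without `-f` and without a checksum check, so an HTTP error body or a replaced release asset would be installed as the binary; pinning a SHA-256 for the `$ENVSUBST_VERSION` asset and verifying it before `chmod +x` would address that. And the recursive `chown` of `/usr/local/`, `/etc/nginx` and `/usr/share/nginx` to `${CONTAINER_USER}` lets the runtime user rewrite its own binaries, configuration and served content; running the download and the site copy as root before `USER ${CONTAINER_USER}` and granting write access only to `/etc/nginx/conf.d`, the pid file and the nginx cache and log directories would fit the least-privilege question in the PR template better.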
