Dockerfile that builds with poetry

[DMRobertson]

To test:

DOCKER_BUILDKIT=1 docker build . -t sydent && docker run -p 8090:8090 sydent

I've seen this print sydent's startup lines and persist data to the /data volume. I could make a GET request to localhost:8090/ and got a 404 error page for my troubles, together with an entry in Sydent's log. I haven't tested this any more thoroughly than that.

To inspect the container while it's running, get the container id with
docker ps and then:

$ docker exec -it 001f9bfc6a54 bash
sydent@001f9bfc6a54:/home/sydent$ ls
src  venv
sydent@001f9bfc6a54:/home/sydent$ ls src
README.rst  poetry.lock  pyproject.toml  requirements.txt  res scripts  sydent
sydent@001f9bfc6a54:/home/sydent$ ls venv
bin  lib  pyvenv.cfg

Pull Request Checklist

• Pull request includes a changelog file. The entry should:
  • Be a short description of your change which makes sense to users. "Fix a bug that prevented receiving messages from other servers." instead of "Move X method from EventStore to EventWorkerStore.".
  • Include 'Contributed by Your Name.' or 'Contributed by @your-github-username.' — unless you would prefer not to be credited in the changelog.
  • Use markdown where necessary, mostly for code blocks.
  • End with either a period (.) or an exclamation mark (!).
  • Start with a capital letter.
• Pull request includes a sign off

[reivilibre]

Seems good :)

[reivilibre]

I realise this isn't yours, but on the line above, why are we creating a password for the sydent user?
It originally has a disabled password. There's no reason to set a static password ... is there?

[DMRobertson]

I wondered about this too. I removed this from the builder step (see line -13).

[DMRobertson]

Seems to have been added in #290; wasn't present in #80. No clues in either PR.

[reivilibre]

I reckon we just remove it here as well. A password that is the same for every Sydent container doesn't seem to afford any security anyway.
I also notice --disabled-login is an option rather than --disabled-password

Excerpt from /etc/shadow:

dpass:*:19033:0:99999:7:::
dlogin:!:19033:0:99999:7:::

If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).

— man shadow

--disabled-login sounds like it (!) will also prevent SSH login using authorised keys. I guess we're not running an SSH daemon anyway, so it probably doesn't matter which one we use.

[DMRobertson]

A password that is the same for every Sydent container doesn't seem to afford any security anyway.

The password comes from /dev/random so I would expect it to be different every time you run build this container. I still think it's odd though.

[reivilibre]

But if it gets uploaded to Docker Hub or something, everyone can then pull that and even crack the password hash if they're so keen. I'd pull it out — the password isn't even being given to anyone so I can't see how it's useful.

[DMRobertson]

Oh I see---good point. Yes, let's excise it

[reivilibre]

thanks!