run as non-root and improved paths

vshn · Sep 10, 2024 · f62f236 · f62f236
1 parent 2874beb
commit f62f236
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 15 deletions.
diff --git a/Dockerfile.contactform b/Dockerfile.contactform
@@ -18,20 +18,31 @@ RUN --mount=type=cache,target=$POETRY_CACHE_DIR poetry install --no-root
 ### RUNTIME
 FROM python:3.12-bookworm as runtime
 
+WORKDIR /app
+
 RUN apt-get update && \
-    apt-get install -y nginx chromium && \
+    apt-get install -y nginx chromium dbus && \
     rm -rf /var/lib/apt/lists/*
 
 ENV VIRTUAL_ENV=/app/.venv \
     PATH="/app/.venv/bin:$PATH" \
-    PYTHONPATH="/conferenceli" \
+    PYTHONPATH="/app/contactform" \
     GUNICORN_CMD_ARGS="--workers=1 --bind=unix:/app/gunicorn.sock --access-logfile=-"
 
 COPY --from=builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 
-COPY contactform ./conferenceli
+COPY contactform ./contactform
 COPY nginx.conf /etc/nginx/nginx.conf
 
+RUN set -x && \
+    useradd -ms /bin/bash contactform && \
+    mkdir -p /opt/data && \
+    ls -Alh /opt/data && \
+    chown -R contactform:root /app /opt/data /var/log/nginx /var/lib/nginx && \
+    chmod -R g=u /app /opt/data /var/log/nginx /var/lib/nginx
+
+USER contactform:root
+
 EXPOSE 8080
 
-CMD ["sh", "-c", "nginx && gunicorn conferenceli.app:app"]
+CMD ["sh", "-c", "nginx && gunicorn contactform.app:app"]
diff --git a/contactform/config.py b/contactform/config.py
@@ -45,7 +45,7 @@ def __init__(self):
             "APPUIO_SIGNUP_URL", "https://www.appuio.ch/sign-up"
         )
         self.APPUIO_LOGO_PATH = self.get_env_var(
-            "APPUIO_LOGO_PATH", "/conferenceli/static/images/appuio-bw.png"
+            "APPUIO_LOGO_PATH", "contactform/static/images/appuio-bw.png"
         )
         self.TAG_ID = None
         self.CAMPAIGN_ID = None

diff --git a/contactform/label_raffle.py b/contactform/label_raffle.py
@@ -39,11 +39,9 @@ def print_raffle(form, config, printer_config):
 
     hti = Html2Image(
         size=(590, 300),
-        output_path="/tmp",
         custom_flags=[
-            "--default-background-color=000000",
+            "--default-background-color=FFFFFF",
             "--hide-scrollbars",
-            "--no-sandbox",
         ],
     )
     hti.screenshot(
@@ -52,7 +50,7 @@ def print_raffle(form, config, printer_config):
         save_as=label_filename,
     )
 
-    label_image = open(f"/tmp/{label_filename}", "rb")
+    label_image = open(label_filename, "rb")
 
     parameters = LabelParameters(
         configuration=printer_config,

diff --git a/contactform/label_voucher.py b/contactform/label_voucher.py
@@ -64,11 +64,9 @@ def print_voucher(form, voucher_code, config, printer_config):
 
     hti = Html2Image(
         size=(590, 1050),
-        output_path="/tmp",
         custom_flags=[
-            "--default-background-color=000000",
+            "--default-background-color=FFFFFF",
             "--hide-scrollbars",
-            "--no-sandbox",
         ],
     )
     hti.load_file(config.APPUIO_LOGO_PATH)
@@ -80,7 +78,7 @@ def print_voucher(form, voucher_code, config, printer_config):
         save_as=label_filename,
     )
 
-    label_image = open(f"/tmp/{label_filename}", "rb")
+    label_image = open(label_filename, "rb")
 
     parameters = LabelParameters(
         configuration=printer_config,

diff --git a/nginx.conf b/nginx.conf
@@ -1,8 +1,7 @@
 worker_processes 1;
 
-user nobody nogroup;
 error_log  /var/log/nginx/error.log warn;
-pid /var/run/nginx.pid;
+pid /app/nginx.pid;
 
 error_log /dev/stdout info;