diff --git a/dev/build/Dockerfile b/dev/build/Dockerfile
index 267dbc587..51d2d3799 100644
--- a/dev/build/Dockerfile
+++ b/dev/build/Dockerfile
@@ -3,6 +3,9 @@ LABEL maintainer="IETF Tools Team "
ENV DEBIAN_FRONTEND=noninteractive
+RUN groupadd -g 1000 datatracker && \
+ useradd -c "Datatracker User" -u 1000 -g datatracker -m -s /bin/false datatracker
+
RUN apt-get purge -y imagemagick imagemagick-6-common
# Install libreoffice (needed via PPT2PDF_COMMAND)
@@ -15,7 +18,8 @@ COPY ./dev/build/start.sh ./start.sh
COPY ./dev/build/datatracker-start.sh ./datatracker-start.sh
COPY ./dev/build/celery-start.sh ./celery-start.sh
-RUN pip3 --disable-pip-version-check --no-cache-dir install -r requirements.txt
+RUN pip3 --disable-pip-version-check --no-cache-dir install -r requirements.txt && \
+ ietf/manage.py patch_libraries
RUN chmod +x start.sh && \
chmod +x datatracker-start.sh && \
diff --git a/helm/values.yaml b/helm/values.yaml
index 366cea3d4..28f976284 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -67,9 +67,6 @@ datatracker:
podAnnotations: {}
podLabels: {}
- podSecurityContext: {}
- # fsGroup: 2000
-
#readinessProbe:
# httpGet:
# # /submit/tool-instructions/ just happens to be cheap until we get a real health endpoint
@@ -90,13 +87,17 @@ datatracker:
# cpu: 100m
# memory: 128Mi
- securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+ podSecurityContext:
+ runAsNonRoot: true
+
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ runAsGroup: 1000
service:
type: ClusterIP
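Review bot: The new `datatracker` account is created by the groupadd/useradd lines but nothing in this hunk switches to it, so a plain `docker run` of this image still executes as root unless a `USER datatracker` instruction follows later in the Dockerfile (outside this hunk); the `runAsUser: 1000` in helm/values.yaml is then the only thing dropping privileges and does not cover non-Helm use. Add `USER datatracker` after the last build step that needs root (the pip install / patch step). The uid and gid 1000 are duplicated in the chart's `runAsUser`/`runAsGroup`, so a comment on the groupadd line such as `# uid/gid must match runAsUser/runAsGroup in helm/values.yaml` would keep the two from drifting apart.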
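Review bot: The new `ietf/manage.py patch_libraries` step rewrites files under site-packages in the same layer as `pip3 install`, but the install has no integrity pinning visible here; if requirements.txt does not carry hashes, `pip3 --disable-pip-version-check --no-cache-dir install --require-hashes -r requirements.txt` would make the library versions the patches are applied against reproducible and reject a substituted package. Invoking `ietf/manage.py` by path relies on its executable bit and shebang surviving the earlier COPY; `python3 ietf/manage.py patch_libraries` avoids that dependency. Because the patches need write access to site-packages, this step has to stay ahead of any `USER` switch, and a one-line comment saying so would stop a later reorder from silently breaking the build.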
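Review bot: The new securityContext stops one field short of the Pod Security Standards `restricted` profile: `seccompProfile` is not set, so the container runs under the runtime's default seccomp policy (often unconfined) and a namespace enforcing `restricted` will reject the pod. Add `seccompProfile:` / `  type: RuntimeDefault` under `podSecurityContext` next to `runAsNonRoot: true`. With the pod now fixed to uid/gid 1000 and no `fsGroup`, the `/a` PVC mounted elsewhere in this file is only writable if its ownership already matches; if the datatracker writes there, `fsGroup: 1000` in `podSecurityContext` is the usual fix, to be confirmed against the volume's provisioner.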
@@ -132,17 +133,9 @@ datatracker:
- name: datatracker-shared-volume
persistentVolumeClaim:
claimName: "datatracker-shared-volume-claim"
-# cache-volume and staging-volume are a hack to create paths for debugging without a /a volume
-# - name: cache-volume
-# emptyDir:
-# sizeLimit: 1Gi
-# - name: staging-volume
-# emptyDir:
-# sizeLimit: 1Gi
- # - name: foo
- # secret:
- # secretName: mysecret
- # optional: false
+ - name: datatracker-tmp
+ emptyDir:
+ sizeLimit: "2Gi"
# Additional volumeMounts on the output Deployment definition.
volumeMounts:
@@ -152,14 +145,8 @@ datatracker:
readOnly: true
- name: datatracker-shared-volume
mountPath: /a
-# cache-volume and staging-volume are a hack to create paths for debugging without a /a volume
-# - name: cache-volume
-# mountPath: "/a/cache"
-# - name: staging-volume
-# mountPath: "/test/staging"
- # - name: foo
- # mountPath: "/etc/foo"
- # readOnly: true
+ - name: datatracker-tmp
+ mountPath: /tmp
tolerations: []
diff --git a/ietf/utils/management/commands/patch_libraries.py b/ietf/utils/management/commands/patch_libraries.py
new file mode 100644
index 000000000..2ada67a28
--- /dev/null
+++ b/ietf/utils/management/commands/patch_libraries.py
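Review bot: `sizeLimit: "2Gi"` on the new `datatracker-tmp` emptyDir is an eviction threshold, not a quota: once the pod's writes to /tmp exceed it the kubelet evicts the whole pod, so the value needs to be sized for the largest conversion the app performs rather than treated as a soft cap. A comment stating what the scratch volume is for and what overflow does would help the next operator, e.g. `# scratch space for /tmp (required with readOnlyRootFilesystem); exceeding sizeLimit evicts the pod`. The quoted `"2Gi"` also differs from the unquoted quantities used elsewhere in this file; either form parses, so pick one for consistency.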
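Review bot: Mounting the emptyDir at `/tmp` covers only one writable location; with `readOnlyRootFilesystem: true` now set in this chart, every other path the process writes at runtime must also be backed by a volume or the container fails at that write. Two candidates visible in this change are the home directory the Dockerfile creates with `useradd -m` (`/home/datatracker`) and the libreoffice profile behind PPT2PDF_COMMAND, which by default lives under `$HOME`; if either is written, point `HOME` (or libreoffice's `-env:UserInstallation=`) at `/tmp`, or add a second emptyDir mount for `/home/datatracker`. Running the image locally with `docker run --read-only` is a cheap way to confirm the set of writable paths before relying on the chart.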
@@ -0,0 +1,32 @@
+# Copyright The IETF Trust 2024, All Rights Reserved
+import django
+import os
+
+from django.conf import settings
+from django.core.management.base import BaseCommand, CommandError
+from pathlib import Path
+
+from ietf.utils import patch
+
+
+class Command(BaseCommand):
+ """Apply IETF patches to libraries"""
+ requires_system_checks = tuple()
+
+ def handle(self, *args, **options):
+ library_path = Path(django.__file__).parent.parent
+ top_dir = Path(settings.BASE_DIR).parent
+
+ # All patches in settings.CHECKS_LIBRARY_PATCHES_TO_APPLY must have a
+ # relative file path starting from the site-packages dir, e.g.
+ # 'django/db/models/fields/__init__.py'
+ for patch_file in settings.CHECKS_LIBRARY_PATCHES_TO_APPLY:
+ patch_set = patch.fromfile(top_dir / Path(patch_file))
+ if not patch_set:
+ raise CommandError(f"Could not parse patch file '{patch_file}'")
+ if not patch_set.apply(root=bytes(library_path)):
+ raise CommandError(f"Could not apply the patch from '{patch_file}'")
+ if patch_set.already_patched:
+ self.stdout.write(f"Patch from '{patch_file}' was already applied")
+ else:
+ self.stdout.write(f"Applied the patch from '{patch_file}'")
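Review bot: `import os` at the top of the new file is never used and should be dropped. The comment above the loop says the entries of `CHECKS_LIBRARY_PATCHES_TO_APPLY` "must have a relative file path starting from the site-packages dir", but the code resolves each entry against `top_dir` (the parent of `settings.BASE_DIR`) and only the file names inside the patch are applied relative to `library_path`; reword it to `# Each entry is a patch file path relative to the repo root (top_dir); the paths inside the patch must be relative to the site-packages dir django lives in (library_path), e.g. 'django/db/models/fields/__init__.py'`. `handle` would also benefit from a one-line docstring naming the two failure modes, since both `CommandError`s abort the image build in dev/build/Dockerfile. Note that `library_path` presumes every patched library shares django's site-packages, which holds for the pip install in the Dockerfile but not for editable or vendored installs; a comment on that line would make the assumption visible.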