ci: run datatracker pod as non-root user (#7366)
* feat: patch_libraries management command * ci: Patch libraries in docker img build * ci: non-root datatracker user * ci: securityContext for datatracker pod
This commit is contained in:
parent
30a4a5a77b
commit
c8ee43da95
|
@ -3,6 +3,9 @@ LABEL maintainer="IETF Tools Team <tools-discuss@ietf.org>"
|
||||||
|
|
||||||
ENV DEBIAN_FRONTEND=noninteractive
|
ENV DEBIAN_FRONTEND=noninteractive
|
||||||
|
|
||||||
|
RUN groupadd -g 1000 datatracker && \
|
||||||
|
useradd -c "Datatracker User" -u 1000 -g datatracker -m -s /bin/false datatracker
|
||||||
|
|
||||||
RUN apt-get purge -y imagemagick imagemagick-6-common
|
RUN apt-get purge -y imagemagick imagemagick-6-common
|
||||||
|
|
||||||
# Install libreoffice (needed via PPT2PDF_COMMAND)
|
# Install libreoffice (needed via PPT2PDF_COMMAND)
|
||||||
|
@ -15,7 +18,8 @@ COPY ./dev/build/start.sh ./start.sh
|
||||||
COPY ./dev/build/datatracker-start.sh ./datatracker-start.sh
|
COPY ./dev/build/datatracker-start.sh ./datatracker-start.sh
|
||||||
COPY ./dev/build/celery-start.sh ./celery-start.sh
|
COPY ./dev/build/celery-start.sh ./celery-start.sh
|
||||||
|
|
||||||
RUN pip3 --disable-pip-version-check --no-cache-dir install -r requirements.txt
|
RUN pip3 --disable-pip-version-check --no-cache-dir install -r requirements.txt && \
|
||||||
|
ietf/manage.py patch_libraries
|
||||||
|
|
||||||
RUN chmod +x start.sh && \
|
RUN chmod +x start.sh && \
|
||||||
chmod +x datatracker-start.sh && \
|
chmod +x datatracker-start.sh && \
|
||||||
|
|
|
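Review bot: The uid/gid 1000 hard-coded in the `groupadd`/`useradd` lines of the first hunk must agree with `runAsUser`/`runAsGroup` in the chart values changed by this same commit, but nothing in the Dockerfile records that coupling; add `# uid/gid 1000 must match securityContext.runAsUser/runAsGroup in the helm values` above the `RUN groupadd` line. No `USER datatracker` instruction is visible in these hunks, so unless one exists elsewhere in the file, anything that runs the image outside the chart (local docker, CI) still runs as root — the pod-level `runAsUser` only covers Kubernetes. The `ietf/manage.py patch_libraries` step in the second hunk runs at build time while site-packages is still writable, which is what the read-only root filesystem at runtime requires; a trailing comment such as `# must run at build time: site-packages is read-only in the running pod` would stop it being moved into a start script later.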
@ -67,9 +67,6 @@ datatracker:
|
||||||
podAnnotations: {}
|
podAnnotations: {}
|
||||||
podLabels: {}
|
podLabels: {}
|
||||||
|
|
||||||
podSecurityContext: {}
|
|
||||||
# fsGroup: 2000
|
|
||||||
|
|
||||||
#readinessProbe:
|
#readinessProbe:
|
||||||
# httpGet:
|
# httpGet:
|
||||||
# # /submit/tool-instructions/ just happens to be cheap until we get a real health endpoint
|
# # /submit/tool-instructions/ just happens to be cheap until we get a real health endpoint
|
||||||
|
@ -90,13 +87,17 @@ datatracker:
|
||||||
# cpu: 100m
|
# cpu: 100m
|
||||||
# memory: 128Mi
|
# memory: 128Mi
|
||||||
|
|
||||||
securityContext: {}
|
podSecurityContext:
|
||||||
# capabilities:
|
runAsNonRoot: true
|
||||||
# drop:
|
|
||||||
# - ALL
|
securityContext:
|
||||||
# readOnlyRootFilesystem: true
|
allowPrivilegeEscalation: false
|
||||||
# runAsNonRoot: true
|
capabilities:
|
||||||
# runAsUser: 1000
|
drop:
|
||||||
|
- ALL
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsUser: 1000
|
||||||
|
runAsGroup: 1000
|
||||||
|
|
||||||
service:
|
service:
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
|
@ -132,17 +133,9 @@ datatracker:
|
||||||
- name: datatracker-shared-volume
|
- name: datatracker-shared-volume
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: "datatracker-shared-volume-claim"
|
claimName: "datatracker-shared-volume-claim"
|
||||||
# cache-volume and staging-volume are a hack to create paths for debugging without a /a volume
|
- name: datatracker-tmp
|
||||||
# - name: cache-volume
|
emptyDir:
|
||||||
# emptyDir:
|
sizeLimit: "2Gi"
|
||||||
# sizeLimit: 1Gi
|
|
||||||
# - name: staging-volume
|
|
||||||
# emptyDir:
|
|
||||||
# sizeLimit: 1Gi
|
|
||||||
# - name: foo
|
|
||||||
# secret:
|
|
||||||
# secretName: mysecret
|
|
||||||
# optional: false
|
|
||||||
|
|
||||||
# Additional volumeMounts on the output Deployment definition.
|
# Additional volumeMounts on the output Deployment definition.
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
@ -152,14 +145,8 @@ datatracker:
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: datatracker-shared-volume
|
- name: datatracker-shared-volume
|
||||||
mountPath: /a
|
mountPath: /a
|
||||||
# cache-volume and staging-volume are a hack to create paths for debugging without a /a volume
|
- name: datatracker-tmp
|
||||||
# - name: cache-volume
|
mountPath: /tmp
|
||||||
# mountPath: "/a/cache"
|
|
||||||
# - name: staging-volume
|
|
||||||
# mountPath: "/test/staging"
|
|
||||||
# - name: foo
|
|
||||||
# mountPath: "/etc/foo"
|
|
||||||
# readOnly: true
|
|
||||||
|
|
||||||
tolerations: []
|
tolerations: []
|
||||||
|
|
||||||
|
|
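Review bot: The container `securityContext` in the third hunk sets the restricted-profile fields except `seccompProfile`; add `seccompProfile:` / `  type: RuntimeDefault` under it so the pod also satisfies the Pod Security Standards `restricted` level. With `runAsUser: 1000` the `/a` mount from `datatracker-shared-volume` is only writable if the claim's files are owned by or group-writable for uid/gid 1000; if the application writes there, `podSecurityContext.fsGroup: 1000` (the commented example removed in the first hunk) may be needed, but the volume's ownership is not visible here. The `datatracker-tmp` emptyDir mounted at `/tmp` is what makes `readOnlyRootFilesystem: true` workable; a one-line comment on it, `# writable scratch space: the root filesystem is read-only`, would stop it being dropped as unused.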
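--- /dev/null
+++ b/ietf/utils/management/commands/patch_libraries.py
@@ -0,0 +1,32 @@
+# Copyright The IETF Trust 2024, All Rights Reserved
+import django
+import os
+
+from django.conf import settings
+from django.core.management.base import BaseCommand, CommandError
+from pathlib import Path
+
+from ietf.utils import patch
+
+
+class Command(BaseCommand):
+    """Apply IETF patches to libraries"""
+    requires_system_checks = tuple()
+
+    def handle(self, *args, **options):
+        library_path = Path(django.__file__).parent.parent
+        top_dir = Path(settings.BASE_DIR).parent
+
+        # All patches in settings.CHECKS_LIBRARY_PATCHES_TO_APPLY must have a
+        # relative file path starting from the site-packages dir, e.g.
+        # 'django/db/models/fields/__init__.py'
+        for patch_file in settings.CHECKS_LIBRARY_PATCHES_TO_APPLY:
+            patch_set = patch.fromfile(top_dir / Path(patch_file))
+            if not patch_set:
+                raise CommandError(f"Could not parse patch file '{patch_file}'")
+            if not patch_set.apply(root=bytes(library_path)):
+                raise CommandError(f"Could not apply the patch from '{patch_file}'")
+            if patch_set.already_patched:
+                self.stdout.write(f"Patch from '{patch_file}' was already applied")
+            else:
+                self.stdout.write(f"Applied the patch from '{patch_file}'")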
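Review bot: `import os` on the new file's third line is never used by the command; drop it. `if not patch_set:` is meant to catch a parse failure, but if `ietf.utils.patch` follows python-patch's `PatchSet`, which defines `__len__`, an empty-but-valid patch file is also falsy and would be misreported as unparseable — compare against the sentinel `fromfile` returns on failure instead of relying on truthiness. `handle` has no docstring: it should state that the command rewrites files under the site-packages directory derived from `django.__file__`, so it must run while that directory is writable (at image build time, as the Dockerfile hunk in this commit does) rather than from a container with a read-only root filesystem, and that the first failing patch aborts with `CommandError` while earlier patches stay applied.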