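ARG VERSION=unspecified
ARG PY_VERSION=3.10.7

# NOTE(review): the base image is pinned by tag only. A tag can be
# re-pushed; for a tamper-evident, reproducible build also pin the
# digest (python:<tag>@sha256:...) and bump it deliberately.
FROM python:${PY_VERSION}-slim-bullseye AS compile-stage

# An ARG declared before FROM is only visible in FROM lines, so VERSION
# has to be redeclared to be usable inside this stage.
ARG VERSION

###
# For a list of pre-defined annotation keys and value types see:
# https://github.com/opencontainers/image-spec/blob/master/annotations.md
#
# Note: Additional labels are added by the build workflow.
###
LABEL org.opencontainers.image.authors="[email protected]"
LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency"

###
# Unprivileged user setup variables
#
# A fixed numeric UID/GID lets runtimes that enforce non-root
# execution (e.g. Kubernetes runAsNonRoot) verify the account.
###
ARG CISA_UID=421
ARG CISA_GID=${CISA_UID}
ARG CISA_USER="cisa"
ENV CISA_GROUP=${CISA_USER}
ENV CISA_HOME="/home/${CISA_USER}"

###
# Install everything we need
#
# Install dependencies are only needed for software installation and
# will not be included in the final Docker image.
#
# These package lists are build-time inputs, so they are ARGs rather
# than ENVs: nothing needs them at runtime, and an ENV would persist
# into any image built on top of this stage.
###
ARG DEPS="libpq-dev=13.13-0+deb11u1"
# I'd like to pin the version of wget to keep the build reproducible,
# but it's tricky.
#
# I need to use version 1.21-1+b1 of wget for amd64 and version 1.21-1
# of wget otherwise.
# https://packages.debian.org/bullseye/wget
#
# I presume the solution is to somehow make use of this jazz:
# https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope)
#
# But I don't see a way to do ternary logic with ENVs in a Dockerfile.
#
# Here is a post from StackOverflow where someone asks a similar
# question:
# https://stackoverflow.com/questions/67596193/building-a-multi-architecture-docker-image-but-dockerfile-requires-different-pa
#
# NOTE(review): no instruction in this stage invokes wget (pip fetches
# the guacscanner tarball itself), so it may be removable; confirm
# nothing outside this file relies on it before dropping it.
ARG INSTALL_DEPS="wget"

###
# Upgrade the system and install the dependencies
#
# apt-get update runs in the same layer as apt-get install so that a
# cached (stale) package index can never be paired with a newer
# install list (hadolint DL3009). Because the versions above are
# pinned, a stale index fails the build rather than quietly installing
# a different package. The blanket apt-get upgrade is kept as-is; the
# preferred long-term fix for base-image CVEs is bumping the base tag
# or digest (hadolint DL3005). -qq implies --yes for apt-get.
###
RUN apt-get update --quiet --quiet \
    && apt-get upgrade --quiet --quiet \
    && apt-get install --quiet --quiet --yes \
    --no-install-recommends --no-install-suggests \
    $DEPS $INSTALL_DEPS

###
# Create unprivileged user
###
RUN groupadd --system --gid ${CISA_GID} ${CISA_GROUP} \
    && useradd --system --uid ${CISA_UID} --gid ${CISA_GROUP} --comment "${CISA_USER} user" ${CISA_USER}

###
# Make sure pip, setuptools, and wheel are the latest versions
#
# Note that we use pip3 --no-cache-dir to avoid writing to a local
# cache. This results in a smaller final image, at the cost of
# slightly longer install times.
#
# NOTE(review): this is an unpinned upgrade of the *system*
# interpreter's tooling and so is not reproducible on its own. It never
# reaches the final image (only ${CISA_HOME} is copied out of this
# stage), and the virtual environment below pins its own copies.
###
RUN pip3 install --no-cache-dir --upgrade \
    pip \
    setuptools \
    wheel

###
# Perform remaining steps as the unprivileged user, from the
# unprivileged user's home directory
#
# Everything written from here on is owned by ${CISA_USER}, which is
# what the runtime stage copies.
###
USER ${CISA_USER}:${CISA_GROUP}
WORKDIR ${CISA_HOME}

###
# Manually set up the virtual environment
###
ENV PY_VENV=${CISA_HOME}/.venv
RUN python3 -m venv ${PY_VENV}
ENV PATH="${PY_VENV}/bin:$PATH"

# Install/upgrade core Python dependencies
#
# Pinned so the environment guacscanner is installed into is
# reproducible.
RUN python3 -m pip install --no-cache-dir --upgrade \
    pip==21.3.1 \
    setuptools==58.5.3 \
    wheel==0.37.0

# Download and install guacscanner
#
# NOTE(review): this fetches the auto-generated source archive for a
# git *tag*, and a tag can be moved; nothing here verifies the
# download's integrity. pip only enforces hashes from a requirements
# file, so to close this put the URL in one with a --hash=sha256:...
# entry (ideally for a release artifact or the PyPI sdist/wheel, since
# GitHub's generated archives have not always been byte-stable), or
# reference an immutable commit SHA instead of v${VERSION}. With the
# default VERSION=unspecified the URL does not exist, so a build that
# omits --build-arg VERSION fails here rather than installing something
# unintended.
RUN python3 -m pip install --no-cache-dir \
    https://github.com/cisagov/guacscanner/archive/v${VERSION}.tar.gz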
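FROM python:${PY_VERSION}-slim-bullseye AS build-stage

###
# For a list of pre-defined annotation keys and value types see:
# https://github.com/opencontainers/image-spec/blob/master/annotations.md
#
# Note: Additional labels are added by the build workflow.
###
LABEL org.opencontainers.image.authors="[email protected]"
LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency"

###
# Unprivileged user setup variables
#
# These must match the compile stage: the venv copied in below is owned
# by that stage's CISA_UID/CISA_GID.
###
ARG CISA_UID=421
ARG CISA_GID=${CISA_UID}
ARG CISA_USER="cisa"
ENV CISA_GROUP=${CISA_USER}
ENV CISA_HOME="/home/${CISA_USER}"

###
# Install everything we need
#
# Declared as an ARG, not an ENV, so the build-time package list is not
# baked into the runtime environment of the final image.
#
# NOTE(review): libpq-dev is the development package (headers,
# pg_config). If guacscanner's database driver only needs the shared
# library at runtime, the libpq5 runtime package alone would be a
# smaller attack surface -- confirm against guacscanner's requirements
# before changing it.
###
ARG DEPS="libpq-dev=13.13-0+deb11u1"

###
# Upgrade the system and install the runtime dependencies
#
# Note that we clean up aptitude cruft after installing dependencies.
# This must be done in one fell swoop to actually reduce the size of
# the resulting Docker image:
# https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#minimize-the-number-of-layers
#
# The update/upgrade step is therefore part of this same RUN: when it
# ran in its own layer, the package lists it wrote stayed in that layer
# and the rm of /var/lib/apt/lists/* below could not actually shrink
# the image. Running them together also avoids pairing a cached index
# with a newer install list (hadolint DL3009). -qq implies --yes for
# apt-get.
###
RUN apt-get update --quiet --quiet \
    && apt-get upgrade --quiet --quiet \
    && apt-get install --quiet --quiet --yes \
    --no-install-recommends --no-install-suggests \
    $DEPS \
    && apt-get clean \
    && rm --recursive --force /var/lib/apt/lists/*

###
# Create unprivileged user
###
RUN groupadd --system --gid ${CISA_GID} ${CISA_GROUP} \
    && useradd --system --uid ${CISA_UID} --gid ${CISA_GROUP} --comment "${CISA_USER} user" ${CISA_USER}

###
# Manually set up the virtual environment, copying the venv over from
# the compile stage
#
# COPY --from keeps the source stage's numeric owner; --chown states the
# intended owner explicitly so a CISA_UID mismatch between the two
# stages cannot silently leave the venv owned by another account.
###
ENV PY_VENV=${CISA_HOME}/.venv
COPY --from=compile-stage --chown=${CISA_UID}:${CISA_GID} ${CISA_HOME} ${CISA_HOME}/
ENV PATH="${PY_VENV}/bin:$PATH"

###
# Prepare to run
#
# The final stage runs as the unprivileged user; the exec-form
# ENTRYPOINT makes guacscanner PID 1 so it receives stop signals
# directly.
###
USER ${CISA_USER}:${CISA_GROUP}
WORKDIR ${CISA_HOME}
ENTRYPOINT ["guacscanner"]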