From ca26f8c789c9458a7b429b24c4efacba011d2b09 Mon Sep 17 00:00:00 2001
From: Michael Folz
Date: Tue, 14 Nov 2023 10:47:20 +0100
Subject: [PATCH] #237 - Minor suggestions to improve the container image

- use user id instead of name
- pin base image by digest
- replace apt with apt-get
- use docker metadata action
---
 .../check-if-running-as-feasibility-user.sh | 10 --------
 .../scripts/check-if-running-as-user-10001.sh | 10 ++++++++
 .github/workflows/ci.yml | 24 +++++++++++++++++--
 Dockerfile | 17 ++++++-------
 4 files changed, 39 insertions(+), 22 deletions(-)
 delete mode 100755 .github/scripts/check-if-running-as-feasibility-user.sh
 create mode 100755 .github/scripts/check-if-running-as-user-10001.sh

diff --git a/.github/scripts/check-if-running-as-feasibility-user.sh b/.github/scripts/check-if-running-as-feasibility-user.sh
deleted file mode 100755
index ef458a1f..00000000
--- a/.github/scripts/check-if-running-as-feasibility-user.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash -e
-
-if docker exec -u0 feasibility-gui-backend pgrep -u feasibility java > /dev/null
-then
-  echo "Java process is running as feasibility"
-  exit 0
-else
-  echo "Java process is not running as feasibility"
-  exit 1
-fi
diff --git a/.github/scripts/check-if-running-as-user-10001.sh b/.github/scripts/check-if-running-as-user-10001.sh
new file mode 100755
index 00000000..76a1d623
--- /dev/null
+++ b/.github/scripts/check-if-running-as-user-10001.sh
@@ -0,0 +1,10 @@
+#!/bin/bash -e
+
+if docker exec -u0 feasibility-gui-backend pgrep -u 10001 java > /dev/null
+then
+  echo "Java process is running as user 10001"
+  exit 0
+else
+  echo "Java process is not running as user 10001"
+  exit 1
+fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5e13d95a..8bdc6ddb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,26 @@ jobs:
     steps:
     - uses: actions/checkout@v3
 
+    - name: Docker Meta
+      uses: docker/metadata-action@v5
+      with:
+        images: |
+          ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{major}}
+          type=sha
+        labels: |
+          maintainer=medizininformatik-initiative
+          org.opencontainers.image.authors=medizininformatik-initiative
+          org.opencontainers.image.source=https://github.com/medizininformatik-initiative/feasibility-backend
+          org.opencontainers.image.vendor=medizininformatik-initiative
+          org.opencontainers.image.title=feasibility backend
+          org.opencontainers.image.description=Provides backend functions for feasibility UI including query execution
+
     - name: Set up JDK 17
       uses: actions/setup-java@v3
       with:
@@ -148,8 +168,8 @@ jobs:
     - name: Wait for Feasibility Backend
       run: .github/scripts/wait-for-url.sh http://localhost:8091/actuator/health
 
-    - name: Check if Feasibility Backend is correctly running with the feasibility user
-      run: .github/scripts/check-if-running-as-feasibility-user.sh
+    - name: Check if Feasibility Backend is correctly running with the user with id 10001
+      run: .github/scripts/check-if-running-as-user-10001.sh
 
     - name: Wait for Blaze
       run: .github/scripts/wait-for-url.sh http://localhost:8082/health
diff --git a/Dockerfile b/Dockerfile
index 62e78a55..85c28895 100644
--- a/Dockerfile
+++ b/Dockerfile
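Review bot: The new Docker Meta step in ci.yml reads `${{ env.REGISTRY }}` and `${{ env.IMAGE_NAME }}`, and neither is defined within this hunk; if they are not set at workflow or job level the `images` input collapses to a bare `/` and every generated tag is unusable, so the `env:` block outside the hunk is worth confirming, as is the build-push step that presumably consumes this step's `tags` and `labels` outputs. Since the same commit pins the base image by digest, the action reference is now the remaining floating input: `docker/metadata-action@v5` changes whenever the `v5` tag is re-pointed, and the matching hardening is `uses: docker/metadata-action@<full-commit-sha> # v5`, with the SHA taken from the release you intend to use.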
@@ -1,18 +1,12 @@
-FROM eclipse-temurin:17-jre
+FROM eclipse-temurin:17-jre@sha256:171e90d2ca55e6958d8b56b58670fe42e9986c540225ce9f61a67b477017c217
 
-RUN apt update -yqq && apt upgrade -yqq && \
+RUN apt-get update -yqq && apt-get upgrade -yqq && \
     apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/
 
 WORKDIR /opt/codex-feasibility-backend
 COPY ./target/*.jar ./feasibility-gui-backend.jar
 COPY ontology ontology
 
-RUN addgroup --system feasibility && adduser --system feasibility --ingroup feasibility
-RUN mkdir logging
-RUN chown -R feasibility:feasibility /opt/codex-feasibility-backend
-
-USER feasibility:feasibility
-
 ARG VERSION=2.1.0
 ENV APP_VERSION=${VERSION}
 ENV FEASIBILITY_DATABASE_HOST="feasibility-network"
@@ -23,8 +17,11 @@ ENV CERTIFICATE_PATH=/opt/codex-feasibility-backend/certs
 ENV TRUSTSTORE_PATH=/opt/codex-feasibility-backend/truststore
 ENV TRUSTSTORE_FILE=self-signed-truststore.jks
 
-RUN mkdir -p $CERTIFICATE_PATH $TRUSTSTORE_PATH
-RUN chown feasibility:feasibility $CERTIFICATE_PATH $TRUSTSTORE_PATH
+RUN mkdir logging && \
+    mkdir -p $CERTIFICATE_PATH $TRUSTSTORE_PATH && \
+    chown -R 10001:10001 /opt/codex-feasibility-backend && \
+    chown 10001:10001 $CERTIFICATE_PATH $TRUSTSTORE_PATH
+USER 10001
 
 HEALTHCHECK --interval=5s --start-period=10s CMD curl -s -f http://localhost:8090/actuator/health || exit 1
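Review bot: The `apt-get upgrade -yqq` kept on the new `RUN` line in the first Dockerfile hunk undoes the reproducibility the digest-pinned `FROM` directly above it was added for: the installed package set still drifts with every build while the base looks frozen, and hadolint DL3005 flags the pattern; the usual fix is to drop the upgrade and move the digest forward when a base-image fix is needed. The pinned digest also deserves a comment recording what it resolves to, so the next bump is reviewable, e.g. `# eclipse-temurin:17-jre, digest resolved on <date-of-pin>; bump deliberately to pick up base-image fixes`. Separately, with the `addgroup`/`adduser` lines removed in this hunk, the uid 10001 that the later `USER 10001` switches to has no passwd entry, so anything that resolves the running user's home directory (the JVM's `user.home`, for one) gets a placeholder rather than a path; if that matters for this application, either set `ENV HOME=/opt/codex-feasibility-backend` or keep an account with `useradd --system --uid 10001 --no-create-home feasibility` while still switching with the numeric `USER 10001`.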