Commit 68cce9a

Run backend services from restricted web user (#811)
1 parent c3cdd3a commit 68cce9a

1 file changed

+37
-11
lines changed


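--- a/{{ cookiecutter.name }}/Dockerfile
+++ b/{{ cookiecutter.name }}/Dockerfile
@@ -38,21 +38,27 @@ LABEL maintainer="{{ cookiecutter.email }}"
 ENV DEBIAN_FRONTEND=noninteractive
 ENV PYTHONUNBUFFERED=1
 ENV STATIC_ROOT=/var/lib/django-static
+# Define user ids to ensure consistent permissions, e.g., for mounted volumes
+ENV UID=999 GID=999
 
 RUN apt-get update \
 && apt-get --no-install-recommends install -y gettext locales-all tzdata git wait-for-it wget \
 && rm -rf /var/lib/apt/lists/*
 
+RUN groupadd --system --gid=${GID} "web" \
+&& useradd --system --uid=${UID} --gid=${GID} --create-home --home-dir "/code" "web"
+
 COPY --from=uwsgi-compile /uwsgi /usr/local/bin/
-COPY --from=deps-compile /code/.venv /code/.venv
-COPY src /code/src
+COPY --from=deps-compile --chown=web:web /code/.venv /code/.venv
+COPY --chown=web:web src /code/src
 ENV PATH="/code/.venv/bin:$PATH"
 
 WORKDIR /code/src
 
-RUN chmod +x ./manage.py
-RUN ./manage.py compilemessages
-RUN ./manage.py collectstatic --noinput
+RUN python manage.py compilemessages
+RUN python manage.py collectstatic --noinput
+
+USER web
 
 # Also to mark that when CMD is used in shell form, it is a conscious decision
 SHELL ["/bin/bash", "-c"]
@@ -62,26 +68,46 @@ FROM base AS web
 HEALTHCHECK --interval=15s --timeout=15s --start-period=15s --retries=3 \
 CMD wget --quiet --tries=1 --spider http://localhost:8000/api/v1/healthchecks/
 
-CMD ./manage.py migrate && uwsgi --master --http :8000 --venv /code/.venv/ --wsgi app.wsgi --workers 2 --threads 2 --harakiri 25 --max-requests 1000 --log-x-forwarded-for
-
+CMD python manage.py migrate \
+&& uwsgi \
+--master \
+--http=:8000 \
+--venv=/code/.venv/ \
+--wsgi=app.wsgi \
+--workers=2 \
+--threads=2 \
+--harakiri=25 \
+--max-requests=1000 \
+--log-x-forwarded-for
 
 FROM base AS worker
 
 ENV _CELERY_APP=app.celery
 HEALTHCHECK --interval=15s --timeout=15s --start-period=5s --retries=3 \
 CMD celery --app=${_CELERY_APP} inspect ping --destination=celery@$HOSTNAME
 
-CMD celery --app=${_CELERY_APP} worker --concurrency=${CONCURENCY:-2} --hostname="celery@%h" --max-tasks-per-child=${MAX_REQUESTS_PER_CHILD:-50} --time-limit=${TIME_LIMIT:-900} --soft-time-limit=${SOFT_TIME_LIMIT:-45}
+CMD celery \
+--app=${_CELERY_APP} \
+worker \
+--concurrency=${CONCURENCY:-2} \
+--hostname="celery@%h" \
+--max-tasks-per-child=${MAX_REQUESTS_PER_CHILD:-50} \
+--time-limit=${TIME_LIMIT:-900} \
+--soft-time-limit=${SOFT_TIME_LIMIT:-45}
 
 
 FROM base AS scheduler
 
 ENV _SCHEDULER_DB_PATH=/var/db/scheduler
 USER root
-RUN mkdir -p ${_SCHEDULER_DB_PATH} && chown nobody ${_SCHEDULER_DB_PATH}
+RUN mkdir --parent ${_SCHEDULER_DB_PATH} && chown web:web ${_SCHEDULER_DB_PATH}
+USER web
 VOLUME ${_SCHEDULER_DB_PATH}
-USER nobody
 
 ENV _CELERY_APP=app.celery
 HEALTHCHECK NONE
-CMD celery --app=${_CELERY_APP} beat --pidfile=/tmp/celerybeat.pid --schedule=${_SCHEDULER_DB_PATH}/celerybeat-schedule.db
+CMD celery \
+--app=${_CELERY_APP} \
+beat \
+--pidfile=/tmp/celerybeat.pid \
+--schedule=${_SCHEDULER_DB_PATH}/celerybeat-schedule.db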
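Review bot: With `COPY --from=deps-compile --chown=web:web /code/.venv /code/.venv` and `COPY --chown=web:web src /code/src` in the first hunk, the runtime user now owns both the application source and the virtualenv it executes, so a compromised web, worker or scheduler process can rewrite its own code and dependencies for the lifetime of the container. Nothing visible here needs write access to those trees at runtime — `compilemessages` and `collectstatic` both run before `USER web`, still as root — so the two `--chown=web:web` flags can be dropped and the trees left root-owned and world-readable, which is the least-privilege shape the commit title is aiming for. Note that `useradd ... --create-home --home-dir "/code"` makes `/code` itself web-owned, which would still let the user replace `/code/src` wholesale; pointing the home elsewhere (e.g. `--home-dir "/home/web"`) closes that. Separately, `ENV UID=999 GID=999` bakes values into the runtime environment that are only consumed by the `groupadd`/`useradd` step, and `UID` collides with the variable of the same name that bash (the shell selected by `SHELL` below) treats as read-only; if the ids are not actually read at runtime, `ARG UID=999` / `ARG GID=999` is the conventional form, though the comment suggests they are also meant for volume permissions, so confirm that before changing it.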
