Merge pull request #178 from bugsink/non-root-docker

non-root Docker

Dockerfile

@@ -47,6 +47,13 @@ COPY bugsink/conf_templates/docker.py.template bugsink_conf.py
 RUN apt update && apt install -y git
 RUN pip install -e .
 
+RUN groupadd --gid 14237 bugsink \
+ && useradd --uid 14237 --gid bugsink \
+ && mkdir -p /data \
+ && chown -R bugsink:bugsink /data
+
+USER bugsink
+
 RUN ["bugsink-manage", "migrate", "snappea", "--database=snappea"]
 
 HEALTHCHECK CMD python -c 'import requests; requests.get("http://localhost:8000/health/ready").raise_for_status()'

Dockerfile.fromwheel

@@ -72,6 +72,13 @@ RUN --mount=type=cache,target=/var/cache/buildkit/pip \
 RUN cp /usr/local/lib/python3.12/site-packages/bugsink/conf_templates/docker.py.template /app/bugsink_conf.py && \
     cp /usr/local/lib/python3.12/site-packages/bugsink/gunicorn.docker.conf.py /app/gunicorn.docker.conf.py
 
+RUN groupadd --gid 14237 bugsink \
+ && useradd --uid 14237 --gid bugsink \
+ && mkdir -p /data \
+ && chown -R bugsink:bugsink /data
+
+USER bugsink
+
 RUN ["bugsink-manage", "migrate", "snappea", "--database=snappea"]
 
 HEALTHCHECK CMD python -c 'import requests; requests.get("http://localhost:8000/health/ready").raise_for_status()'

bugsink/conf_templates/docker.py.template

@@ -67,6 +67,9 @@ SNAPPEA = {
 
 }
 
+# Not actually a "database", this is a (tmp to the container) message queue.
+DATABASES["snappea"]["NAME"] = '/tmp/snappea.sqlite3'
+
 
 if os.getenv("DATABASE_URL"):
     DATABASE_URL = os.getenv("DATABASE_URL")
@@ -100,10 +103,6 @@ else:
     # which allows for throwaway setups (no volume mounted) to work out of the box.
     DATABASES['default']['NAME'] = os.getenv("DATABASE_PATH", '/data/db.sqlite3')
     database_path = os.path.dirname(DATABASES['default']['NAME'])
-    if not os.path.exists(database_path):
-        print(f"WARNING: {database_path} dir does not exist; creating it.")
-        print("WARNING: data will be lost when the container is removed.")
-        os.makedirs(database_path)
 
 
 if os.getenv("EMAIL_HOST"):