Merge branch 'devops/non-root-container-qol' into 'dev'

QoL Improvements to non-root container

See merge request crafty-controller/crafty-commander!195
Iain Powrie 2022-03-07 02:53:06 +00:00
commit 8292033b8f
3 changed files with 31 additions and 16 deletions


@ -8,13 +8,14 @@ LABEL maintainer="Dockerfile created by Zedifus <https://gitlab.com/zedifus>"
ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
# Create non-root user & required dirs # Create non-root user & required dirs
RUN useradd -M crafty \ RUN useradd -g root -M crafty \
&& mkdir /commander \ && mkdir /commander \
&& chown -R crafty:root /commander && chown -R crafty:root /commander
# Install required system packages # Install required system packages
RUN apt-get update \ RUN apt-get update \
&& apt-get -y --no-install-recommends install \ && apt-get -y --no-install-recommends install \
sudo \
gcc \ gcc \
python3 \ python3 \
python3-dev \ python3-dev \
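Review bot: adding `sudo` to the package list (line `sudo \`) only so the entrypoint can step down from root to `crafty` bakes a setuid binary and its sudoers policy into the image permanently; a purpose-built privilege-drop tool (`gosu`, `su-exec`, or `setpriv` from util-linux, which Debian-based images already ship) gives the same `exec`-style user switch without a setuid binary or policy files. If `sudo` stays, the `# Install required system packages` comment should say it exists solely for the wrapper's user switch, so it is not mistaken for a general-purpose tool later.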
@ -38,6 +39,7 @@ RUN python3 -m venv ./.venv \
&& pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \ && pip3 install --no-cache-dir --upgrade setuptools==50.3.2 pip==22.0.3 \
&& pip3 install --no-cache-dir -r requirements.txt \ && pip3 install --no-cache-dir -r requirements.txt \
&& deactivate && deactivate
USER root
# Copy Source w/ perms & prepare default config from example # Copy Source w/ perms & prepare default config from example
COPY --chown=crafty:root ./ ./ COPY --chown=crafty:root ./ ./
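Review bot: the new `USER root` line flips the image's default back to a root process with no comment explaining why. Add one line above it stating that the wrapper drops to `crafty` at startup and that the root start exists only to repair bind-mount permissions; otherwise a future cleanup is likely to remove it as an obvious hardening regression, and it also makes clear that `docker run --user <uid>` is now the way to avoid a root start entirely.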


@ -25,7 +25,7 @@ With `Crafty Controller 4.0` we have focused on building our DevOps Principles,
### - Two big changes you will notice is: ### - Two big changes you will notice is:
- We now provide pre-built images for you guys. - We now provide pre-built images for you guys.
- Containers now run as non-root, using practices used by OpenSwift & Kubernetes (root group perms). - Containers now run as non-root, using practices used by OpenShift & Kubernetes (root group perms).
> __**⚠ 🔻WARNING: [WSL/WSL2 | WINDOWS 11 | DOCKER DESKTOP]🔻**__ <br> > __**⚠ 🔻WARNING: [WSL/WSL2 | WINDOWS 11 | DOCKER DESKTOP]🔻**__ <br>
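Review bot: `Containers now run as non-root` is only partly true once the Dockerfile sets `USER root`: the container starts as root and drops to `crafty` inside the wrapper, unless it is launched with a non-root UID. Suggest wording along the lines of "Containers drop to a non-root user at startup (or run entirely as your chosen UID when started with `--user`)", so readers auditing the image are not surprised by a root PID 1 during the first seconds.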
@ -39,11 +39,8 @@ With `Crafty Controller 4.0` we have focused on building our DevOps Principles,
All you need to do is pull the image from this git repository's registry. All you need to do is pull the image from this git repository's registry.
This is done by using `'docker-compose'` or `'docker run'` (You don't need to clone the Repository and build, like in 3.x ). This is done by using `'docker-compose'` or `'docker run'` (You don't need to clone the Repository and build, like in 3.x ).
If you have a config folder already from previous local installation or _docker setup_*, the image should mount this volume, if no config present then it will populate its own config folder for you. <br> <br> If you have a config folder already from previous local installation or _docker setup_*, the image should mount this volume and fix the permission as required, if no config present then it will populate its own config folder for you. <br> <br>
As the Dockerfile uses the permission structure of `crafty:root` **internally** there is no need to worry about matching the `UID` or `GID` on the host system :) As the Dockerfile uses the permission structure of `crafty:root` **internally** there is no need to worry about matching the `UID` or `GID` on the host system :)
> ***Make sure the ownership permissions on `servers/ backups/ logs/ configs/ imports/` in the `docker/` are not `root:root`, please just chown the dir recursively to your host user.**
> **Please make sure if you are using a `compose` file, that the above volume mount directories are present, otherwise, docker will just make them and they'll be `root:root` which is not what we want.💀**
<br> <br>
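Review bot: "fix the permission as required" should say when that happens, because the repair only runs if the container starts as root; anyone launching with `--user`, or on OpenShift-style arbitrary UIDs, still needs the host directories to be group-root writable, which is exactly the guidance the two removed `>` notes carried. Keep a one-sentence version of that caveat for the non-root start case rather than dropping it entirely. Minor: "from previous local installation" reads better as "from a previous local installation".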
@ -81,9 +78,6 @@ $ cat ~/my_password.txt | docker login registry.gitlab.com -u <username> --passw
Then use one of the following methods: Then use one of the following methods:
### **docker-compose.yml:** ### **docker-compose.yml:**
```sh ```sh
# We need to make them because of permissions remember!
$ mkdir docker/ docker/backups docker/logs docker/servers docker/config docker/import
# Make your compose file # Make your compose file
$ vim docker-compose.yml $ vim docker-compose.yml
``` ```
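Review bot: removing the `mkdir` step is safe only because the wrapper now repairs ownership at start; Docker still creates any missing bind-mount source directories on the host as `root:root`, as the deleted note pointed out. A one-line hint that these directories will appear root-owned on the host after the first run (and are made group-writable from inside the container) would save the support questions the removed `# We need to make them because of permissions remember!` comment was there to prevent.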
@ -116,9 +110,6 @@ $ docker-compose up -d && docker-compose logs -f
### **docker run:** ### **docker run:**
```sh ```sh
# We need to make them because of permissions remember!
$ mkdir docker/ docker/backups docker/logs docker/servers docker/config docker/import
$ docker run \ $ docker run \
--name crafty_commander \ --name crafty_commander \
-p 8000:8000 \ -p 8000:8000 \


@ -2,10 +2,32 @@
# Check if config exists from existing installation (venv or previous docker launch) # Check if config exists from existing installation (venv or previous docker launch)
if [ ! "$(ls -A --ignore=.gitkeep ./app/config)" ]; then if [ ! "$(ls -A --ignore=.gitkeep ./app/config)" ]; then
mkdir ./app/config/ echo "Wrapper | Config not found, pulling defaults..."
mkdir ./app/config/ 2> /dev/null
cp -r ./app/config_original/* ./app/config/ cp -r ./app/config_original/* ./app/config/
fi fi
# Activate our prepared venv and launch crafty with provided args
. .venv/bin/activate if [ $(id -u) -eq 0 ]; then
# We're running as root;
# Need to ensure all dirs are owned by the root group,
# This fixes bind mounts that may have incorrect perms.
# Look for files & dirs that require group permissions to be fixed
echo "Wrapper | Looking for problem bind mount permissions"
find . ! -group root -exec chgrp root {} \;
find . ! -perm g+rw -exec chmod g+rw {} \;
find . -type d ! -perm g+s -exec chmod g+s {} \;
# Switch user, activate our prepared venv and lauch crafty
args="$@"
echo "Wrapper | Launching crafty with [$args]"
exec sudo -u crafty bash -c "source ./.venv/bin/activate && exec python3 main.py $args"
else
# Activate our prepared venv
echo "Wrapper | Non-root host detected, using normal exec"
. ./.venv/bin/activate
# Use exec as our perms are already correct
# This is likely if using Kubernetes/OpenShift etc
exec python3 main.py $@ exec python3 main.py $@
fi
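Review bot: the two permission filters in `find . ! -perm g+rw -exec chmod g+rw {} \;` and `find . -type d ! -perm g+s -exec chmod g+s {} \;` do not test what they intend. In GNU find, `-perm mode` without a `-` or `/` prefix is an exact match of the permission bits, so `! -perm g+rw` is true for every file whose mode is not exactly `0060`, i.e. practically all of them, and `chmod` is forked once per file across the whole tree on every start; `-perm -g+rw` and `-perm -g+s` ("all of these bits set") are the intended tests, and `-exec ... {} +` batches the calls, which matters because `find .` walks `servers/` and `backups/` each launch. Two further points in the same hunk: `args="$@"` followed by `bash -c "... $args"` re-parses the arguments through a second shell, so any argument containing spaces or shell metacharacters is split or interpreted; `exec sudo -u crafty -- ./.venv/bin/python3 main.py "$@"` passes them through intact (the venv's own interpreter needs no `activate`), and `exec python3 main.py $@` in the else branch should likewise become `"$@"`. Finally, `sudo` resets the environment by default (`env_reset` in Debian's sudoers), so `ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true` from the Dockerfile and anything passed with `docker run -e` will not reach the Python process or the Java servers it spawns unless `sudo -E`/`--preserve-env` is used, which is one more reason to prefer a plain privilege-drop tool over `sudo` here.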