From 232e35415c724a78a39b16087001996939b6d841 Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Tue, 29 Jun 2021 22:24:03 +0000 Subject: [PATCH 01/13] Update .gitignore, Dockerfile, script/application-template.yaml, script/build-config-test.yaml, script/cluster-catrust.yaml, script/deployment-config.yaml, script/pvc.yaml, script/image-stream-test.yaml, hardening_manifest.yaml, README.md files --- .gitignore | 2 + Dockerfile | 77 +++++++++++++++ README.md | 5 +- hardening_manifest.yaml | 48 ++++++++++ script/application-template.yaml | 155 +++++++++++++++++++++++++++++++ script/build-config-test.yaml | 34 +++++++ script/cluster-catrust.yaml | 6 ++ script/deployment-config.yaml | 89 ++++++++++++++++++ script/image-stream-test.yaml | 6 ++ script/pvc.yaml | 18 ++++ 10 files changed, 437 insertions(+), 3 deletions(-) create mode 100644 .gitignore create mode 100644 Dockerfile create mode 100644 hardening_manifest.yaml create mode 100644 script/application-template.yaml create mode 100644 script/build-config-test.yaml create mode 100644 script/cluster-catrust.yaml create mode 100644 script/deployment-config.yaml create mode 100644 script/image-stream-test.yaml create mode 100644 script/pvc.yaml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d71f403 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.nfs* +root/user/bin/.nfs* diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..854cd81 --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,77 @@ +FROM registry.access.redhat.com/ubi8:8.2 + +# Set necessary environment variables for python and python development environment +ARG APP_ROOT=/opt/app-root +ENV PYTHON_VERSION=3.8 \ + APP_ROOT=$APP_ROOT \ + USER_NAME=hero \ + HOME=${APP_ROOT} \ + PATH=$HOME/.local/bin/:$APP_ROOT/.local/bin:/opt/app-root/src/bin:/opt/app-root/bin:$PATH: \ + EDITOR=/usr/bin/vim \ + PS1="AAP \W\$ " \ + PYTHONUNBUFFERED=1 \ + PYTHONIOENCODING=UTF-8 \ + PIP_NO_CACHE_DIR=off \ + LANG="en_US.UTF-8" + +# - Enable the virtual python environment and default interactive and non-interactive +# shell environment upon container startup +ENV PROMPT_COMMAND="" + +# ^^^ BASH_ENV and ENV provide the name of a startup file to read before bash is used to execute a script +# ^^^ Bash provides an environment variable called PROMPT_COMMAND. The contents of this variable are executed as a regular Bash command just before Bash displays a prompt. +# https://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x264.html +# https://www.gnu.org/software/bash/manual/html_node/Bash-Variables.html + +ENV SUMMARY="Platform for building and running Python $PYTHON_VERSION applications" \ +DESCRIPTION="Python $PYTHON_VERSION available as container is a base platform for \ +building and running various Python $PYTHON_VERSION applications and frameworks. " + +LABEL summary="$SUMMARY" \ + description="$DESCRIPTION" \ + io.k8s.description="$DESCRIPTION" \ + io.k8s.display-name="Python 3.8" \ + io.openshift.tags="builder,python,python38,python-38,rh-python38" \ + com.redhat.component="ubi8-container" \ + name="ubi8/python-38" \ + version="1" \ + com.redhat.license_terms="https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI" \ + maintainer="NAVAIR Advanced Analytics Platform (AAP) Product Team" + +# Copy extra files to the image. 
+COPY ./root / +RUN chmod a+x /usr/bin/container-entrypoint && \ + chmod a+x /usr/bin/fix-permissions && \ + chmod a+x /usr/bin/rpm-file-permissions && \ + chmod a+x /usr/bin/generate-container-user && \ + chmod a+x /usr/bin/py-enable + +# Install packages +RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python38 python38-devel python38-setuptools python38-pip " && \ + yum -y update-minimal --setopt=tsflags=nodocs --security && \ + yum -y --setopt=tsflags=nodocs install $INSTALL_PKGS && \ + yum -y remove vim-minimal && \ + rpm -V $INSTALL_PKGS && \ + yum -y clean all --enablerepo="*" + +# - Create a Python virtual environment for use by any application to avoid +# potential conflicts with Python packages preinstalled in the main Python +# installation. +# - In order to drop the root user, we have to make some directories world +# writable as multi-tenant Kubernetes clusters' default security model +# should run the container under a random UID. +# - For any python applications use this default user +RUN python$PYTHON_VERSION -m venv ${APP_ROOT} && /usr/bin/py-enable + + +# Set up container user and adjust permissions to run in OpenShift environment +WORKDIR ${HOME} +RUN useradd -u 1001 -r -g 0 -d ${HOME} -s /sbin/nologin \ + -c "Default Application User" default && \ + fix-permissions ${APP_ROOT} -P && \ + fix-permissions ${HOME} -P && \ + rpm-file-permissions + +ENTRYPOINT ["/usr/bin/container-entrypoint"] + +HEALTHCHECK CMD python --version diff --git a/README.md b/README.md index 5dc6fa6..14dc575 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,2 @@ -# - -Project template for all Iron Bank container repositories. \ No newline at end of file +# AAP Python base image +_Use as a base image for custom python apps._ diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..4552e85 --- /dev/null +++ b/hardening_manifest.yaml 
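Review bot: The `PATH` value in the ENV block ends with a trailing `:` (`…:$PATH: \`), which POSIX shells read as an empty entry meaning the current working directory, so a command name that matches nothing in the listed directories is resolved from wherever the process happens to be running — and the working directory here is `${HOME}` = `/opt/app-root`, which the comment above the venv step says is deliberately made writable for an arbitrary runtime UID; drop the colon: `PATH=$HOME/.local/bin/:$APP_ROOT/.local/bin:/opt/app-root/src/bin:/opt/app-root/bin:$PATH \`. The stage creates user 1001 with `useradd` but never switches to it, so anywhere the runtime does not inject a random UID (plain docker/podman runs) the container starts as root; add `USER 1001` after the `rpm-file-permissions` line and before `ENTRYPOINT`. `PIP_NO_CACHE_DIR=off` has been interpreted differently across pip releases (older versions treated any value, including `off`, as enabling `--no-cache-dir`), so `PIP_NO_CACHE_DIR=1` states the intent unambiguously if the goal is to skip the cache. `HEALTHCHECK CMD python --version` is shell form and only proves the interpreter starts; a base image with no long-running service can omit it and let derived images define a real probe.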
@@ -0,0 +1,48 @@ +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "diat/aap-python" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dso.mil +tags: +- "14.0" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_REGISTRY: "registry1.dsop.io" + BASE_IMAGE: "redhat/ubi/ubi8" + BASE_TAG: "8.3" + +# Docker image labels +labels: + # Name of the image + org.opencontainers.image.title: "aap-python" + # Human-readable description of the software packaged in the image + org.opencontainers.image.description: "Use as a base image for custom python apps" + # License(s) under which contained software is distributed + org.opencontainers.image.licenses: "AAP License" + # URL to find more information on the image + org.opencontainers.image.url: "https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform" + # Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "aap-python" + # Authoritative version of the software + org.opencontainers.image.version: "14.0" + # Keywords to help with search (ex. "cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "aap,python,aappython,aap-python,pythonent,atlas,diat" + # This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "commercial" + # Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "diat/aap-python" + +# List of resources to make available to the offline build context +resources: {} + +# List of project maintainers +maintainers: +- email: "wingkwan.lau1@navy.mil" + name: "WingKwan Lau" + username: "wlau" + diff --git a/script/application-template.yaml b/script/application-template.yaml new file mode 100644 index 0000000..017ddfc --- /dev/null +++ b/script/application-template.yaml 
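Review bot: `org.opencontainers.image.vendor: "aap-python"` contradicts the comment directly above it ("Name of the distributing entity, organization or individual") — that is the image name, not the publisher; the Dockerfile's own LABEL already carries a publisher string, so `org.opencontainers.image.vendor: "NAVAIR Advanced Analytics Platform (AAP) Product Team"` would keep the two consistent. `org.opencontainers.image.licenses: "AAP License"` is not an SPDX expression, which is what that OCI annotation is defined to hold; if the software is proprietary, say so explicitly and point to the license text shipped in the repository. `resources: {}` presumably works only because every package comes from yum during the build; a one-line comment stating that would save the next reader a question.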
@@ -0,0 +1,155 @@ +apiVersion: template.openshift.io/v1 +kind: Template +labels: + template: aap-cli +message: |- + The following services have been created in your project: ${APPLICATION_NAME} + + For more information about using this template, see https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform +metadata: + annotations: + description: Command line interface for the Advanced Analytics Platform. For more information, + see https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform + iconClass: icon-python + openshift.io/display-name: AAP CLI + openshift.io/documentation-url: https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform + openshift.io/long-description: This template defines resources needed to spin + up AAP CLI on OpenShift. + openshift.io/provider-display-name: AAP on Atlas + openshift.io/support-url: https://chat.navair1.navy.mil/channel/aap_support + tags: python,quickstart,advanced-analytics,data-science,cli + template.openshift.io/bindable: "false" + name: aap-cli +objects: +- apiVersion: v1 + kind: ConfigMap + metadata: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' + app: ${APPLICATION_NAME} + name: ${APPLICATION_NAME}-ca-trust +- apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: ${APPLICATION_NAME}-data + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: managed-nfs-storage + volumeMode: Filesystem +- apiVersion: apps.openshift.io/v1 + kind: DeploymentConfig + metadata: + labels: + app: ${APPLICATION_NAME} + name: ${APPLICATION_NAME} + spec: + replicas: 1 + revisionHistoryLimit: 5 + selector: + app: ${APPLICATION_NAME} + strategy: + activeDeadlineSeconds: 21600 + recreateParams: + timeoutSeconds: 600 + resources: {} + type: Recreate + template: + metadata: + annotations: + alpha.image.policy.openshift.io/resolve-names: '*' + labels: + app: ${APPLICATION_NAME} + spec: + volumes: + - name: 
${APPLICATION_NAME}-ca-trust + configMap: + name: ${APPLICATION_NAME}-ca-trust + items: + - key: ca-bundle.crt + path: tls-ca-bundle.pem + defaultMode: 420 + - name: ${APPLICATION_NAME}-data + persistentVolumeClaim: + claimName: ${APPLICATION_NAME}-data + containers: + - resources: + limits: + cpu: 200m + memory: 400Mi + requests: + cpu: 100m + memory: 200Mi + terminationMessagePath: /dev/termination-log + name: aap-cli-test + command: + - tail + - '-f' + - /dev/null + ports: + - containerPort: 5000 + protocol: TCP + imagePullPolicy: IfNotPresent + volumeMounts: + - name: ${APPLICATION_NAME}-ca-trust + readOnly: true + mountPath: /etc/pki/ca-trust/extracted/pem + - name: ${APPLICATION_NAME}-data + mountPath: /opt/app-root + terminationMessagePolicy: File + envFrom: + - configMapRef: + name: env-app-config + image: >- + nexus00.unity.services.nres.navy.mil:5000/repository/containers/openshift/aap-cli:0.5 + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + terminationGracePeriodSeconds: 30 + test: false + triggers: + - type: ConfigChange +- apiVersion: v1 + kind: Service + metadata: + labels: + app: ${APPLICATION_NAME} + name: ${APPLICATION_NAME}-svc + spec: + ports: + - name: 5000-tcp + port: 5000 + protocol: TCP + targetPort: 5000 + selector: + app: ${APPLICATION_NAME} + sessionAffinity: None + type: ClusterIP +- apiVersion: route.openshift.io/v1 + kind: Route + metadata: + annotations: + openshift.io/host.generated: "true" + labels: + app: ${APPLICATION_NAME} + name: ${APPLICATION_NAME} + spec: + port: + targetPort: 5000-tcp + subdomain: "" + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + to: + kind: Service + name: ${APPLICATION_NAME}-svc + weight: 100 + wildcardPolicy: None +parameters: +- name: APPLICATION_NAME + required: true + value: aap-cli diff --git a/script/build-config-test.yaml b/script/build-config-test.yaml new file mode 100644 index 0000000..e15c7a0 --- /dev/null 
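Review bot: The DeploymentConfig mounts the `${APPLICATION_NAME}-data` claim at `/opt/app-root`, which is the `APP_ROOT` this series' Dockerfile uses for `HOME` and for the venv created by `python$PYTHON_VERSION -m venv ${APP_ROOT}`; if `aap-cli:0.5` is built from that base, an empty PVC mounted there hides the interpreter and everything under it on first start (the aap-cli image is not visible here, so confirm). Mount the claim at a sub-directory such as `/opt/app-root/src` or a separate data path, and add a comment naming what the volume is expected to hold. The container also runs `tail -f /dev/null`, so the Service and the edge-terminated Route on port 5000 point at a port nothing listens on, and the container name `aap-cli-test` ignores `${APPLICATION_NAME}`. The same `/opt/app-root` mount and placeholder command appear in `script/deployment-config.yaml`.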
+++ b/script/build-config-test.yaml @@ -0,0 +1,34 @@ +kind: BuildConfig +apiVersion: build.openshift.io/v1 +metadata: + name: aap-python-test + labels: + application: aap-python +spec: + nodeSelector: null + output: + to: + kind: ImageStreamTag + name: 'aap-python-test:0.1' + resources: + limits: + cpu: 200m + memory: 400Mi + requests: + cpu: 100m + memory: 200Mi + successfulBuildsHistoryLimit: 5 + failedBuildsHistoryLimit: 5 + strategy: + type: Docker + dockerStrategy: + dockerfilePath: Dockerfile + postCommit: {} + source: + type: Git + git: + uri: 'https://spork.navair1.navy.mil/unity/aap-python.git' + ref: master + triggers: + - type: ConfigChange + runPolicy: Serial \ No newline at end of file diff --git a/script/cluster-catrust.yaml b/script/cluster-catrust.yaml new file mode 100644 index 0000000..4c34fe3 --- /dev/null +++ b/script/cluster-catrust.yaml @@ -0,0 +1,6 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: cluster-catrust + labels: + config.openshift.io/inject-trusted-cabundle: 'true' \ No newline at end of file diff --git a/script/deployment-config.yaml b/script/deployment-config.yaml new file mode 100644 index 0000000..2f9a9e3 --- /dev/null +++ b/script/deployment-config.yaml 
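Review bot: `source.git.ref: master` combined with the `ConfigChange` trigger builds whatever the branch head holds at trigger time, while `output.to.name` is the fixed tag `aap-python-test:0.1`, so that tag is silently overwritten with different content on every run; pin `ref` to a tag or commit, or derive the output tag from the ref. No `pullSecret` or `sourceSecret` is referenced, so the build relies on secrets already linked to the builder service account; a comment such as `# assumes the builder service account has the git credential for spork.navair1.navy.mil linked` would make that dependency visible to whoever applies this in a fresh namespace.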
@@ -0,0 +1,89 @@ +kind: DeploymentConfig +apiVersion: apps.openshift.io/v1 +metadata: + name: aap-cli-test + labels: + app: aap-cli + app.kubernetes.io/component: aap-cli-test + app.kubernetes.io/instance: aap-cli-test + app.kubernetes.io/part-of: aap-cli +spec: + strategy: + type: Rolling + rollingParams: + updatePeriodSeconds: 1 + intervalSeconds: 1 + timeoutSeconds: 600 + maxUnavailable: 25% + maxSurge: 25% + resources: {} + activeDeadlineSeconds: 21600 + triggers: + - type: ImageChange + imageChangeParams: + automatic: true + containerNames: + - aap-cli-test + from: + kind: ImageStreamTag + name: 'aap-cli-test:0.2' + - type: ConfigChange + replicas: 1 + revisionHistoryLimit: 5 + test: false + selector: + app: aap-cli + deploymentconfig: aap-cli-test + template: + metadata: + creationTimestamp: null + labels: + app: aap-cli + deploymentconfig: aap-cli-test + spec: + volumes: + - name: cluster-catrust + configMap: + name: cluster-catrust + items: + - key: ca-bundle.crt + path: tls-ca-bundle.pem + defaultMode: 420 + - name: aap-cli-home + persistentVolumeClaim: + claimName: aap-cli-home + containers: + - resources: + limits: + cpu: 200m + memory: 400Mi + requests: + cpu: 100m + memory: 200Mi + terminationMessagePath: /dev/termination-log + name: aap-cli-test + command: + - tail + - '-f' + - /dev/null + ports: + - containerPort: 8080 + protocol: TCP + imagePullPolicy: IfNotPresent + volumeMounts: + - name: cluster-catrust + readOnly: true + mountPath: /etc/pki/ca-trust/extracted/pem + - name: aap-cli-home + mountPath: /opt/app-root + terminationMessagePolicy: File + envFrom: + - configMapRef: + name: env-app-config + image: >- + image-registry.openshift-image-registry.svc:5000/aap-builds/aap-cli-test:0.2 + restartPolicy: Always + terminationGracePeriodSeconds: 30 + dnsPolicy: ClusterFirst + securityContext: {} + schedulerName: default-scheduler diff --git a/script/image-stream-test.yaml b/script/image-stream-test.yaml new file mode 100644 index 0000000..532473b 
--- /dev/null +++ b/script/image-stream-test.yaml @@ -0,0 +1,6 @@ +kind: ImageStream +apiVersion: image.openshift.io/v1 +metadata: + name: aap-python-test + labels: + application: aap-python diff --git a/script/pvc.yaml b/script/pvc.yaml new file mode 100644 index 0000000..390c6ce --- /dev/null +++ b/script/pvc.yaml @@ -0,0 +1,18 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: aap-cli-home + annotations: + pv.kubernetes.io/bind-completed: 'yes' + pv.kubernetes.io/bound-by-controller: 'yes' + volume.beta.kubernetes.io/storage-provisioner: fuseim.pri/ifs + finalizers: + - kubernetes.io/pvc-protection +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: managed-nfs-storage + volumeMode: Filesystem -- GitLab From b8621ee5fe9d36bc19d9c63266daa48bd3c4c236 Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Tue, 29 Jun 2021 22:34:46 +0000 Subject: [PATCH 02/13] Update LICENSE --- LICENSE | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..61afe9c --- /dev/null +++ b/LICENSE 
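Review bot: The claim carries controller-managed metadata copied from a live object — the `pv.kubernetes.io/bind-completed`, `pv.kubernetes.io/bound-by-controller` and `volume.beta.kubernetes.io/storage-provisioner` annotations plus the `kubernetes.io/pvc-protection` finalizer — but no `spec.volumeName`; as far as I recall, the PV controller treats a claim marked bind-completed without a volume as one whose volume was lost, so this manifest may never bind when applied fresh. Strip the annotations and finalizer so `metadata` is just `name: aap-cli-home` and let the provisioner populate them. This claim is also `ReadWriteOnce` while the template in `script/application-template.yaml` requests `ReadWriteMany` for the same role; a comment on which mode the `managed-nfs-storage` class is expected to provide would settle that.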
@@ -0,0 +1,46 @@ + + + Python: + + PSF LICENSE AGREEMENT FOR PYTHON 3.6.12 +1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and + the Individual or Organization ("Licensee") accessing and otherwise using Python + 3.6.12 software in source or binary form and its associated documentation. + +2. Subject to the terms and conditions of this License Agreement, PSF hereby + grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, + analyze, test, perform and/or display publicly, prepare derivative works, + distribute, and otherwise use Python 3.6.12 alone or in any derivative + version, provided, however, that PSF's License Agreement and PSF's notice of + copyright, i.e., "Copyright © 2001-2020 Python Software Foundation; All Rights + Reserved" are retained in Python 3.6.12 alone or in any derivative version + prepared by Licensee. + +3. In the event Licensee prepares a derivative work that is based on or + incorporates Python 3.6.12 or any part thereof, and wants to make the + derivative work available to others as provided herein, then Licensee hereby + agrees to include in any such work a brief summary of the changes made to Python + 3.6.12. + +4. PSF is making Python 3.6.12 available to Licensee on an "AS IS" basis. + PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF + EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR + WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE + USE OF PYTHON 3.6.12 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. + +5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 3.6.12 + FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF + MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 3.6.12, OR ANY DERIVATIVE + THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + +6. This License Agreement will automatically terminate upon a material breach of + its terms and conditions. + +7. 
Nothing in this License Agreement shall be deemed to create any relationship + of agency, partnership, or joint venture between PSF and Licensee. This License + Agreement does not grant permission to use PSF trademarks or trade name in a + trademark sense to endorse or promote products or services of Licensee, or any + third party. + +8. By copying, installing or otherwise using Python 3.6.12, Licensee agrees + to be bound by the terms and conditions of this License Agreement. -- GitLab From 34edf103dd09676037af751df48e4ff648b84b40 Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Tue, 29 Jun 2021 22:58:28 +0000 Subject: [PATCH 03/13] Update Dockerfile, hardening_manifest.yaml files --- Dockerfile | 14 -------------- hardening_manifest.yaml | 3 ++- 2 files changed, 2 insertions(+), 15 deletions(-) diff --git a/Dockerfile b/Dockerfile index 854cd81..cccba73 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,20 +23,6 @@ ENV PROMPT_COMMAND="" # https://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x264.html # https://www.gnu.org/software/bash/manual/html_node/Bash-Variables.html -ENV SUMMARY="Platform for building and running Python $PYTHON_VERSION applications" \ -DESCRIPTION="Python $PYTHON_VERSION available as container is a base platform for \ -building and running various Python $PYTHON_VERSION applications and frameworks. " - -LABEL summary="$SUMMARY" \ - description="$DESCRIPTION" \ - io.k8s.description="$DESCRIPTION" \ - io.k8s.display-name="Python 3.8" \ - io.openshift.tags="builder,python,python38,python-38,rh-python38" \ - com.redhat.component="ubi8-container" \ - name="ubi8/python-38" \ - version="1" \ - com.redhat.license_terms="https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI" \ - maintainer="NAVAIR Advanced Analytics Platform (AAP) Product Team" # Copy extra files to the image. COPY ./root / diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 4552e85..b74f223 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
@@ -21,7 +21,7 @@ labels: # Name of the image org.opencontainers.image.title: "aap-python" # Human-readable description of the software packaged in the image - org.opencontainers.image.description: "Use as a base image for custom python apps" + org.opencontainers.image.description: "Python $PYTHON_VERSION available as container is a base platform for building and running various Python $PYTHON_VERSION applications and frameworks." # License(s) under which contained software is distributed org.opencontainers.image.licenses: "AAP License" # URL to find more information on the image @@ -37,6 +37,7 @@ labels: # Product the image belongs to for grouping multiple images mil.dso.ironbank.product.name: "diat/aap-python" + # List of resources to make available to the offline build context resources: {} -- GitLab From b4fceecafb0094b1a731afb40853142ed4176372 Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Tue, 29 Jun 2021 23:07:14 +0000 Subject: [PATCH 04/13] Update hardening_manifest.yaml --- hardening_manifest.yaml | 47 ----------------------------------------- 1 file changed, 47 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index b74f223..1f05a35 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
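Review bot: The new `org.opencontainers.image.description` value contains `$PYTHON_VERSION` twice, but hardening_manifest.yaml is consumed as data, not run through a shell, so unless the pipeline interpolates build args into labels (I do not believe it does) the published label reads literally "Python $PYTHON_VERSION available as container …". Write the version out: `org.opencontainers.image.description: "Python 3.8 available as container is a base platform for building and running various Python 3.8 applications and frameworks."`. The same literal is re-added when the labels block returns in the patch 07 hunk of this file.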
@@ -1,49 +1,2 @@ apiVersion: v1 -# The repository name in registry1, excluding /ironbank/ -name: "diat/aap-python" - -# List of tags to push for the repository in registry1 -# The most specific version should be the first tag and will be shown -# on ironbank.dso.mil -tags: -- "14.0" -- "latest" - -# Build args passed to Dockerfile ARGs -args: - BASE_REGISTRY: "registry1.dsop.io" - BASE_IMAGE: "redhat/ubi/ubi8" - BASE_TAG: "8.3" - -# Docker image labels -labels: - # Name of the image - org.opencontainers.image.title: "aap-python" - # Human-readable description of the software packaged in the image - org.opencontainers.image.description: "Python $PYTHON_VERSION available as container is a base platform for building and running various Python $PYTHON_VERSION applications and frameworks." - # License(s) under which contained software is distributed - org.opencontainers.image.licenses: "AAP License" - # URL to find more information on the image - org.opencontainers.image.url: "https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform" - # Name of the distributing entity, organization or individual - org.opencontainers.image.vendor: "aap-python" - # Authoritative version of the software - org.opencontainers.image.version: "14.0" - # Keywords to help with search (ex. "cicd,gitops,golang") - mil.dso.ironbank.image.keywords: "aap,python,aappython,aap-python,pythonent,atlas,diat" - # This value can be "opensource" or "commercial" - mil.dso.ironbank.image.type: "commercial" - # Product the image belongs to for grouping multiple images - mil.dso.ironbank.product.name: "diat/aap-python" - - -# List of resources to make available to the offline build context -resources: {} - -# List of project maintainers -maintainers: -- email: "wingkwan.lau1@navy.mil" - name: "WingKwan Lau" - username: "wlau" - -- GitLab From afe57a5f9f8bf324b1e5fe06c41c714b4b64a614 Mon Sep 17 00:00:00 2001 
From: WingKwan Lau Date: Tue, 29 Jun 2021 23:10:44 +0000 Subject: [PATCH 05/13] Update hardening_manifest.yaml --- hardening_manifest.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 1f05a35..6084f31 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -1,2 +1,4 @@ apiVersion: v1 +# The repository name in registry1, excluding /ironbank/ +name: "diat/aap-python" -- GitLab From 2d2e21bfcf9cff054bd259a90e2873075c56dee9 Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Tue, 29 Jun 2021 23:16:36 +0000 Subject: [PATCH 06/13] Update hardening_manifest.yaml --- hardening_manifest.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 6084f31..c6240a5 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -2,3 +2,16 @@ apiVersion: v1 # The repository name in registry1, excluding /ironbank/ name: "diat/aap-python" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dso.mil +tags: +- "14.0" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_REGISTRY: "registry1.dsop.io" + BASE_IMAGE: "redhat/ubi/ubi8" + BASE_TAG: "8.3" -- GitLab From dd966cebc16c0acab048a8bd8cddefc5de42bfaa Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Tue, 29 Jun 2021 23:19:50 +0000 Subject: [PATCH 07/13] Update hardening_manifest.yaml --- hardening_manifest.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index c6240a5..873532b 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
@@ -15,3 +15,30 @@ args: BASE_REGISTRY: "registry1.dsop.io" BASE_IMAGE: "redhat/ubi/ubi8" BASE_TAG: "8.3" + +# Docker image labels +labels: + # Name of the image + org.opencontainers.image.title: "aap-python" + # Human-readable description of the software packaged in the image + org.opencontainers.image.description: "Python $PYTHON_VERSION available as container is a base platform for building and running various Python $PYTHON_VERSION applications and frameworks." + # License(s) under which contained software is distributed + org.opencontainers.image.licenses: "AAP License" + # URL to find more information on the image + org.opencontainers.image.url: "https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform" + # Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "aap-python" + # Authoritative version of the software + org.opencontainers.image.version: "14.0" + # Keywords to help with search (ex. "cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "aap,python,aappython,aap-python,pythonent,atlas,diat" + # This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "commercial" + # Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "diat/aap-python" + +# List of project maintainers +maintainers: +- email: "wingkwan.lau1@navy.mil" + name: "WingKwan Lau" + username: "wlau" -- GitLab From e96fc17b495a9c113cc904bf529c58fc36367f2b Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Tue, 29 Jun 2021 23:34:59 +0000 Subject: [PATCH 08/13] Update Dockerfile --- Dockerfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index cccba73..207e7c0 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,4 +1,8 @@ -FROM registry.access.redhat.com/ubi8:8.2 +ARG BASE_REGISTRY=registry1.dso.mil +ARG BASE_IMAGE=redhat/ubi/ubi8 +ARG BASE_TAG=8.3 + +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} # Set necessary environment variables for python and python development environment ARG APP_ROOT=/opt/app-root -- GitLab From 9412a859930214002811af86fe2c7ebd2d12d223 Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Tue, 29 Jun 2021 23:41:22 +0000 Subject: [PATCH 09/13] Update Dockerfile --- Dockerfile | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 207e7c0..4495cfc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,19 +22,14 @@ ENV PYTHON_VERSION=3.8 \ # shell environment upon container startup ENV PROMPT_COMMAND="" -# ^^^ BASH_ENV and ENV provide the name of a startup file to read before bash is used to execute a script -# ^^^ Bash provides an environment variable called PROMPT_COMMAND. The contents of this variable are executed as a regular Bash command just before Bash displays a prompt. -# https://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x264.html -# https://www.gnu.org/software/bash/manual/html_node/Bash-Variables.html - - # Copy extra files to the image. -COPY ./root / +COPY ./scripts /usr/bin RUN chmod a+x /usr/bin/container-entrypoint && \ chmod a+x /usr/bin/fix-permissions && \ chmod a+x /usr/bin/rpm-file-permissions && \ chmod a+x /usr/bin/generate-container-user && \ - chmod a+x /usr/bin/py-enable + chmod a+x /usr/bin/py-enable && \ + chmod a+x /usr/bin/aap # Install packages RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python38 python38-devel python38-setuptools python38-pip " && \ -- GitLab From 00aea05898e9e5f74efb644b374376dbb3b41b05 Mon Sep 17 00:00:00 2001 
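Review bot: The default `ARG BASE_REGISTRY=registry1.dso.mil` disagrees with `hardening_manifest.yaml`, which passes `BASE_REGISTRY: "registry1.dsop.io"` in the patch 06 hunk, so a local build and a pipeline build resolve the base image from different hosts; pick one host and use it in both files. The base is pinned only by tag `8.3`; a digest (`@sha256:<digest-placeholder>`) on the `FROM` line makes rebuilds reproducible and ties each image to a specific UBI release. A comment above the ARGs such as `# Defaults for local builds; the Iron Bank pipeline overrides these from hardening_manifest.yaml args` would document why the values are duplicated.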
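Review bot: `COPY ./scripts /usr/bin` copies the whole directory, and at this commit `scripts/` is where the following patch moves the six OpenShift YAML manifests, so they would land in `/usr/bin` of the image next to the helpers (patch 12 deletes them, which resolves it, but naming the files in the COPY prevents a recurrence). The `chmod a+x` list then needs editing every time a script is added — as this hunk does for `/usr/bin/aap`, a file no visible patch creates and whose chmod patch 11 removes again; committing the executable bit in git (`git update-index --chmod=+x scripts/*`) lets COPY preserve the mode and the whole RUN chmod step can go.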
From: WingKwan Lau Date: Tue, 29 Jun 2021 23:52:52 +0000 Subject: [PATCH 10/13] Update scripts/application-template.yaml, scripts/build-config-test.yaml, scripts/cluster-catrust.yaml, scripts/deployment-config.yaml, scripts/image-stream-test.yaml, scripts/pvc.yaml files --- {script => scripts}/application-template.yaml | 0 {script => scripts}/build-config-test.yaml | 0 {script => scripts}/cluster-catrust.yaml | 0 {script => scripts}/deployment-config.yaml | 0 {script => scripts}/image-stream-test.yaml | 0 {script => scripts}/pvc.yaml | 0 6 files changed, 0 insertions(+), 0 deletions(-) rename {script => scripts}/application-template.yaml (100%) rename {script => scripts}/build-config-test.yaml (100%) rename {script => scripts}/cluster-catrust.yaml (100%) rename {script => scripts}/deployment-config.yaml (100%) rename {script => scripts}/image-stream-test.yaml (100%) rename {script => scripts}/pvc.yaml (100%) diff --git a/script/application-template.yaml b/scripts/application-template.yaml similarity index 100% rename from script/application-template.yaml rename to scripts/application-template.yaml diff --git a/script/build-config-test.yaml b/scripts/build-config-test.yaml similarity index 100% rename from script/build-config-test.yaml rename to scripts/build-config-test.yaml diff --git a/script/cluster-catrust.yaml b/scripts/cluster-catrust.yaml similarity index 100% rename from script/cluster-catrust.yaml rename to scripts/cluster-catrust.yaml diff --git a/script/deployment-config.yaml b/scripts/deployment-config.yaml similarity index 100% rename from script/deployment-config.yaml rename to scripts/deployment-config.yaml diff --git a/script/image-stream-test.yaml b/scripts/image-stream-test.yaml similarity index 100% rename from script/image-stream-test.yaml rename to scripts/image-stream-test.yaml diff --git a/script/pvc.yaml b/scripts/pvc.yaml similarity index 100% rename from script/pvc.yaml rename to scripts/pvc.yaml -- GitLab 
From 0dc13bf1e043279b4d6dabd064d10c50be72174a Mon Sep 17 00:00:00 2001 From: WingKwan Lau Date: Tue, 29 Jun 2021 23:58:20 +0000 Subject: [PATCH 11/13] Update Dockerfile --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4495cfc..7a811e9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -28,8 +28,8 @@ RUN chmod a+x /usr/bin/container-entrypoint && \ chmod a+x /usr/bin/fix-permissions && \ chmod a+x /usr/bin/rpm-file-permissions && \ chmod a+x /usr/bin/generate-container-user && \ - chmod a+x /usr/bin/py-enable && \ - chmod a+x /usr/bin/aap + chmod a+x /usr/bin/py-enable + # Install packages RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python38 python38-devel python38-setuptools python38-pip " && \ -- GitLab From d5c653c4e0f047e84776acfef8d15da448a722c0 Mon Sep 17 00:00:00 2001 
From: WingKwan Lau Date: Wed, 30 Jun 2021 00:03:41 +0000 Subject: [PATCH 12/13] Update scripts/container-entrypoint, scripts/fix-permissions, scripts/generate-container-user, scripts/py-enable, scripts/rpm-file-permissions files Deleted scripts/application-template.yaml, scripts/build-config-test.yaml, scripts/cluster-catrust.yaml, scripts/deployment-config.yaml, scripts/image-stream-test.yaml, scripts/pvc.yaml files --- scripts/application-template.yaml | 155 ------------------------------ scripts/build-config-test.yaml | 34 ------- scripts/cluster-catrust.yaml | 6 -- scripts/container-entrypoint | 9 ++ scripts/deployment-config.yaml | 89 ----------------- scripts/fix-permissions | 28 ++++++ scripts/generate-container-user | 20 ++++ scripts/image-stream-test.yaml | 6 -- scripts/pvc.yaml | 18 ---- scripts/py-enable | 6 ++ scripts/rpm-file-permissions | 22 +++++ 11 files changed, 85 insertions(+), 308 deletions(-) delete mode 100644 scripts/application-template.yaml delete mode 100644 scripts/build-config-test.yaml delete mode 100644 scripts/cluster-catrust.yaml create mode 100644 scripts/container-entrypoint delete mode 100644 scripts/deployment-config.yaml create mode 100644 scripts/fix-permissions create mode 100644 scripts/generate-container-user delete mode 100644 scripts/image-stream-test.yaml delete mode 100644 scripts/pvc.yaml create mode 100644 scripts/py-enable create mode 100644 scripts/rpm-file-permissions diff --git a/scripts/application-template.yaml b/scripts/application-template.yaml deleted file mode 100644 index 017ddfc..0000000 --- a/scripts/application-template.yaml +++ /dev/null 
@@ -1,155 +0,0 @@ -apiVersion: template.openshift.io/v1 -kind: Template -labels: - template: aap-cli -message: |- - The following services have been created in your project: ${APPLICATION_NAME} - - For more information about using this template, see https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform -metadata: - annotations: - description: Command line interface for the Advanced Analytics Platform. For more information, - see https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform - iconClass: icon-python - openshift.io/display-name: AAP CLI - openshift.io/documentation-url: https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform - openshift.io/long-description: This template defines resources needed to spin - up AAP CLI on OpenShift. - openshift.io/provider-display-name: AAP on Atlas - openshift.io/support-url: https://chat.navair1.navy.mil/channel/aap_support - tags: python,quickstart,advanced-analytics,data-science,cli - template.openshift.io/bindable: "false" - name: aap-cli -objects: -- apiVersion: v1 - kind: ConfigMap - metadata: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' - app: ${APPLICATION_NAME} - name: ${APPLICATION_NAME}-ca-trust -- apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: ${APPLICATION_NAME}-data - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - storageClassName: managed-nfs-storage - volumeMode: Filesystem -- apiVersion: apps.openshift.io/v1 - kind: DeploymentConfig - metadata: - labels: - app: ${APPLICATION_NAME} - name: ${APPLICATION_NAME} - spec: - replicas: 1 - revisionHistoryLimit: 5 - selector: - app: ${APPLICATION_NAME} - strategy: - activeDeadlineSeconds: 21600 - recreateParams: - timeoutSeconds: 600 - resources: {} - type: Recreate - template: - metadata: - annotations: - alpha.image.policy.openshift.io/resolve-names: '*' - labels: - app: ${APPLICATION_NAME} - spec: - volumes: - - name: 
${APPLICATION_NAME}-ca-trust - configMap: - name: ${APPLICATION_NAME}-ca-trust - items: - - key: ca-bundle.crt - path: tls-ca-bundle.pem - defaultMode: 420 - - name: ${APPLICATION_NAME}-data - persistentVolumeClaim: - claimName: ${APPLICATION_NAME}-data - containers: - - resources: - limits: - cpu: 200m - memory: 400Mi - requests: - cpu: 100m - memory: 200Mi - terminationMessagePath: /dev/termination-log - name: aap-cli-test - command: - - tail - - '-f' - - /dev/null - ports: - - containerPort: 5000 - protocol: TCP - imagePullPolicy: IfNotPresent - volumeMounts: - - name: ${APPLICATION_NAME}-ca-trust - readOnly: true - mountPath: /etc/pki/ca-trust/extracted/pem - - name: ${APPLICATION_NAME}-data - mountPath: /opt/app-root - terminationMessagePolicy: File - envFrom: - - configMapRef: - name: env-app-config - image: >- - nexus00.unity.services.nres.navy.mil:5000/repository/containers/openshift/aap-cli:0.5 - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 - test: false - triggers: - - type: ConfigChange -- apiVersion: v1 - kind: Service - metadata: - labels: - app: ${APPLICATION_NAME} - name: ${APPLICATION_NAME}-svc - spec: - ports: - - name: 5000-tcp - port: 5000 - protocol: TCP - targetPort: 5000 - selector: - app: ${APPLICATION_NAME} - sessionAffinity: None - type: ClusterIP -- apiVersion: route.openshift.io/v1 - kind: Route - metadata: - annotations: - openshift.io/host.generated: "true" - labels: - app: ${APPLICATION_NAME} - name: ${APPLICATION_NAME} - spec: - port: - targetPort: 5000-tcp - subdomain: "" - tls: - insecureEdgeTerminationPolicy: Redirect - termination: edge - to: - kind: Service - name: ${APPLICATION_NAME}-svc - weight: 100 - wildcardPolicy: None -parameters: -- name: APPLICATION_NAME - required: true - value: aap-cli diff --git a/scripts/build-config-test.yaml b/scripts/build-config-test.yaml deleted file mode 100644 index e15c7a0..0000000 
--- a/scripts/build-config-test.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-kind: BuildConfig
-apiVersion: build.openshift.io/v1
-metadata:
- name: aap-python-test
- labels:
- application: aap-python
-spec:
- nodeSelector: null
- output:
- to:
- kind: ImageStreamTag
- name: 'aap-python-test:0.1'
- resources:
- limits:
- cpu: 200m
- memory: 400Mi
- requests:
- cpu: 100m
- memory: 200Mi
- successfulBuildsHistoryLimit: 5
- failedBuildsHistoryLimit: 5
- strategy:
- type: Docker
- dockerStrategy:
- dockerfilePath: Dockerfile
- postCommit: {}
- source:
- type: Git
- git:
- uri: 'https://spork.navair1.navy.mil/unity/aap-python.git'
- ref: master
- triggers:
- - type: ConfigChange
- runPolicy: Serial
\ No newline at end of file
diff --git a/scripts/cluster-catrust.yaml b/scripts/cluster-catrust.yaml
deleted file mode 100644
index 4c34fe3..0000000
--- a/scripts/cluster-catrust.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: cluster-catrust
- labels:
- config.openshift.io/inject-trusted-cabundle: 'true'
\ No newline at end of file
diff --git a/scripts/container-entrypoint b/scripts/container-entrypoint
new file mode 100644
index 0000000..339a74c
--- /dev/null
+++ b/scripts/container-entrypoint
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# temp: hard coding "hero" as container username (todo: fix to use env vars for username and homedir)
+if [ `id -u` -ge 1 ]; then
+ echo "hero:x:`id -u`:`id -g`:here:/opt/app-root:/bin/bash" >> /etc/passwd
+fi
+
+exec "$@"
+
diff --git a/scripts/deployment-config.yaml b/scripts/deployment-config.yaml
deleted file mode 100644
index 2f9a9e3..0000000
--- a/scripts/deployment-config.yaml
+++ /dev/null
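Review bot: The `id -u -ge 1` guard in container-entrypoint appends a passwd entry for every non-zero UID, including one that already has an entry (the UID 1001 user the Dockerfile's `useradd -u 1001` creates), so each start under a known UID adds a duplicate line, and the GECOS field reads `here` instead of the user name. This also only works if `/etc/passwd` stays writable by whatever UID the container runs as, which is the situation the `generate-container-user` nss_wrapper script added in the same commit exists to avoid; at minimum guard the append with `if [ "$(id -u)" -ne 0 ] && ! getent passwd "$(id -u)" >/dev/null 2>&1; then`. The hard-coded home can already come from the environment, as the script's own todo says, e.g. `${HOME:-/opt/app-root}` in place of the literal path, and the user name should follow the same pattern once a variable for it is settled.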
@@ -1,89 +0,0 @@ -kind: DeploymentConfig -apiVersion: apps.openshift.io/v1 -metadata: - name: aap-cli-test - labels: - app: aap-cli - app.kubernetes.io/component: aap-cli-test - app.kubernetes.io/instance: aap-cli-test - app.kubernetes.io/part-of: aap-cli -spec: - strategy: - type: Rolling - rollingParams: - updatePeriodSeconds: 1 - intervalSeconds: 1 - timeoutSeconds: 600 - maxUnavailable: 25% - maxSurge: 25% - resources: {} - activeDeadlineSeconds: 21600 - triggers: - - type: ImageChange - imageChangeParams: - automatic: true - containerNames: - - aap-cli-test - from: - kind: ImageStreamTag - name: 'aap-cli-test:0.2' - - type: ConfigChange - replicas: 1 - revisionHistoryLimit: 5 - test: false - selector: - app: aap-cli - deploymentconfig: aap-cli-test - template: - metadata: - creationTimestamp: null - labels: - app: aap-cli - deploymentconfig: aap-cli-test - spec: - volumes: - - name: cluster-catrust - configMap: - name: cluster-catrust - items: - - key: ca-bundle.crt - path: tls-ca-bundle.pem - defaultMode: 420 - - name: aap-cli-home - persistentVolumeClaim: - claimName: aap-cli-home - containers: - - resources: - limits: - cpu: 200m - memory: 400Mi - requests: - cpu: 100m - memory: 200Mi - terminationMessagePath: /dev/termination-log - name: aap-cli-test - command: - - tail - - '-f' - - /dev/null - ports: - - containerPort: 8080 - protocol: TCP - imagePullPolicy: IfNotPresent - volumeMounts: - - name: cluster-catrust - readOnly: true - mountPath: /etc/pki/ca-trust/extracted/pem - - name: aap-cli-home - mountPath: /opt/app-root - terminationMessagePolicy: File - envFrom: - - configMapRef: - name: env-app-config - image: >- - image-registry.openshift-image-registry.svc:5000/aap-builds/aap-cli-test:0.2 - restartPolicy: Always - terminationGracePeriodSeconds: 30 - dnsPolicy: ClusterFirst - securityContext: {} - schedulerName: default-scheduler diff --git a/scripts/fix-permissions b/scripts/fix-permissions new file mode 100644 index 0000000..827eeb5 --- /dev/null 
+++ b/scripts/fix-permissions
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Allow this script to fail without failing a build
+set +e
+
+SYMLINK_OPT=${2:--L}
+
+# Fix permissions on the given directory or file to allow group read/write of
+# regular files and execute of directories.
+
+[ $(id -u) -ne 0 ] && CHECK_OWNER=" -uid $(id -u)"
+
+# If argument does not exist, script will still exit with 0,
+# but at least we'll see something went wrong in the log
+if ! [ -e "$1" ] ; then
+ echo "ERROR: File or directory $1 does not exist." >&2
+ # We still want to end successfully
+ exit 0
+fi
+
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} \! -gid 0 -exec chgrp 0 {} +
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} \! -perm -g+rw -exec chmod g+rw {} +
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} -perm /u+x -a \! -perm /g+x -exec chmod g+x {} +
+find $SYMLINK_OPT "$1" ${CHECK_OWNER} -type d \! -perm /g+x -exec chmod g+x {} +
+
+# Always end successfully
+exit 0
+
diff --git a/scripts/generate-container-user b/scripts/generate-container-user
new file mode 100644
index 0000000..f092c51
--- /dev/null
+++ b/scripts/generate-container-user
@@ -0,0 +1,20 @@
+# Set current user in nss_wrapper
+USER_ID=$(id -u)
+GROUP_ID=$(id -g)
+
+if [ x"$USER_ID" != x"0" -a x"$USER_ID" != x"1001" ]; then
+
+ NSS_WRAPPER_PASSWD=/opt/app-root/etc/passwd
+ NSS_WRAPPER_GROUP=/etc/group
+
+ cat /etc/passwd | sed -e 's/^default:/builder:/' > $NSS_WRAPPER_PASSWD
+
+ echo "default:x:${USER_ID}:${GROUP_ID}:Default Application User:${HOME}:/sbin/nologin" >> $NSS_WRAPPER_PASSWD
+
+ export NSS_WRAPPER_PASSWD
+ export NSS_WRAPPER_GROUP
+
+ LD_PRELOAD=libnss_wrapper.so
+ export LD_PRELOAD
+fi
+
diff --git a/scripts/image-stream-test.yaml b/scripts/image-stream-test.yaml
deleted file mode 100644
index 532473b..0000000
--- a/scripts/image-stream-test.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-kind: ImageStream
-apiVersion: image.openshift.io/v1
-metadata:
- name: aap-python-test
- labels:
- application: aap-python
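Review bot: `SYMLINK_OPT` in fix-permissions defaults to `-L`, so `find` follows symbolic links, and `chgrp`/`chmod` dereference what they are handed; a link inside `$1` that points outside the tree therefore gets its target's group switched to 0 and group write added, and when the script runs as root during the build `CHECK_OWNER` is empty, so nothing restricts this to the caller's own files. If following links is intended, say so in the header, e.g. `# Second argument selects find's symlink handling (default -L: links inside $1 are followed, so their targets are changed too).`; otherwise `SYMLINK_OPT=${2:--P}` keeps the change inside the tree. The unconditional `exit 0` means a failed `chmod` only surfaces as stderr noise in the build log, which the opening comment already accepts.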
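Review bot: generate-container-user only assigns and exports variables (`NSS_WRAPPER_PASSWD`, `NSS_WRAPPER_GROUP`, `LD_PRELOAD`), so it has an effect only when sourced; run as a command, which the `chmod a+x /usr/bin/generate-container-user` kept in patch 11 suggests, the exports die with the child shell. A header such as `# Must be sourced (". /usr/bin/generate-container-user"); executing it does nothing, the exports below apply to the calling shell.` would make that explicit. `LD_PRELOAD=libnss_wrapper.so` also assumes the library is installed, and the `INSTALL_PKGS` list visible in patch 11's context has no nss_wrapper package; if it is absent, every process started afterwards prints an ld.so preload error. The redirect into `/opt/app-root/etc/passwd` does not create the directory, and the deleted manifests mounted a fresh volume over `/opt/app-root`, so `mkdir -p "$(dirname "$NSS_WRAPPER_PASSWD")"` before the `cat … >` line would cover that case.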
diff --git a/scripts/pvc.yaml b/scripts/pvc.yaml
deleted file mode 100644
index 390c6ce..0000000
--- a/scripts/pvc.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: aap-cli-home
- annotations:
- pv.kubernetes.io/bind-completed: 'yes'
- pv.kubernetes.io/bound-by-controller: 'yes'
- volume.beta.kubernetes.io/storage-provisioner: fuseim.pri/ifs
- finalizers:
- - kubernetes.io/pvc-protection
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 1Gi
- storageClassName: managed-nfs-storage
- volumeMode: Filesystem
diff --git a/scripts/py-enable b/scripts/py-enable
new file mode 100644
index 0000000..9d1443b
--- /dev/null
+++ b/scripts/py-enable
@@ -0,0 +1,6 @@
+# IMPORTANT: Do not add more content to this file unless you know what you are
+# doing. This file is sourced everytime the shell session is opened.
+# This will make the python libraries work out of the box.
+unset BASH_ENV PROMPT_COMMAND ENV
+source /opt/app-root/bin/activate
+
diff --git a/scripts/rpm-file-permissions b/scripts/rpm-file-permissions
new file mode 100644
index 0000000..e96e705
--- /dev/null
+++ b/scripts/rpm-file-permissions
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+CHECK_DIRS="/ /opt /etc /usr /usr/bin /usr/lib /usr/lib64 /usr/share /usr/libexec"
+
+rpm_format="[%{FILESTATES:fstate} %7{FILEMODES:octal} %{FILENAMES:shescape}\n]"
+
+rpm -q --qf "$rpm_format" filesystem | while read line
+do
+ eval "set -- $line"
+
+ case $1 in
+ normal) ;;
+ *) continue ;;
+ esac
+
+ case " $CHECK_DIRS " in
+ *" $3 "*)
+ chmod "${2: -4}" "$3"
+ ;;
+ esac
+done
+
-- 
GitLab

From f33605839e97a65f516828b15e7b616cece74484 Mon Sep 17 00:00:00 2001
From: WingKwan Lau
Date: Wed, 30 Jun 2021 00:21:19 +0000
Subject: [PATCH 13/13] Update Dockerfile

---
 Dockerfile | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 7a811e9..3646244 100644
--- a/Dockerfile
+++ b/Dockerfile
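Review bot: `source` in py-enable is a bash builtin and the file has no shebang; its own `unset BASH_ENV PROMPT_COMMAND ENV` suggests it is wired in through those variables, and `ENV` is what a POSIX `sh` reads, so `. /opt/app-root/bin/activate` is the portable spelling, and `${APP_ROOT:-/opt/app-root}/bin/activate` would match the `${APP_ROOT}` the Dockerfile passes to `venv`. Because the file is meant to be sourced, invoking it as a command, as `RUN … && /usr/bin/py-enable` does in patch 13, activates nothing for the caller. A header such as `# Sourced at shell start via BASH_ENV/ENV/PROMPT_COMMAND; unsets those first so it runs once per shell, then activates the venv. Do not execute directly.` would capture both points.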
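Review bot: `${2: -4}` in rpm-file-permissions is a bash/ksh substring expansion rather than POSIX, while the shebang is `#!/bin/sh`; on UBI `/bin/sh` is bash so it works today, but either `#!/bin/bash` or a POSIX form such as `chmod "$(printf '%s' "$2" | tail -c 4)" "$3"` would match the declared interpreter. The script's purpose is not stated anywhere; a header like `# Reset the directories listed in CHECK_DIRS to the modes recorded in the filesystem rpm (files rpm reports as "normal" only).` would help the next reader. The `while` loop's status is what the script exits with, so a failing `rpm -q` still ends with status 0 and no message.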
@@ -39,16 +39,10 @@ RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python38 python38-de rpm -V $INSTALL_PKGS && \ yum -y clean all --enablerepo="*" -# - Create a Python virtual environment for use by any application to avoid -# potential conflicts with Python packages preinstalled in the main Python -# installation. -# - In order to drop the root user, we have to make some directories world -# writable as multi-tenant Kubernetes clusters' default security model -# should run the container under a random UID. -# - For any python applications use this default user +# - Create a Python virtual environment for use by any application to avoid potential conflicts with Python packages +# preinstalled in the main Python installation. RUN python$PYTHON_VERSION -m venv ${APP_ROOT} && /usr/bin/py-enable - # Set up container user and adjust permissions to run in OpenShift environment WORKDIR ${HOME} RUN useradd -u 1001 -r -g 0 -d ${HOME} -s /sbin/nologin \ -- GitLab
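Review bot: `RUN python$PYTHON_VERSION -m venv ${APP_ROOT} && /usr/bin/py-enable`, kept as context by this hunk, runs py-enable as a child process, but that file only `unset`s variables and `source`s the venv's activate script, so it changes nothing in the build step and at most proves the activate file exists; `&& test -f ${APP_ROOT}/bin/activate` states that intent plainly, or the call can be dropped. The rewritten comment also deletes the rationale for running under an arbitrary UID with group 0, which the `useradd -u 1001 -r -g 0` line just below still relies on; keeping one line such as `# Group 0 plus group-writable paths let the image run under the random UID OpenShift assigns.` above `# Set up container user` preserves it. The `useradd` command continues past the end of the hunk.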