From bf73dd44f5194ee2e58f15d2f43723a0aaa15223 Mon Sep 17 00:00:00 2001 From: shen_vickie Date: Thu, 17 Jun 2021 10:15:52 -0400 Subject: [PATCH 01/14] bumped to v.1.14.4 --- Dockerfile | 2 +- hardening_manifest.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 393cf49..d3748d2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs12 ARG BASE_TAG=12.22.1 -FROM lovasoa/wbo:v1.14.0 as base +FROM lovasoa/wbo:v1.14.4 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index fff602b..e1e3122 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "opensource/lovasoa/wbo" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "v1.14.0" +- "v1.14.4" - "latest" # Build args passed to Dockerfile ARGs @@ -27,7 +27,7 @@ labels: org.opencontainers.image.url: "https://github.com/lovasoa/whitebophir" ## Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "lovasoa" - org.opencontainers.image.version: "v1.14.0" + org.opencontainers.image.version: "v1.14.4" ## Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "opensource" ## This value can be "opensource" or "commercial" @@ -37,7 +37,7 @@ labels: # List of resources to make available to the offline build context resources: -- tag: lovasoa/wbo:1.14.1 +- tag: lovasoa/wbo:1.14.4 url: docker://docker.io/lovasoa/wbo@sha256:bdd41d3d6e266baf8a1f3047c3697615973d56a6fcf874801e15ae785941c9f9 # List of project maintainers -- GitLab From 2a26aeafb7b012569dfe55f44d776e0fda62e033 Mon Sep 17 00:00:00 2001 From: shen_vickie Date: Thu, 17 Jun 2021 10:24:15 -0400 Subject: [PATCH 02/14] bumped to v.1.14.4 --- hardening_manifest.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index e1e3122..76f38a0 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -38,7 +38,7 @@ labels: # List of resources to make available to the offline build context resources: - tag: lovasoa/wbo:1.14.4 - url: docker://docker.io/lovasoa/wbo@sha256:bdd41d3d6e266baf8a1f3047c3697615973d56a6fcf874801e15ae785941c9f9 + url: docker://docker.io/lovasoa/wbo@sha256:50fcda9c6ca92b955df7ed19bcea6dd3671f4b8c338c0ebdc21a4da7b82f3767 # List of project maintainers maintainers: -- GitLab From 1a3e99b0b9d1d9bdcfeefc3134319e9c81195b4f Mon Sep 17 00:00:00 2001 From: shen_vickie Date: Thu, 17 Jun 2021 20:53:47 -0400 Subject: [PATCH 03/14] fixed typo --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index d3748d2..cfc2988 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs12 ARG BASE_TAG=12.22.1 -FROM lovasoa/wbo:v1.14.4 as base +FROM lovasoa/wbo:1.14.4 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -- GitLab From d1aa54f0362df89bd9a11566675810a1958f873f Mon Sep 17 00:00:00 2001 From: shen_vickie Date: Fri, 18 Jun 2021 15:42:43 -0400 Subject: [PATCH 04/14] fixed typo --- Dockerfile | 2 +- hardening_manifest.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index cfc2988..d3748d2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs12 ARG BASE_TAG=12.22.1 -FROM lovasoa/wbo:1.14.4 as base +FROM lovasoa/wbo:v1.14.4 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 76f38a0..3fbeeae 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
@@ -37,7 +37,7 @@ labels: # List of resources to make available to the offline build context resources: -- tag: lovasoa/wbo:1.14.4 +- tag: lovasoa/wbo:v1.14.4 url: docker://docker.io/lovasoa/wbo@sha256:50fcda9c6ca92b955df7ed19bcea6dd3671f4b8c338c0ebdc21a4da7b82f3767 # List of project maintainers -- GitLab From 38c9d7ffa026fe89d4c542cc98237d0113f5c1ce Mon Sep 17 00:00:00 2001 From: David Freeman Date: Fri, 18 Jun 2021 22:54:56 +0000 Subject: [PATCH 05/14] Update Dockerfile --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index d3748d2..a6485a1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ ARG BASE_REGISTRY=registry1.dso.mil -ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs12 -ARG BASE_TAG=12.22.1 +ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs16 +ARG BASE_TAG=16.3.0 FROM lovasoa/wbo:v1.14.4 as base -- GitLab From d8f117f1818583af5559e638df4a0e33fccbdd5e Mon Sep 17 00:00:00 2001 From: shen_vickie Date: Mon, 21 Jun 2021 14:08:24 -0400 Subject: [PATCH 06/14] rebuilt --- Dockerfile | 36 +++--- deploy/deployment.yaml | 54 --------- hardening_manifest.yaml | 16 +-- renovate.json | 10 -- scripts/docker-entrypoint.sh | 8 ++ scripts/server.js | 221 +++++++++++++++++++++++++++++++++++ 6 files changed, 257 insertions(+), 88 deletions(-) delete mode 100644 deploy/deployment.yaml create mode 100644 scripts/docker-entrypoint.sh create mode 100644 scripts/server.js diff --git a/Dockerfile b/Dockerfile index 8fe03e8..7c8439d 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,36 +1,40 @@ ARG BASE_REGISTRY=registry1.dso.mil -ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs12 -ARG BASE_TAG=12.22.1 +ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14 +ARG BASE_TAG=14.15.3 -FROM lovasoa/wbo:v1.14.3 as base +FROM lovasoa/wbo:v1.14.4 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} USER 0 -RUN rm -rf /opt/app && \ - mkdir /opt/app +WORKDIR /opt/app COPY --from=base /opt/app /opt/app - -WORKDIR /opt/app +COPY --from=base /usr/local/bin/node /usr/local/bin/node +COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh +COPY scripts/server.js /opt/app/server/server.js RUN dnf upgrade -y && \ - dnf install npm -y && \ - npm install --production && \ + dnf install npm libcap -y && \ + setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/node && \ + npm ci --production && \ dnf -y remove npm && \ dnf clean all && \ rm -rf /var/cache/dnf && \ - chown -R $USER:$(id -gn $USER) /home/node/.config + chown -R node:node /opt/app && \ + chmod 775 /usr/local/bin/docker-entrypoint.sh -ENV PORT 8080 -EXPOSE 8080 +USER node:node -USER 1001 +ENV PORT=80 +EXPOSE 80 VOLUME /opt/app/server-data -HEALTHCHECK --start-period=5s --timeout=5s \ - CMD curl -fs http://127.0.0.1:8080/ || exit 1 +HEALTHCHECK --start-period=3s --timeout=5s --interval=3s --retries=3 \ + CMD curl --fail http://localhost:80 || exit 1 + +ENTRYPOINT ["docker-entrypoint.sh"] -CMD ["npm", "start"] +CMD ["/usr/local/bin/node", "server/server.js"] diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml deleted file mode 100644 index f69cf7c..0000000 --- a/deploy/deployment.yaml +++ /dev/null 
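Review bot: `chown -R node:node /opt/app` at the end of the RUN step gives the runtime account write access to the application code and its `node_modules`, so anything that gains code execution as `node` can rewrite what the server loads on its next start. The only writable state this Dockerfile declares is `VOLUME /opt/app/server-data`, so the ownership change can be narrowed to `chown -R node:node /opt/app/server-data` (assuming that directory exists in the copied tree, which the hunk does not show). The entrypoint does not need to be group-writable either: `chmod 755 /usr/local/bin/docker-entrypoint.sh`. Separately, `USER node:node` replaces the numeric `USER 1001`; a numeric UID is what an orchestrator's non-root check can verify without resolving names inside the image.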
@@ -1,54 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: wbo -spec: - selector: - app: wbo - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 - nodePort: 32767 - type: NodePort ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: wbo-deployment - labels: - app: wbo -spec: - replicas: 1 - selector: - matchLabels: - app: wbo - template: - metadata: - labels: - app: wbo - spec: - containers: - - name: wbo - image: registry1.dsop.io/ironbank/opensource/lovasoa/wbo:1.14.3 - ports: - - containerPort: 8080 - volumeMounts: - - name: wbo-vol-storage - mountPath: /opt/app/server-data - volumes: - - name: wbo-vol-storage - persistentVolumeClaim: - claimName: wbo-pvc ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: wbo-pvc -spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 1Gi diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 8573628..9280bd5 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,13 +8,13 @@ name: "opensource/lovasoa/wbo" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "v1.14.3" +- "v1.14.4" - "latest" # Build args passed to Dockerfile ARGs args: - BASE_IMAGE: "opensource/nodejs/nodejs12" - BASE_TAG: "12.22.1" + BASE_IMAGE: "opensource/nodejs/nodejs14" + BASE_TAG: "14.15.3" # Docker image labels labels: 
@@ -22,23 +22,23 @@ labels: ## Human-readable description of the software packaged in the image org.opencontainers.image.description: "WBO is an online collaborative whiteboard." ## License(s) under which contained software is distributed - org.opencontainers.image.licenses: "AGPL-3.19" + org.opencontainers.image.licenses: "AGPL-v3.0" ## URL to find more information on the image org.opencontainers.image.url: "https://github.com/lovasoa/whitebophir" ## Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "lovasoa" - org.opencontainers.image.version: "v1.14.3" + org.opencontainers.image.version: "v1.14.4" ## Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "opensource" ## This value can be "opensource" or "commercial" mil.dso.ironbank.image.type: "opensource" ## Product the image belongs to for grouping multiple images - mil.dso.ironbank.product.name: "lovasoa/wbo" + mil.dso.ironbank.product.name: "lovasoa/whitebophir" # List of resources to make available to the offline build context resources: -- tag: lovasoa/wbo:v1.14.3 - url: docker://docker.io/lovasoa/wbo@sha256:a85b3972cfd27df6920008b13c70c6b6cc930bc261bfa24e04ec802cb04999ac +- tag: lovasoa/wbo:v1.14.4 + url: docker://docker.io/lovasoa/wbo@sha256:50fcda9c6ca92b955df7ed19bcea6dd3671f4b8c338c0ebdc21a4da7b82f3767 # List of project maintainers maintainers: diff --git a/renovate.json b/renovate.json index 1620ea2..5a5872c 100644 --- a/renovate.json +++ b/renovate.json @@ -18,15 +18,5 @@ "depNameTemplate": "lovasoa/wbo", "datasourceTemplate": "docker" }, - { - "fileMatch": [ - "^hardening_manifest.yaml$" - ], - "matchStrings": [ - "tags:\\s+-\\s+\"(?.+?)\"" - ], - "depNameTemplate": "lovasoa/wbo", - "datasourceTemplate": "docker" - } ] } diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh new file mode 100644 index 0000000..de6fa8a --- /dev/null +++ b/scripts/docker-entrypoint.sh 
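Review bot: The new value `org.opencontainers.image.licenses: "AGPL-v3.0"` is still not an SPDX identifier, which is what this OCI annotation is defined to carry, so licence scanners keyed on the label will not match it. The SPDX forms are `AGPL-3.0-only` and `AGPL-3.0-or-later`; which of the two applies has to come from the upstream repository's licence notice, which is not shown here.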
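Review bot: Deleting the last array element in renovate.json leaves the preceding entry's `},` directly in front of the closing `]`, so the array now ends with a trailing comma. Strict JSON parsers reject that, and whether Renovate's loader tolerates it in a `.json` file depends on the version in use. If it does not, the remaining Dockerfile rule stops being applied too, and upstream image updates go untracked without any build failure. Change the context line `},` to `}`. The array opens above the hunk, so the whole file should be run through a JSON linter.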
@@ -0,0 +1,8 @@ +#!/bin/sh +set -e + +if [ "${1#-}" != "${1}" ] || [ -z "$(command -v "${1}")" ]; then + set -- node "$@" +fi + +exec "$@" diff --git a/scripts/server.js b/scripts/server.js new file mode 100644 index 0000000..db7a20b --- /dev/null +++ b/scripts/server.js 
@@ -0,0 +1,221 @@ +var app = require("http").createServer(handler), + sockets = require("./sockets.js"), + {log, monitorFunction} = require("./log.js"), + path = require("path"), + fs = require("fs"), + crypto = require("crypto"), + serveStatic = require("serve-static"), + createSVG = require("./createSVG.js"), + templating = require("./templating.js"), + config = require("./configuration.js"), + polyfillLibrary = require("polyfill-library"), + check_output_directory = require("./check_output_directory.js"); + +var MIN_NODE_VERSION = 10.0; + +if (parseFloat(process.versions.node) < MIN_NODE_VERSION) { + console.warn( + "!!! You are using node " + + process.version + + ", wbo requires at least " + + MIN_NODE_VERSION + + " !!!" + ); +} + +check_output_directory(config.HISTORY_DIR); + +sockets.start(app); + +app.listen(config.PORT, config.HOST); +log("server started", { port: config.PORT }); + +var CSP = + "default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws: wss:"; + +var fileserver = serveStatic(config.WEBROOT, { + maxAge: 2 * 3600 * 1000, + setHeaders: function (res) { + res.setHeader("X-UA-Compatible", "IE=Edge"); + res.setHeader("Content-Security-Policy", CSP); + }, +}); + +var errorPage = fs.readFileSync(path.join(config.WEBROOT, "error.html")); +function serveError(request, response) { + return function (err) { + log("error", { error: err && err.toString(), url: request.url }); + response.writeHead(err ? 
500 : 404, { "Content-Length": errorPage.length }); + response.end(errorPage); + }; +} + +/** + * Write a request to the logs + * @param {import("http").IncomingMessage} request + */ +function logRequest(request) { + log("connection", { + ip: request.socket.remoteAddress, + original_ip: + request.headers["x-forwarded-for"] || request.headers["forwarded"], + user_agent: request.headers["user-agent"], + referer: request.headers["referer"], + language: request.headers["accept-language"], + url: request.url, + }); +} + +/** + * @type {import('http').RequestListener} + */ +function handler(request, response) { + try { + handleRequestAndLog(request, response); + } catch (err) { + console.trace(err); + response.writeHead(500, { "Content-Type": "text/plain" }); + response.end(err.toString()); + } +} + +const boardTemplate = new templating.BoardTemplate( + path.join(config.WEBROOT, "board.html") +); +const indexTemplate = new templating.Template( + path.join(config.WEBROOT, "index.html") +); + +/** + * Throws an error if the given board name is not allowed + * @param {string} boardName + * @throws {Error} + */ +function validateBoardName(boardName) { + if (/^[\w%\-_~()]*$/.test(boardName)) return boardName; + throw new Error("Illegal board name: " + boardName); +} + +/** + * @type {import('http').RequestListener} + */ +function handleRequest(request, response) { + var parsedUrl = new URL(request.url, 'http://wbo/'); + var parts = parsedUrl.pathname.split("/"); + if (parts[0] === "") parts.shift(); + + switch (parts[0]) { + case "boards": + // "boards" refers to the root directory + if (parts.length === 1) { + // '/boards?board=...' 
This allows html forms to point to boards + var boardName = parsedUrl.searchParams.get("board") || "anonymous"; + var headers = { Location: "boards/" + encodeURIComponent(boardName) }; + response.writeHead(301, headers); + response.end(); + } else if (parts.length === 2 && request.url.indexOf(".") === -1) { + validateBoardName(parts[1]); + // If there is no dot and no directory, parts[1] is the board name + boardTemplate.serve(request, response); + } else { + // Else, it's a resource + request.url = "/" + parts.slice(1).join("/"); + fileserver(request, response, serveError(request, response)); + } + break; + + case "download": + var boardName = validateBoardName(parts[1]), + history_file = path.join( + config.HISTORY_DIR, + "board-" + boardName + ".json" + ); + if (parts.length > 2 && /^[0-9A-Za-z.\-]+$/.test(parts[2])) { + history_file += "." + parts[2] + ".bak"; + } + log("download", { file: history_file }); + fs.readFile(history_file, function (err, data) { + if (err) return serveError(request, response)(err); + response.writeHead(200, { + "Content-Type": "application/json", + "Content-Disposition": 'attachment; filename="' + boardName + '.wbo"', + "Content-Length": data.length, + }); + response.end(data); + }); + break; + + case "export": + case "preview": + var boardName = validateBoardName(parts[1]), + history_file = path.join( + config.HISTORY_DIR, + "board-" + boardName + ".json" + ); + response.writeHead(200, { + "Content-Type": "image/svg+xml", + "Content-Security-Policy": CSP, + "Cache-Control": "public, max-age=30", + }); + var t = Date.now(); + createSVG + .renderBoard(history_file, response) + .then(function () { + log("preview", { board: boardName, time: Date.now() - t }); + response.end(); + }) + .catch(function (err) { + log("error", { error: err.toString(), stack: err.stack }); + response.end("Sorry, an error occured"); + }); + break; + + case "random": + var name = crypto + .randomBytes(32) + .toString("base64") + .replace(/[^\w]/g, "-"); + 
response.writeHead(307, { Location: "boards/" + name }); + response.end(name); + break; + + case "polyfill.js": // serve tailored polyfills + case "polyfill.min.js": + polyfillLibrary + .getPolyfillString({ + uaString: request.headers["user-agent"], + minify: request.url.endsWith(".min.js"), + features: { + default: { flags: ["gated"] }, + es5: { flags: ["gated"] }, + es6: { flags: ["gated"] }, + es7: { flags: ["gated"] }, + es2017: { flags: ["gated"] }, + es2018: { flags: ["gated"] }, + es2019: { flags: ["gated"] }, + "performance.now": { flags: ["gated"] }, + }, + }) + .then(function (bundleString) { + response.setHeader( + "Cache-Control", + "private, max-age=172800, stale-while-revalidate=1728000" + ); + response.setHeader("Vary", "User-Agent"); + response.setHeader("Content-Type", "application/javascript"); + response.end(bundleString); + }); + break; + + case "": // Index page + logRequest(request); + indexTemplate.serve(request, response); + break; + + default: + fileserver(request, response, serveError(request, response)); + } +} + +const handleRequestAndLog = monitorFunction(handleRequest); +module.exports = app; -- GitLab From 3d0120a9ecf268bf2fb898b508e35590e5ed66cf Mon Sep 17 00:00:00 2001 From: shen_vickie Date: Mon, 21 Jun 2021 14:33:20 -0400 Subject: [PATCH 07/14] testing --- Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7c8439d..8018dce 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,13 +11,11 @@ USER 0 WORKDIR /opt/app COPY --from=base /opt/app /opt/app -COPY --from=base /usr/local/bin/node /usr/local/bin/node COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh COPY scripts/server.js /opt/app/server/server.js RUN dnf upgrade -y && \ - dnf install npm libcap -y && \ - setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/node && \ + dnf install npm -y && \ npm ci --production && \ dnf -y remove npm && \ dnf clean all && \ -- GitLab 
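Review bot: The `polyfill.js` / `polyfill.min.js` branch of `handleRequest` calls `getPolyfillString(...).then(...)` with no rejection handler, unlike the `export`/`preview` branch, which ends in a `.catch`. Its input is the client-supplied `User-Agent` header, so if the library rejects, the response is never ended and the process sees an unhandled rejection, which newer Node releases treat as fatal by default. Append `.catch(serveError(request, response))` to the chain. The top-level `handler` also sends `err.toString()` to the client with status 500, which for `validateBoardName` failures echoes the requested name and reports a client error as a server error; a fixed message with a 400 for validation failures would avoid both.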
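Review bot: With the `setcap CAP_NET_BIND_SERVICE=+eip` step removed here, nothing visible in the series lets the non-root `USER node:node` bind the `PORT=80` that patch 06 introduced; those lines are outside this hunk and unchanged. Unless the runtime lowers the unprivileged-port floor, `app.listen` will presumably fail with a permission error, and the health check on port 80 will fail with it. Returning to an unprivileged port, `ENV PORT=8080` and `EXPOSE 8080`, keeps the container capability-free. `CMD ["/usr/local/bin/node", "server/server.js"]` also still names the path that the removed `COPY --from=base /usr/local/bin/node` supplied, so confirm the base image provides `node` at that location.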
From f43c6702c1022ffc319e6b0e16b4e2e0d8da9585 Mon Sep 17 00:00:00 2001 From: shen_vickie Date: Mon, 21 Jun 2021 16:41:42 -0400 Subject: [PATCH 08/14] testing --- Dockerfile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8018dce..05f23e3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,12 +8,12 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} USER 0 -WORKDIR /opt/app - COPY --from=base /opt/app /opt/app COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh COPY scripts/server.js /opt/app/server/server.js +WORKDIR /opt/app + RUN dnf upgrade -y && \ dnf install npm -y && \ npm ci --production && \ @@ -30,8 +30,7 @@ EXPOSE 80 VOLUME /opt/app/server-data -HEALTHCHECK --start-period=3s --timeout=5s --interval=3s --retries=3 \ - CMD curl --fail http://localhost:80 || exit 1 +HEALTHCHECK --start-period=5s --timeout=5s CMD curl -fs http://127.0.0.1:80/ || exit 1 ENTRYPOINT ["docker-entrypoint.sh"] -- GitLab From e6e977dbbcc3b0d319f57d2b774b760e61be47be Mon Sep 17 00:00:00 2001 From: David Freeman Date: Mon, 21 Jun 2021 15:18:36 -0600 Subject: [PATCH 09/14] comment out npm clean install --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 6d40cf0..ec0d8f1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ WORKDIR /opt/app RUN dnf upgrade -y && \ dnf install npm -y && \ - npm ci --production && \ + # npm ci --production && \ dnf -y remove npm && \ dnf clean all && \ rm -rf /var/cache/dnf && \ -- GitLab From 85f230dd1b748d07464d8bf238a700be1f334c73 Mon Sep 17 00:00:00 2001 From: David Freeman Date: Mon, 21 Jun 2021 15:34:33 -0600 Subject: [PATCH 10/14] update upstream img digest --- Dockerfile | 2 +- hardening_manifest.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index ec0d8f1..6d40cf0 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -16,7 +16,7 @@ WORKDIR /opt/app RUN dnf upgrade -y && \ dnf install npm -y && \ - # npm ci --production && \ + npm ci --production && \ dnf -y remove npm && \ dnf clean all && \ rm -rf /var/cache/dnf && \ diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 9280bd5..023c435 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -38,7 +38,7 @@ labels: # List of resources to make available to the offline build context resources: - tag: lovasoa/wbo:v1.14.4 - url: docker://docker.io/lovasoa/wbo@sha256:50fcda9c6ca92b955df7ed19bcea6dd3671f4b8c338c0ebdc21a4da7b82f3767 + url: docker://docker.io/lovasoa/wbo@sha256:4614b2d3399be083130987f66737dfc3513da86f1954ea10faa4415d9c614498 # List of project maintainers maintainers: -- GitLab From e6f784412df9de44d179f334ac07139900377a19 Mon Sep 17 00:00:00 2001 From: David Freeman Date: Mon, 21 Jun 2021 15:57:01 -0600 Subject: [PATCH 11/14] add statsd dep to resources --- Dockerfile | 3 +++ hardening_manifest.yaml | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/Dockerfile b/Dockerfile index 6d40cf0..d49ad0d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,11 +11,14 @@ USER 0 COPY --from=base /opt/app /opt/app COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh COPY scripts/server.js /opt/app/server/server.js +COPY statsd-client-0.4.7.tgz /opt/app WORKDIR /opt/app RUN dnf upgrade -y && \ dnf install npm -y && \ + npm install statsd-client-0.4.7.tgz && \ + rm statsd-client-0.4.7.tgz && \ npm ci --production && \ dnf -y remove npm && \ dnf clean all && \ diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 023c435..bec5b5a 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
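Review bot: The pinned digest for `lovasoa/wbo:v1.14.4` changes from `50fcda9c…` to `4614b2d3…` while the tag stays the same, and neither the commit message nor the manifest records why. The digest is the only integrity check on this upstream image, so the reason for a same-tag change should be stated (a tag re-pushed upstream, or an index digest swapped for a platform manifest digest) and the value re-derived independently before merge. A comment above the `url:` line such as `# digest resolved from docker.io on <DATE>, <index | platform manifest>` would make the next review straightforward.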
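Review bot: In the RUN step, `npm install statsd-client-0.4.7.tgz` and `rm statsd-client-0.4.7.tgz` run before `npm ci --production`, and `npm ci` deletes `node_modules` and reinstalls from the lockfile. The tarball install is therefore either thrown away or, if `npm install` recorded it as a `file:` dependency, `npm ci` will look for an archive that was just removed. If the package is needed, install it after `npm ci`, or keep the tarball until that step has run. The separate `COPY statsd-client-0.4.7.tgz /opt/app` layer also keeps the archive in the image history even though a later layer deletes it. The RUN instruction continues past the end of the hunk.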
@@ -39,6 +39,11 @@ labels: resources: - tag: lovasoa/wbo:v1.14.4 url: docker://docker.io/lovasoa/wbo@sha256:4614b2d3399be083130987f66737dfc3513da86f1954ea10faa4415d9c614498 +- filename: statsd-client-0.4.7.tgz + url: https://registry.npmjs.org/statsd-client/-/statsd-client-0.4.7.tgz + validation: + type: sha256 + value: 8816d88915b047f97d72b7fa06e0b62fb2ec6fc0e2c78092d0d013cf31285c84 # List of project maintainers maintainers: -- GitLab From 021ec48770639f62f9d32f5ade2041a44a7bd383 Mon Sep 17 00:00:00 2001 From: David Freeman Date: Tue, 22 Jun 2021 08:52:49 -0600 Subject: [PATCH 12/14] copy global node modules --- Dockerfile | 3 ++- hardening_manifest.yaml | 10 +++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index d49ad0d..1450e66 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,9 +9,10 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} USER 0 COPY --from=base /opt/app /opt/app +COPY --from=base /usr/local/lib/node_modules /usr/local/lib/node_modules COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh COPY scripts/server.js /opt/app/server/server.js -COPY statsd-client-0.4.7.tgz /opt/app +# COPY statsd-client-0.4.7.tgz /opt/app WORKDIR /opt/app diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index bec5b5a..230465c 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
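Review bot: `COPY --from=base /usr/local/lib/node_modules /usr/local/lib/node_modules` brings the upstream image's global modules into the hardened base, and in Node images that directory normally holds `npm` itself. If that is the case here, the `dnf -y remove npm` in the RUN step below the hunk no longer removes the package manager from the final image, and the copied tree was installed under the upstream image's Node rather than the `nodejs14` base. Copy only the specific global package the server needs, or declare it as a checksum-validated entry under `resources:`. The commented-out `# COPY statsd-client-0.4.7.tgz /opt/app`, and the commented-out resource block in hardening_manifest.yaml in the same commit, should be deleted rather than left in place.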
@@ -39,11 +39,11 @@ labels: resources: - tag: lovasoa/wbo:v1.14.4 url: docker://docker.io/lovasoa/wbo@sha256:4614b2d3399be083130987f66737dfc3513da86f1954ea10faa4415d9c614498 -- filename: statsd-client-0.4.7.tgz - url: https://registry.npmjs.org/statsd-client/-/statsd-client-0.4.7.tgz - validation: - type: sha256 - value: 8816d88915b047f97d72b7fa06e0b62fb2ec6fc0e2c78092d0d013cf31285c84 +# - filename: statsd-client-0.4.7.tgz +# url: https://registry.npmjs.org/statsd-client/-/statsd-client-0.4.7.tgz +# validation: +# type: sha256 +# value: 8816d88915b047f97d72b7fa06e0b62fb2ec6fc0e2c78092d0d013cf31285c84 # List of project maintainers maintainers: -- GitLab From 48d423cdc4411822bbb3a30699f274008fefee6f Mon Sep 17 00:00:00 2001 From: David Freeman Date: Tue, 22 Jun 2021 09:02:52 -0600 Subject: [PATCH 13/14] comment out intstall and removal of statsd package --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1450e66..848892f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,8 +18,8 @@ WORKDIR /opt/app RUN dnf upgrade -y && \ dnf install npm -y && \ - npm install statsd-client-0.4.7.tgz && \ - rm statsd-client-0.4.7.tgz && \ + # npm install statsd-client-0.4.7.tgz && \ + # rm statsd-client-0.4.7.tgz && \ npm ci --production && \ dnf -y remove npm && \ dnf clean all && \ -- GitLab From ad242483b3dc562613d6b850ab689cdd086ddd38 Mon Sep 17 00:00:00 2001 From: David Freeman Date: Tue, 22 Jun 2021 09:14:13 -0600 Subject: [PATCH 14/14] use regular npm install --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 848892f..e35a48a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,7 @@ RUN dnf upgrade -y && \ dnf install npm -y && \ # npm install statsd-client-0.4.7.tgz && \ # rm statsd-client-0.4.7.tgz && \ - npm ci --production && \ + npm install --production && \ dnf -y remove npm && \ dnf clean all && \ rm -rf /var/cache/dnf && \ -- GitLab
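Review bot: Replacing `npm ci --production` with `npm install --production` drops the lockfile guarantee, because `npm install` may resolve newer versions within the declared ranges and rewrite `package-lock.json`, so two builds of the same commit can ship different dependency trees. The commit message does not say what failed under `npm ci`. If it was a lockfile mismatch, that is the thing to fix; if the modules copied from the `base` stage are already complete, the install step may not be needed at all. Keep `npm ci --production` unless there is a recorded reason to change it. The RUN instruction starts and ends outside the hunk.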