Be able to run as non-root

Fix for kubernetes (RunAsGroup is not yet available)
camptocamp · Jun 22, 2018 · 2317108 · 2317108
1 parent ca6c2f0
commit 2317108
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 21 deletions.
diff --git a/geoportal/c2cgeoportal_geoportal/scaffolds/create/Dockerfile b/geoportal/c2cgeoportal_geoportal/scaffolds/create/Dockerfile
@@ -7,24 +7,24 @@ RUN \
   apt-get clean && \
   rm --recursive --force /var/lib/apt/lists/*
 
-COPY bin/* /usr/bin/
-
-COPY mapserver /etc/mapserver
-VOLUME /etc/mapserver
-
-#COPY qgisserver /project
-#VOLUME /project
-
-COPY mapcache /mapcache
-VOLUME /mapcache
-
-COPY tilegeneration /etc/tilegeneration
-VOLUME /etc/tilegeneration
-
-COPY print/print-apps /usr/local/tomcat/webapps/ROOT/print-apps
-VOLUME /usr/local/tomcat/webapps/ROOT/print-apps
-
-COPY front /etc/haproxy
-VOLUME /etc/haproxy
+COPY . /tmp/config/
+
+RUN mv /tmp/config/bin/* /usr/bin/ && \
+    if [ -e /tmp/config/mapserver ]; then mv /tmp/config/mapserver /etc/; fi && \
+    if [ -e /tmp/config/tilegeneration ]; then mv /tmp/config/tilegeneration /etc/; fi && \
+    if [ -e /tmp/config/qgisserver ]; then mv /tmp/config/qgisserver /project; fi && \
+    if [ -e /tmp/config/mapcache ]; then mv /tmp/config/mapcache /etc/; fi && \
+    if [ -e /tmp/config/front ]; then mv /tmp/config/front /etc/haproxy; fi && \
+    mkdir --parent /usr/local/tomcat/webapps/ROOT/ && \
+    if [ -e /tmp/config/print ]; then mv /tmp/config/print/print-apps /usr/local/tomcat/webapps/ROOT/; fi && \
+    chmod g+w -R /etc /usr/local/tomcat/webapps && \
+    adduser www-data root
+
+VOLUME /etc/mapserver \
+    /project \
+    /mapcache \
+    /etc/tilegeneration \
+    /usr/local/tomcat/webapps/ROOT/print-apps \
+    /etc/haproxy
 
 ENTRYPOINT [ "/usr/bin/eval-templates" ]
diff --git a/geoportal/c2cgeoportal_geoportal/scaffolds/create/bin/eval-templates b/geoportal/c2cgeoportal_geoportal/scaffolds/create/bin/eval-templates
@@ -3,7 +3,7 @@
 export VISIBLE_WEB_HOST_RE_ESCAPED=`python3 -c "print(__import__('re').escape('${VISIBLE_WEB_HOST}'))"`
 export VISIBLE_ENTRY_POINT_RE_ESCAPED=`python3 -c "print(__import__('re').escape('${VISIBLE_ENTRY_POINT}'))"`
 
-find /etc /mapcache /usr/local/tomcat/webapps/ -name '*.tmpl' -print | while read file
+find /etc /usr/local/tomcat/webapps/ -name '*.tmpl' -print | while read file
 do
     echo "Evaluate: ${file}"
     envsubst < ${file} > ${file%.tmpl}

diff --git a/geoportal/c2cgeoportal_geoportal/scaffolds/create/docker-compose.yaml.mako b/geoportal/c2cgeoportal_geoportal/scaffolds/create/docker-compose.yaml.mako
@@ -8,10 +8,12 @@ version: '2'
 services:
   config:
     image: ${docker_base}-config:${docker_tag}
+    user: www-data
 ${service_defaults('config')}\
 
   print:
     image: camptocamp/mapfish_print:3.14
+    user: www-data
     volumes_from:
       - config:ro
 ${service_defaults('print', 8080)}\
@@ -45,13 +47,15 @@ ${service_defaults('mapcache', 80)}\
 
   memcached:
     image: memcached:1.5
+    user: www-data
     command:
       - memcached
       - --memory-limit=512
 ${service_defaults('memcached', 11211)}\
 
   redis:
     image: redis:3.2
+    user: www-data
     command:
       - redis-server
       - --save
@@ -82,12 +86,14 @@ ${service_defaults('tilecloudchain')}\
 
   geoportal:
     image: ${docker_base}-geoportal:${docker_tag}
+    user: www-data
     volumes:
       - /var/sig:/var/sig:ro
 ${service_defaults('geoportal', 8080)}\
 
   alembic:
     image: ${docker_base}-geoportal:${docker_tag}
+    user: www-data
     command:
       - alembic
       - --name=static

diff --git a/geoportal/c2cgeoportal_geoportal/scaffolds/create/geoportal/Dockerfile.mako b/geoportal/c2cgeoportal_geoportal/scaffolds/create/geoportal/Dockerfile.mako
@@ -21,7 +21,9 @@ WORKDIR /app
 COPY . /app
 
 RUN mv webpack.apps.js webpack.apps.js.tmpl && \
-    ln --symbolic /usr/lib/node_modules/ .
+    ln --symbolic /usr/lib/node_modules/ . && \
+    chmod g+w -R . && \
+    adduser www-data root
 
 ARG GIT_HASH
 

diff --git a/geoportal/c2cgeoportal_geoportal/scaffolds/update/CONST_vars.yaml_tmpl b/geoportal/c2cgeoportal_geoportal/scaffolds/update/CONST_vars.yaml_tmpl
@@ -78,6 +78,12 @@ vars:
         C2C_BROADCAST_PREFIX: broadcast_geoportal_
     tilecloudchain:
       environment:
+        GUNICORN_PARAMS:
+          --bind=:8080
+          --worker-class=gthread
+          --threads=10
+          --workers=5
+          --worker-connections=1000
         VISIBLE_ENTRY_POINT: '{docker_entry_point}'
         TILEGENERATION_CONFIGFILE: /etc/tilegeneration/config.yaml
         C2C_BASE_PATH: /c2c_tiles

diff --git a/travis/docker-compose.yaml.mako b/travis/docker-compose.yaml.mako
@@ -7,6 +7,8 @@ version: '2'
 services:
   config:
     image: ${docker_base}-config:${docker_tag}
+    user: www-data
+${service_defaults('config')}\
 
   db:
     image: ${docker_base}-testdb:${docker_tag}
@@ -18,6 +20,7 @@ ${service_defaults('external-db', 5432)}\
 
   print:
     image: camptocamp/mapfish_print:3.14
+    user: www-data
     volumes_from:
       - config:ro
 ${service_defaults('print', 8080)}\
@@ -26,12 +29,15 @@ ${service_defaults('print', 8080)}\
     image: camptocamp/mapserver:7.0
     volumes_from:
       - config:rw
+    entrypoint: []
 ${service_defaults('mapserver', 80)}\
 
   redis:
     image: redis:3.2
+    user: www-data
 ${service_defaults('mapserver', 6379)}\
 
   geoportal:
     image: ${docker_base}-geoportal:${docker_tag}
+    user: www-data
 ${service_defaults('geoportal', 8080, True)}\