diff --git a/ckan-2.10/base/Dockerfile.py3.10 b/ckan-2.10/base/Dockerfile.py3.10 index 4ca48a6..890a85b 100644 --- a/ckan-2.10/base/Dockerfile.py3.10 +++ b/ckan-2.10/base/Dockerfile.py3.10 @@ -60,7 +60,6 @@ RUN pip3 install -U pip && \ cd ${SRC_DIR} && \ pip3 install -e git+${GIT_URL}@${CKAN_VERSION}#egg=ckan && \ cd ckan && \ - cp who.ini ${APP_DIR} && \ pip3 install --no-binary markdown -r requirements.txt && \ # Install CKAN envvars to support loading config from environment variables pip3 install -e git+https://github.com/okfn/ckanext-envvars.git@v0.0.6#egg=ckanext-envvars && \ 
@@ -69,19 +68,31 @@ RUN pip3 install -U pip && \ ckan config-tool ${CKAN_INI} "beaker.session.secret = " && \ ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}" -# Create a local user and group plus set up the storage path -RUN groupadd -g 92 ckan && \ - useradd -rm -d /srv/app -s /bin/bash -g ckan -u 92 ckan && \ - mkdir -p ${CKAN_STORAGE_PATH} && \ - chown -R ckan:ckan ${CKAN_STORAGE_PATH} - +# Create ckan and ckan-sys users and the ckan-sys group plus set up the storage path +RUN groupadd -g 502 ckan-sys && \ + useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 502 ckan-sys && \ + useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 503 ckan + COPY setup/prerun.py ${APP_DIR} COPY setup/start_ckan.sh ${APP_DIR} ADD https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/wsgi.py ${APP_DIR} RUN chmod 644 ${APP_DIR}/wsgi.py # Create entrypoint directory for children image scripts -ONBUILD RUN mkdir /docker-entrypoint.d +RUN mkdir -p /docker-entrypoint.d && chmod 755 /docker-entrypoint.d + +# Set the ownership of the app directory, usr/local and the entrypoint directory to the ckan-sys user +RUN chown -R ckan-sys:ckan-sys ${APP_DIR} && \ + chown -R ckan-sys:ckan-sys /docker-entrypoint.d && \ + chown -R ckan-sys:ckan-sys /usr/local + +# Set the ownership of the CKAN config file, src and the storage path to the ckan user +RUN chown ckan:ckan-sys ${APP_DIR}/ckan.ini && \ + chown -R ckan:ckan-sys ${APP_DIR}/src && \ + mkdir -p ${CKAN_STORAGE_PATH} && \ + chown -R ckan:ckan-sys ${CKAN_STORAGE_PATH} + +USER ckan EXPOSE 5000 diff --git a/ckan-2.10/base/Makefile b/ckan-2.10/base/Makefile index 565ab26..7d63242 100644 --- a/ckan-2.10/base/Makefile +++ b/ckan-2.10/base/Makefile 
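Review bot: Both accounts are created with `-g ckan-sys`, so after `chown -R ckan-sys:ckan-sys ${APP_DIR}` and `chown -R ckan-sys:ckan-sys /usr/local` the runtime user `ckan` still has group access to the trees the split is meant to protect. Any group-writable file or directory there stays writable by the web process. No mode change accompanies the chown, and whether such entries exist depends on the base image, which is not visible in this hunk. Consider appending `chmod -R g-w ${APP_DIR} /docker-entrypoint.d /usr/local` to that RUN, ahead of the `chown ckan:ckan-sys` step, or giving `ckan` its own primary group. The same lines are added in the ckan-2.11, ckan-2.9 and ckan-master base Dockerfiles.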
@@ -17,7 +17,7 @@ help: build: ## Build CKAN 2.x.x images , `make build` echo "Building $(TAG_NAME) and $(ALT_TAG_NAME) and $(PYTHON_TAG_NAME) images" docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(TAG_NAME) -t $(ALT_TAG_NAME) . -# docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(PYTHON_TAG_NAME) -t $(PYTHON_ALT_TAG_NAME) -f $(PYTHON.DOCKERFILE) . + docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(PYTHON_TAG_NAME) -t $(PYTHON_ALT_TAG_NAME) -f $(PYTHON.DOCKERFILE) . push: ## Push CKAN 2.x.x images to the DockerHub registry, `make push` echo "Pushing $(TAG_NAME) image" diff --git a/ckan-2.10/base/setup/prerun.py b/ckan-2.10/base/setup/prerun.py index 037ddc2..4cc8f35 100644 --- a/ckan-2.10/base/setup/prerun.py +++ b/ckan-2.10/base/setup/prerun.py @@ -200,7 +200,7 @@ def create_sysadmin(): # We're running as root before pivoting to uwsgi and dropping privs data_dir = "%s/storage" % os.environ['CKAN_STORAGE_PATH'] - command = ["chown", "-R", "ckan:ckan", data_dir] + command = ["chown", "-R", "ckan:ckan-sys", data_dir] subprocess.call(command) print("[prerun] Ensured storage directory is owned by ckan") diff --git a/ckan-2.10/base/setup/start_ckan.sh b/ckan-2.10/base/setup/start_ckan.sh index 6f5c20d..7a6b2ab 100755 --- a/ckan-2.10/base/setup/start_ckan.sh +++ b/ckan-2.10/base/setup/start_ckan.sh @@ -33,12 +33,9 @@ then done fi -# Set the common uwsgi options -UWSGI_OPTS="--plugins http,python \ - --socket /tmp/uwsgi.sock \ +UWSGI_OPTS="--socket /tmp/uwsgi.sock \ --wsgi-file /srv/app/wsgi.py \ --module wsgi:application \ - --uid 92 --gid 92 \ --http [::]:5000 \ --master --enable-threads \ --lazy-apps \ diff --git a/ckan-2.10/base/setup/supervisord.conf b/ckan-2.10/base/setup/supervisord.conf index a3f6671..72aa099 100644 --- a/ckan-2.10/base/setup/supervisord.conf +++ b/ckan-2.10/base/setup/supervisord.conf 
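Review bot: The context comment `# We're running as root before pivoting to uwsgi and dropping privs` stops being true once the base image ends with `USER ckan`, as this commit makes it do. This `chown -R ckan:ckan-sys` then runs unprivileged and fails on a storage volume owned by another user. `subprocess.call(command)` discards the exit status, and the next line prints "Ensured storage directory is owned by ckan" regardless. I would update the comment and check the result, e.g. `if subprocess.call(command) != 0: print("[prerun] Could not chown %s; check volume ownership" % data_dir)`. The enclosing function starts and ends outside the hunk; the same change is made in the ckan-2.11 and ckan-master prerun.py.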
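Review bot: With `--uid 92 --gid 92` removed from `UWSGI_OPTS`, uwsgi no longer drops privileges itself and serves as whichever user the container starts with. That is `ckan` only while the image's `USER ckan` is in effect; a child image that ends on `USER root`, or a run with the user overridden to 0, would serve requests as root. A guard ahead of the options keeps the old guarantee: `if [ "$(id -u)" -eq 0 ]; then echo "$0: refusing to start uwsgi as root" >&2; exit 1; fi`. The same removal is made in the ckan-2.11, ckan-2.9 and ckan-master start_ckan.sh, and the rest of the script is outside the hunk.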
@@ -1,7 +1,7 @@ [unix_http_server] file = /tmp/supervisor.sock chmod = 0777 -chown = nobody:nogroup +chown = ckan:ckan-sys [supervisord] logfile = /tmp/supervisord.log diff --git a/ckan-2.10/dev/Dockerfile.py3.10 b/ckan-2.10/dev/Dockerfile.py3.10 index 9d32e10..e766c6e 100644 --- a/ckan-2.10/dev/Dockerfile.py3.10 +++ b/ckan-2.10/dev/Dockerfile.py3.10 @@ -6,17 +6,20 @@ ARG CKAN_VERSION=${CKAN_VERSION} ENV APP_DIR=/srv/app ENV SRC_EXTENSIONS_DIR=${APP_DIR}/src_extensions +USER root + # Install CKAN dev requirements -#RUN . ${APP_DIR}/bin/activate && \ RUN cd ${SRC_DIR}/ckan && \ pip3 install -r https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/dev-requirements.txt -# Create folder for local extensions sources -RUN mkdir -p ${SRC_EXTENSIONS_DIR} +COPY --chown=ckan-sys:ckan-sys setup/unsafe.cert setup/unsafe.key setup/start_ckan_development.sh setup/install_src.sh ${APP_DIR} -# These are used to run https on development mode -COPY setup/unsafe.cert setup/unsafe.key ${APP_DIR} +# Update local directories +RUN mkdir -p ${SRC_EXTENSIONS_DIR} /var/lib/ckan && \ + chown -R ckan-sys:ckan-sys ${SRC_EXTENSIONS_DIR} && \ + chown -R ckan:ckan-sys /var/lib/ckan/ && \ + chmod 775 ${SRC_EXTENSIONS_DIR} -COPY setup/start_ckan_development.sh ${APP_DIR} +USER ckan CMD ["/srv/app/start_ckan_development.sh"] diff --git a/ckan-2.10/dev/Makefile b/ckan-2.10/dev/Makefile index 1a2f146..3445b14 100644 --- a/ckan-2.10/dev/Makefile +++ b/ckan-2.10/dev/Makefile 
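Review bot: The unchanged `chmod = 0777` in `[unix_http_server]` still lets every local account open `/tmp/supervisor.sock` and control the supervised processes, even though the socket is now owned by `ckan:ckan-sys`. The visible section sets no credentials for the socket. Because owner and group are now the CKAN accounts, `chmod = 0770` (or `0700`) would be sufficient. It is also worth confirming that supervisord is started by a user that is allowed to perform this `chown`; that is not visible here.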
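Review bot: The merged `COPY --chown=ckan-sys:ckan-sys ...` line lost the comment that explained what `unsafe.cert` and `unsafe.key` are for. Nothing states how the newly shipped `install_src.sh` is meant to be invoked either: the image ends with `USER ckan`, while the script exits unless `id -u` is 0. I would add above the COPY: `# unsafe.cert/unsafe.key: self-signed pair for HTTPS in development only; install_src.sh must be run as root`. The same applies to the ckan-2.11 and ckan-master dev Dockerfiles.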
@@ -17,7 +17,7 @@ help: build: ## Build a CKAN 2.x-dev image , `make build` echo "Building $(TAG_NAME) and $(ALT_TAG_NAME) images" docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(TAG_NAME) -t $(ALT_TAG_NAME) . - docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(PYTHON_TAG_NAME) -t $(PYTHON_ALT_TAG_NAME) -f $(PYTHON.DOCKERFILE) --no-cache . + docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(PYTHON_TAG_NAME) -t $(PYTHON_ALT_TAG_NAME) -f $(PYTHON.DOCKERFILE) . push: ## Push a CKAN 2.x-dev image to the DockerHub registry, `make push` echo "Pushing $(TAG_NAME) image" diff --git a/ckan-2.10/dev/setup/install_src.sh b/ckan-2.10/dev/setup/install_src.sh new file mode 100755 index 0000000..8cd6735 --- /dev/null +++ b/ckan-2.10/dev/setup/install_src.sh 
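Review bot: Dropping `--no-cache` from the second `docker build` lets the dev Dockerfile's `pip3 install -r https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/dev-requirements.txt` layer be reused from cache. Docker keys that layer on the instruction text, so a changed upstream requirements file is not picked up while `CKAN_VERSION` stays the same. A locally cached base image is reused silently as well. If the speed-up is wanted for local work, add `--pull` here and keep an uncached build for images that get pushed, with a comment such as `# cached build: run with --no-cache before pushing`. The same flag is removed in ckan-2.9/dev/Makefile.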
@@ -0,0 +1,58 @@ +#!/bin/bash + +if [ $(id -u) -ne 0 ]; then + echo "Please run as root" + exit 1 +fi + +# Install any local extensions in the src_extensions volume +echo "Looking for local extensions to install..." +echo "Extension dir contents:" +ls -la $SRC_EXTENSIONS_DIR +for i in $SRC_EXTENSIONS_DIR/* +do + if [ -d $i ]; + then + if [ -d $SRC_DIR/$(basename $i) ]; + then + pip uninstall -y "$(basename $i)" + fi + + if [ -f $i/pip-requirements.txt ]; + then + pip install -r $i/pip-requirements.txt + echo "Found requirements file in $i" + fi + if [ -f $i/requirements.txt ]; + then + pip install -r $i/requirements.txt + echo "Found requirements file in $i" + fi + if [ -f $i/dev-requirements.txt ]; + then + pip install -r $i/dev-requirements.txt + echo "Found dev-requirements file in $i" + fi + if [ -f $i/setup.py ]; + then + cd $i + python3 $i/setup.py develop + echo "Found setup.py file in $i" + cd $APP_DIR + fi + if [ -f $i/pyproject.toml ]; + then + cd $i + pip install -e . + echo "Found pyproject.toml file in $i" + cd $APP_DIR + fi + + # Point `use` in test.ini to location of `test-core.ini` + if [ -f $i/test.ini ]; + then + echo "Updating \`test.ini\` reference to \`test-core.ini\` for plugin $i" + ckan config-tool $i/test.ini "use = config:../../src/ckan/test-core.ini" + fi + fi +done diff --git a/ckan-2.10/dev/setup/start_ckan_development.sh b/ckan-2.10/dev/setup/start_ckan_development.sh index fb2dd15..fc85e28 100755 --- a/ckan-2.10/dev/setup/start_ckan_development.sh +++ b/ckan-2.10/dev/setup/start_ckan_development.sh 
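Review bot: This script insists on root and then runs `python3 $i/setup.py develop`, `pip install -e .` and `pip install -r` on every directory under `$SRC_EXTENSIONS_DIR`. The dev Dockerfiles in this commit make that directory writable by the unprivileged runtime user (`chmod 775` with group `ckan-sys` in 2.10, owner `ckan` in 2.11 and master). Anything the web process can write there is later executed as root inside the container. Running the installs as `ckan-sys` rather than root, or keeping the directory writable only by the account that installs from it, would close that path. Separately, every expansion is unquoted and `cd $i` is unchecked, so a path with spaces or a failed `cd` runs the install in the wrong directory; `for i in "$SRC_EXTENSIONS_DIR"/*` and `cd "$i" || continue` fix that. The identical file is added under ckan-2.11/dev and ckan-master/dev.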
@@ -6,58 +6,6 @@ if [[ $CKAN__PLUGINS == *"datapusher"* ]]; then ckan config-tool $CKAN_INI ckan.datapusher.api_token=xxx fi -# Install any local extensions in the src_extensions volume -echo "Looking for local extensions to install..." -echo "Extension dir contents:" -ls -la $SRC_EXTENSIONS_DIR -for i in $SRC_EXTENSIONS_DIR/* -do - if [ -d $i ]; - then - if [ -d $SRC_DIR/$(basename $i) ]; - then - pip uninstall -y "$(basename $i)" - fi - - if [ -f $i/pip-requirements.txt ]; - then - pip install -r $i/pip-requirements.txt - echo "Found requirements file in $i" - fi - if [ -f $i/requirements.txt ]; - then - pip install -r $i/requirements.txt - echo "Found requirements file in $i" - fi - if [ -f $i/dev-requirements.txt ]; - then - pip install -r $i/dev-requirements.txt - echo "Found dev-requirements file in $i" - fi - if [ -f $i/setup.py ]; - then - cd $i - python3 $i/setup.py develop - echo "Found setup.py file in $i" - cd $APP_DIR - fi - if [ -f $i/pyproject.toml ]; - then - cd $i - pip install -e . - echo "Found pyproject.toml file in $i" - cd $APP_DIR - fi - - # Point `use` in test.ini to location of `test-core.ini` - if [ -f $i/test.ini ]; - then - echo "Updating \`test.ini\` reference to \`test-core.ini\` for plugin $i" - ckan config-tool $i/test.ini "use = config:../../src/ckan/test-core.ini" - fi - fi -done - # Set debug to true echo "Enabling debug mode" ckan config-tool $CKAN_INI -s DEFAULT "debug = true" @@ -117,7 +65,7 @@ fi # Start the development server as the ckan user with automatic reload while true; do - su ckan -c "$CKAN_RUN $CKAN_OPTIONS" + $CKAN_RUN $CKAN_OPTIONS echo Exit with status $?. Restarting. sleep 2 done diff --git a/ckan-2.11/base/Dockerfile b/ckan-2.11/base/Dockerfile index fb82720..02b1090 100644 --- a/ckan-2.11/base/Dockerfile +++ b/ckan-2.11/base/Dockerfile @@ -36,7 +36,7 @@ RUN update-locale LANG=${LC_ALL} # Install system libraries RUN apt-get install --no-install-recommends -y \ - apt-utils \ + apt-utils \ git \ libpq-dev \ g++ \ 
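Review bot: The comment `# Start the development server as the ckan user with automatic reload` now describes something the script no longer does. With `su ckan -c` removed, `$CKAN_RUN $CKAN_OPTIONS` runs as whatever user the container was started with, which is `ckan` only because of the image's `USER ckan`. I would reword it to `# Start the development server with automatic reload (runs as the image's USER, normally ckan)`. It would also help to note near the removed install loop that local extensions are no longer installed at start-up and `install_src.sh` has to be run separately. The loop continues outside the hunk; the same edit is made in the ckan-2.11, ckan-2.9 and ckan-master scripts.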
@@ -61,11 +61,10 @@ RUN pip3 install -U pip && \ ckan config-tool ${CKAN_INI} "SECRET_KEY = " && \ ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}" -# Create a local user and group plus set up the storage path -RUN groupadd -g 92 ckan && \ - useradd -rm -d /srv/app -s /bin/bash -g ckan -u 92 ckan && \ - mkdir -p ${CKAN_STORAGE_PATH} && \ - chown -R ckan:ckan ${CKAN_STORAGE_PATH} +# Create ckan and ckan-sys users and the ckan-sys group plus set up the storage path +RUN groupadd -g 502 ckan-sys && \ + useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 502 ckan-sys && \ + useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 503 ckan COPY setup/prerun.py ${APP_DIR} COPY setup/start_ckan.sh ${APP_DIR} @@ -73,8 +72,21 @@ ADD https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/wsgi.py ${APP_DI RUN chmod 644 ${APP_DIR}/wsgi.py # Create entrypoint directory for children image scripts -ONBUILD RUN mkdir /docker-entrypoint.d +RUN mkdir -p /docker-entrypoint.d && chmod 755 /docker-entrypoint.d + +# Set the ownership of the app directory, usr/local and the entrypoint directory to the ckan-sys user +RUN chown -R ckan-sys:ckan-sys ${APP_DIR} && \ + chown -R ckan-sys:ckan-sys /docker-entrypoint.d && \ + chown -R ckan-sys:ckan-sys /usr/local + +# Set the ownership of the CKAN config file, src and the storage path to the ckan user +RUN chown ckan:ckan-sys ${APP_DIR}/ckan.ini && \ + chown -R ckan:ckan-sys ${APP_DIR}/src && \ + mkdir -p ${CKAN_STORAGE_PATH} && \ + chown -R ckan:ckan-sys ${CKAN_STORAGE_PATH} + +USER ckan EXPOSE 5000 -CMD ["/srv/app/start_ckan.sh"] +CMD ["/srv/app/start_ckan.sh"] \ No newline at end of file diff --git a/ckan-2.11/base/setup/prerun.py b/ckan-2.11/base/setup/prerun.py index abd00ad..8f43fa4 100644 --- a/ckan-2.11/base/setup/prerun.py +++ b/ckan-2.11/base/setup/prerun.py 
@@ -199,7 +199,7 @@ def create_sysadmin(): # We're running as root before pivoting to uwsgi and dropping privs data_dir = "%s/storage" % os.environ['CKAN_STORAGE_PATH'] - command = ["chown", "-R", "ckan:ckan", data_dir] + command = ["chown", "-R", "ckan:ckan-sys", data_dir] subprocess.call(command) print("[prerun] Ensured storage directory is owned by ckan") diff --git a/ckan-2.11/base/setup/start_ckan.sh b/ckan-2.11/base/setup/start_ckan.sh index 949d11f..8799f03 100755 --- a/ckan-2.11/base/setup/start_ckan.sh +++ b/ckan-2.11/base/setup/start_ckan.sh @@ -33,12 +33,9 @@ then done fi -# Set the common uwsgi options -UWSGI_OPTS="--plugins http,python \ - --socket /tmp/uwsgi.sock \ +UWSGI_OPTS="--socket /tmp/uwsgi.sock \ --wsgi-file /srv/app/wsgi.py \ --module wsgi:application \ - --uid 92 --gid 92 \ --http [::]:5000 \ --master --enable-threads \ --lazy-apps \ diff --git a/ckan-2.11/dev/Dockerfile b/ckan-2.11/dev/Dockerfile index 0996bae..37d4a12 100644 --- a/ckan-2.11/dev/Dockerfile +++ b/ckan-2.11/dev/Dockerfile @@ -6,17 +6,18 @@ ARG CKAN_VERSION=${CKAN_VERSION} ENV APP_DIR=/srv/app ENV SRC_EXTENSIONS_DIR=${APP_DIR}/src_extensions +USER root + # Install CKAN dev requirements -#RUN . ${APP_DIR}/bin/activate && \ RUN cd ${SRC_DIR}/ckan && \ pip3 install -r https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/dev-requirements.txt -# Create folder for local extensions sources -RUN mkdir -p ${SRC_EXTENSIONS_DIR} +COPY --chown=ckan-sys:ckan-sys setup/unsafe.cert setup/unsafe.key setup/start_ckan_development.sh setup/install_src.sh ${APP_DIR} -# These are used to run https on development mode -COPY setup/unsafe.cert setup/unsafe.key ${APP_DIR} +# Update local directories +RUN mkdir -p ${SRC_EXTENSIONS_DIR} /var/lib/ckan && \ + chown -R ckan:ckan-sys ${SRC_EXTENSIONS_DIR} ${APP_DIR}/ckan.ini /var/lib/ckan/ -COPY setup/start_ckan_development.sh ${APP_DIR} +USER ckan CMD ["/srv/app/start_ckan_development.sh"] 
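Review bot: The ownership model for `${SRC_EXTENSIONS_DIR}` differs between versions in this commit. Here it is `chown -R ckan:ckan-sys ${SRC_EXTENSIONS_DIR} ${APP_DIR}/ckan.ini /var/lib/ckan/`, while the ckan-2.10 and ckan-2.9 dev Dockerfiles use `chown -R ckan-sys:ckan-sys ${SRC_EXTENSIONS_DIR}` plus `chmod 775`. I would pick one and state the intent in the comment, e.g. `# src_extensions is writable by ckan so mounted extensions can be edited; installs run via install_src.sh`. The ckan-master dev Dockerfile has the same line as this one.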
diff --git a/ckan-2.11/dev/setup/install_src.sh b/ckan-2.11/dev/setup/install_src.sh new file mode 100755 index 0000000..8cd6735 --- /dev/null +++ b/ckan-2.11/dev/setup/install_src.sh @@ -0,0 +1,58 @@ +#!/bin/bash + +if [ $(id -u) -ne 0 ]; then + echo "Please run as root" + exit 1 +fi + +# Install any local extensions in the src_extensions volume +echo "Looking for local extensions to install..." +echo "Extension dir contents:" +ls -la $SRC_EXTENSIONS_DIR +for i in $SRC_EXTENSIONS_DIR/* +do + if [ -d $i ]; + then + if [ -d $SRC_DIR/$(basename $i) ]; + then + pip uninstall -y "$(basename $i)" + fi + + if [ -f $i/pip-requirements.txt ]; + then + pip install -r $i/pip-requirements.txt + echo "Found requirements file in $i" + fi + if [ -f $i/requirements.txt ]; + then + pip install -r $i/requirements.txt + echo "Found requirements file in $i" + fi + if [ -f $i/dev-requirements.txt ]; + then + pip install -r $i/dev-requirements.txt + echo "Found dev-requirements file in $i" + fi + if [ -f $i/setup.py ]; + then + cd $i + python3 $i/setup.py develop + echo "Found setup.py file in $i" + cd $APP_DIR + fi + if [ -f $i/pyproject.toml ]; + then + cd $i + pip install -e . + echo "Found pyproject.toml file in $i" + cd $APP_DIR + fi + + # Point `use` in test.ini to location of `test-core.ini` + if [ -f $i/test.ini ]; + then + echo "Updating \`test.ini\` reference to \`test-core.ini\` for plugin $i" + ckan config-tool $i/test.ini "use = config:../../src/ckan/test-core.ini" + fi + fi +done diff --git a/ckan-2.11/dev/setup/start_ckan_development.sh b/ckan-2.11/dev/setup/start_ckan_development.sh index 5f61c84..ed9aeb9 100755 --- a/ckan-2.11/dev/setup/start_ckan_development.sh +++ b/ckan-2.11/dev/setup/start_ckan_development.sh 
@@ -6,58 +6,6 @@ if [[ $CKAN__PLUGINS == *"datapusher"* ]]; then ckan config-tool $CKAN_INI ckan.datapusher.api_token=xxx fi -# Install any local extensions in the src_extensions volume -echo "Looking for local extensions to install..." -echo "Extension dir contents:" -ls -la $SRC_EXTENSIONS_DIR -for i in $SRC_EXTENSIONS_DIR/* -do - if [ -d $i ]; - then - if [ -d $SRC_DIR/$(basename $i) ]; - then - pip uninstall -y "$(basename $i)" - fi - - if [ -f $i/pip-requirements.txt ]; - then - pip install -r $i/pip-requirements.txt - echo "Found requirements file in $i" - fi - if [ -f $i/requirements.txt ]; - then - pip install -r $i/requirements.txt - echo "Found requirements file in $i" - fi - if [ -f $i/dev-requirements.txt ]; - then - pip install -r $i/dev-requirements.txt - echo "Found dev-requirements file in $i" - fi - if [ -f $i/setup.py ]; - then - cd $i - python3 $i/setup.py develop - echo "Found setup.py file in $i" - cd $APP_DIR - fi - if [ -f $i/pyproject.toml ]; - then - cd $i - pip install -e . - echo "Found pyproject.toml file in $i" - cd $APP_DIR - fi - - # Point `use` in test.ini to location of `test-core.ini` - if [ -f $i/test.ini ]; - then - echo "Updating \`test.ini\` reference to \`test-core.ini\` for plugin $i" - ckan config-tool $i/test.ini "use = config:../../src/ckan/test-core.ini" - fi - fi -done - # Set debug to true echo "Enabling debug mode" ckan config-tool $CKAN_INI -s DEFAULT "debug = true" @@ -117,7 +65,7 @@ fi # Start the development server as the ckan user with automatic reload while true; do - su ckan -c "$CKAN_RUN $CKAN_OPTIONS" + $CKAN_RUN $CKAN_OPTIONS echo Exit with status $?. Restarting. sleep 2 done diff --git a/ckan-2.9/base/Dockerfile.py3.9 b/ckan-2.9/base/Dockerfile.py3.9 index 300a4e7..3a38490 100644 --- a/ckan-2.9/base/Dockerfile.py3.9 +++ b/ckan-2.9/base/Dockerfile.py3.9 
@@ -74,11 +74,10 @@ RUN pip3 install "webassets==0.12.1" && \ ckan config-tool ${CKAN_INI} "beaker.session.secret = " && \ ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}" -# Create a local user and group plus set up the storage path -RUN groupadd -g 92 ckan && \ - useradd -rm -d /srv/app -s /bin/bash -g ckan -u 92 ckan && \ - mkdir -p ${CKAN_STORAGE_PATH} && \ - chown -R ckan:ckan ${CKAN_STORAGE_PATH} +# Create ckan and ckan-sys users and the ckan-sys group plus set up the storage path +RUN groupadd -g 502 ckan-sys && \ + useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 502 ckan-sys && \ + useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 503 ckan COPY setup/prerun.py ${APP_DIR} COPY setup/start_ckan.sh ${APP_DIR} @@ -86,7 +85,20 @@ ADD https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/wsgi.py ${APP_DI RUN chmod 644 ${APP_DIR}/wsgi.py # Create entrypoint directory for children image scripts -ONBUILD RUN mkdir /docker-entrypoint.d +RUN mkdir -p /docker-entrypoint.d && chmod 755 /docker-entrypoint.d + +# Set the ownership of the app directory, usr/local and the entrypoint directory to the ckan-sys user +RUN chown -R ckan-sys:ckan-sys ${APP_DIR} && \ + chown -R ckan-sys:ckan-sys /docker-entrypoint.d && \ + chown -R ckan-sys:ckan-sys /usr/local + +# Set the ownership of the CKAN config file, src and the storage path to the ckan user +RUN chown ckan:ckan-sys ${APP_DIR}/ckan.ini && \ + chown -R ckan:ckan-sys ${APP_DIR}/src && \ + mkdir -p ${CKAN_STORAGE_PATH} && \ + chown -R ckan:ckan-sys ${CKAN_STORAGE_PATH} + +USER ckan EXPOSE 5000 diff --git a/ckan-2.9/base/Makefile b/ckan-2.9/base/Makefile index ab5bcc9..bfb4243 100644 --- a/ckan-2.9/base/Makefile +++ b/ckan-2.9/base/Makefile 
@@ -15,7 +15,7 @@ help: @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' build: ## Build CKAN 2.x.x images , `make build` - echo "Building $(TAG_NAME) and $(ALT_TAG_NAME) and $(PYTHON_TAG_NAME) images" + echo "Building $(TAG_NAME), $(ALT_TAG_NAME), $(PYTHON_TAG_NAME) and $(PYTHON_ALT_TAG_NAME) images" docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(TAG_NAME) -t $(ALT_TAG_NAME) . docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(PYTHON_TAG_NAME) -t $(PYTHON_ALT_TAG_NAME) -f $(PYTHON.DOCKERFILE) . diff --git a/ckan-2.9/base/setup/start_ckan.sh b/ckan-2.9/base/setup/start_ckan.sh index d44f564..13a6dce 100755 --- a/ckan-2.9/base/setup/start_ckan.sh +++ b/ckan-2.9/base/setup/start_ckan.sh @@ -23,7 +23,6 @@ then *.py) echo "$0: Running init file $f"; python3 "$f"; echo ;; *) echo "$0: Ignoring $f (not an sh or py file)" ;; esac - echo done fi @@ -32,7 +31,6 @@ UWSGI_OPTS="--plugins http,python \ --socket /tmp/uwsgi.sock \ --wsgi-file /srv/app/wsgi.py \ --module wsgi:application \ - --uid 92 --gid 92 \ --http 0.0.0.0:5000 \ --master --enable-threads \ --lazy-apps \ diff --git a/ckan-2.9/dev/Dockerfile.py3.9 b/ckan-2.9/dev/Dockerfile.py3.9 index 09153a8..3ce4d73 100644 --- a/ckan-2.9/dev/Dockerfile.py3.9 +++ b/ckan-2.9/dev/Dockerfile.py3.9 @@ -1,4 +1,4 @@ -FROM ckan/ckan-base:2.9.11-py3.9 +FROM ckan/ckan-base:2.9-py3.9 # Tag passed through via the Makefile ARG CKAN_VERSION=${CKAN_VERSION} @@ -6,6 +6,8 @@ ARG CKAN_VERSION=${CKAN_VERSION} ENV APP_DIR=/srv/app ENV SRC_EXTENSIONS_DIR=${APP_DIR}/src_extensions +USER root + # Install CKAN dev requirements #RUN . ${APP_DIR}/bin/activate && \ RUN cd ${SRC_DIR}/ckan && \ 
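Review bot: `FROM ckan/ckan-base:2.9-py3.9` replaces a patch-level tag with a floating one, so the dev image is built on whatever that tag points to at build time, or on a stale local copy now that `--no-cache` is gone from the dev Makefile. If following the latest 2.9 base is intended, say so in a comment and build with `--pull`. Otherwise pin the base by digest, `FROM ckan/ckan-base:2.9-py3.9@sha256:<digest-placeholder>`, so rebuilds are reproducible and a retagged base is noticed.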
@@ -14,9 +16,14 @@ pip3 install -r https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/dev- # Create folder for local extensions sources RUN mkdir -p ${SRC_EXTENSIONS_DIR} -# These are used to run https on development mode -COPY setup/unsafe.cert setup/unsafe.key ${APP_DIR} +COPY --chown=ckan-sys:ckan-sys setup/unsafe.cert setup/unsafe.key setup/start_ckan_development.sh ${APP_DIR} + +# Update local directories +RUN mkdir -p ${SRC_EXTENSIONS_DIR} /var/lib/ckan && \ + chown -R ckan-sys:ckan-sys ${SRC_EXTENSIONS_DIR} && \ + chown -R ckan:ckan-sys /var/lib/ckan/ && \ + chmod 775 ${SRC_EXTENSIONS_DIR} -COPY setup/start_ckan_development.sh ${APP_DIR} +USER ckan CMD ["/srv/app/start_ckan_development.sh"] diff --git a/ckan-2.9/dev/Makefile b/ckan-2.9/dev/Makefile index ffb1117..1990818 100644 --- a/ckan-2.9/dev/Makefile +++ b/ckan-2.9/dev/Makefile @@ -15,9 +15,9 @@ help: @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' build: ## Build a CKAN 2.x-dev image , `make build` - echo "Building $(TAG_NAME) and $(ALT_TAG_NAME) images" + echo "Building $(TAG_NAME), $(ALT_TAG_NAME), $(PYTHON_TAG_NAME) and $(PYTHON_ALT_TAG_NAME) images" docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(TAG_NAME) -t $(ALT_TAG_NAME) . - docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(PYTHON_TAG_NAME) -t $(PYTHON_ALT_TAG_NAME) -f $(PYTHON.DOCKERFILE) --no-cache . + docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(PYTHON_TAG_NAME) -t $(PYTHON_ALT_TAG_NAME) -f $(PYTHON.DOCKERFILE) . push: ## Push a CKAN 2.x-dev image to the DockerHub registry, `make push` echo "Pushing $(TAG_NAME) image" diff --git a/ckan-2.9/dev/setup/start_ckan_development.sh b/ckan-2.9/dev/setup/start_ckan_development.sh index d5a134e..3a784b5 100755 --- a/ckan-2.9/dev/setup/start_ckan_development.sh +++ b/ckan-2.9/dev/setup/start_ckan_development.sh 
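Review bot: The context line `RUN mkdir -p ${SRC_EXTENSIONS_DIR}` is kept while the added RUN creates the same directory again, so the earlier instruction and its comment are now redundant. Unlike the other versions, this COPY does not ship `install_src.sh`, and the ckan-2.9 start_ckan_development.sh hunk only replaces the `su ckan -c` line. If that script still contains the extension install loop (not visible here), its `pip install` calls now run as `ckan` against a `/usr/local` owned by `ckan-sys` and may fail. I would either port `install_src.sh` to 2.9 or add a comment explaining why 2.9 keeps installing at start-up.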
@@ -116,7 +116,7 @@ fi # Start the development server as the ckan user with automatic reload while true; do - su ckan -c "$CKAN_RUN $CKAN_OPTIONS" + $CKAN_RUN $CKAN_OPTIONS echo Exit with status $?. Restarting. sleep 2 done diff --git a/ckan-master/base/Dockerfile b/ckan-master/base/Dockerfile index fb82720..4bb9733 100644 --- a/ckan-master/base/Dockerfile +++ b/ckan-master/base/Dockerfile @@ -61,11 +61,10 @@ RUN pip3 install -U pip && \ ckan config-tool ${CKAN_INI} "SECRET_KEY = " && \ ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}" -# Create a local user and group plus set up the storage path -RUN groupadd -g 92 ckan && \ - useradd -rm -d /srv/app -s /bin/bash -g ckan -u 92 ckan && \ - mkdir -p ${CKAN_STORAGE_PATH} && \ - chown -R ckan:ckan ${CKAN_STORAGE_PATH} +# Create ckan and ckan-sys users and the ckan-sys group plus set up the storage path +RUN groupadd -g 502 ckan-sys && \ + useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 502 ckan-sys && \ + useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 503 ckan COPY setup/prerun.py ${APP_DIR} COPY setup/start_ckan.sh ${APP_DIR} @@ -73,7 +72,20 @@ ADD https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/wsgi.py ${APP_DI RUN chmod 644 ${APP_DIR}/wsgi.py # Create entrypoint directory for children image scripts -ONBUILD RUN mkdir /docker-entrypoint.d +RUN mkdir -p /docker-entrypoint.d && chmod 755 /docker-entrypoint.d + +# Set the ownership of the app directory, usr/local and the entrypoint directory to the ckan-sys user +RUN chown -R ckan-sys:ckan-sys ${APP_DIR} && \ + chown -R ckan-sys:ckan-sys /docker-entrypoint.d && \ + chown -R ckan-sys:ckan-sys /usr/local + +# Set the ownership of the CKAN config file, src and the storage path to the ckan user +RUN chown ckan:ckan-sys ${APP_DIR}/ckan.ini && \ + chown -R ckan:ckan-sys ${APP_DIR}/src && \ + mkdir -p ${CKAN_STORAGE_PATH} && \ + chown -R ckan:ckan-sys ${CKAN_STORAGE_PATH} + +USER ckan EXPOSE 5000 
diff --git a/ckan-master/base/setup/prerun.py b/ckan-master/base/setup/prerun.py index abd00ad..8f43fa4 100644 --- a/ckan-master/base/setup/prerun.py +++ b/ckan-master/base/setup/prerun.py @@ -199,7 +199,7 @@ def create_sysadmin(): # We're running as root before pivoting to uwsgi and dropping privs data_dir = "%s/storage" % os.environ['CKAN_STORAGE_PATH'] - command = ["chown", "-R", "ckan:ckan", data_dir] + command = ["chown", "-R", "ckan:ckan-sys", data_dir] subprocess.call(command) print("[prerun] Ensured storage directory is owned by ckan") diff --git a/ckan-master/base/setup/start_ckan.sh b/ckan-master/base/setup/start_ckan.sh index 949d11f..d01c677 100755 --- a/ckan-master/base/setup/start_ckan.sh +++ b/ckan-master/base/setup/start_ckan.sh @@ -34,11 +34,9 @@ then fi # Set the common uwsgi options -UWSGI_OPTS="--plugins http,python \ - --socket /tmp/uwsgi.sock \ +UWSGI_OPTS="--socket /tmp/uwsgi.sock \ --wsgi-file /srv/app/wsgi.py \ --module wsgi:application \ - --uid 92 --gid 92 \ --http [::]:5000 \ --master --enable-threads \ --lazy-apps \ diff --git a/ckan-master/dev/Dockerfile b/ckan-master/dev/Dockerfile index fe8ea0c..b4934a5 100644 --- a/ckan-master/dev/Dockerfile +++ b/ckan-master/dev/Dockerfile 
@@ -6,17 +6,18 @@ ARG CKAN_VERSION=${CKAN_VERSION} ENV APP_DIR=/srv/app ENV SRC_EXTENSIONS_DIR=${APP_DIR}/src_extensions +USER root + # Install CKAN dev requirements -#RUN . ${APP_DIR}/bin/activate && \ RUN cd ${SRC_DIR}/ckan && \ pip3 install -r https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/dev-requirements.txt -# Create folder for local extensions sources -RUN mkdir -p ${SRC_EXTENSIONS_DIR} +COPY --chown=ckan-sys:ckan-sys setup/unsafe.cert setup/unsafe.key setup/start_ckan_development.sh setup/install_src.sh ${APP_DIR} -# These are used to run https on development mode -COPY setup/unsafe.cert setup/unsafe.key ${APP_DIR} +# Update local directories +RUN mkdir -p ${SRC_EXTENSIONS_DIR} /var/lib/ckan && \ + chown -R ckan:ckan-sys ${SRC_EXTENSIONS_DIR} ${APP_DIR}/ckan.ini /var/lib/ckan/ -COPY setup/start_ckan_development.sh ${APP_DIR} +USER ckan CMD ["/srv/app/start_ckan_development.sh"] diff --git a/ckan-master/dev/setup/install_src.sh b/ckan-master/dev/setup/install_src.sh new file mode 100755 index 0000000..8cd6735 --- /dev/null +++ b/ckan-master/dev/setup/install_src.sh 
@@ -0,0 +1,58 @@ +#!/bin/bash + +if [ $(id -u) -ne 0 ]; then + echo "Please run as root" + exit 1 +fi + +# Install any local extensions in the src_extensions volume +echo "Looking for local extensions to install..." +echo "Extension dir contents:" +ls -la $SRC_EXTENSIONS_DIR +for i in $SRC_EXTENSIONS_DIR/* +do + if [ -d $i ]; + then + if [ -d $SRC_DIR/$(basename $i) ]; + then + pip uninstall -y "$(basename $i)" + fi + + if [ -f $i/pip-requirements.txt ]; + then + pip install -r $i/pip-requirements.txt + echo "Found requirements file in $i" + fi + if [ -f $i/requirements.txt ]; + then + pip install -r $i/requirements.txt + echo "Found requirements file in $i" + fi + if [ -f $i/dev-requirements.txt ]; + then + pip install -r $i/dev-requirements.txt + echo "Found dev-requirements file in $i" + fi + if [ -f $i/setup.py ]; + then + cd $i + python3 $i/setup.py develop + echo "Found setup.py file in $i" + cd $APP_DIR + fi + if [ -f $i/pyproject.toml ]; + then + cd $i + pip install -e . + echo "Found pyproject.toml file in $i" + cd $APP_DIR + fi + + # Point `use` in test.ini to location of `test-core.ini` + if [ -f $i/test.ini ]; + then + echo "Updating \`test.ini\` reference to \`test-core.ini\` for plugin $i" + ckan config-tool $i/test.ini "use = config:../../src/ckan/test-core.ini" + fi + fi +done diff --git a/ckan-master/dev/setup/start_ckan_development.sh b/ckan-master/dev/setup/start_ckan_development.sh index 5f61c84..ed9aeb9 100755 --- a/ckan-master/dev/setup/start_ckan_development.sh +++ b/ckan-master/dev/setup/start_ckan_development.sh 
@@ -6,58 +6,6 @@ if [[ $CKAN__PLUGINS == *"datapusher"* ]]; then ckan config-tool $CKAN_INI ckan.datapusher.api_token=xxx fi -# Install any local extensions in the src_extensions volume -echo "Looking for local extensions to install..." -echo "Extension dir contents:" -ls -la $SRC_EXTENSIONS_DIR -for i in $SRC_EXTENSIONS_DIR/* -do - if [ -d $i ]; - then - if [ -d $SRC_DIR/$(basename $i) ]; - then - pip uninstall -y "$(basename $i)" - fi - - if [ -f $i/pip-requirements.txt ]; - then - pip install -r $i/pip-requirements.txt - echo "Found requirements file in $i" - fi - if [ -f $i/requirements.txt ]; - then - pip install -r $i/requirements.txt - echo "Found requirements file in $i" - fi - if [ -f $i/dev-requirements.txt ]; - then - pip install -r $i/dev-requirements.txt - echo "Found dev-requirements file in $i" - fi - if [ -f $i/setup.py ]; - then - cd $i - python3 $i/setup.py develop - echo "Found setup.py file in $i" - cd $APP_DIR - fi - if [ -f $i/pyproject.toml ]; - then - cd $i - pip install -e . - echo "Found pyproject.toml file in $i" - cd $APP_DIR - fi - - # Point `use` in test.ini to location of `test-core.ini` - if [ -f $i/test.ini ]; - then - echo "Updating \`test.ini\` reference to \`test-core.ini\` for plugin $i" - ckan config-tool $i/test.ini "use = config:../../src/ckan/test-core.ini" - fi - fi -done - # Set debug to true echo "Enabling debug mode" ckan config-tool $CKAN_INI -s DEFAULT "debug = true" @@ -117,7 +65,7 @@ fi # Start the development server as the ckan user with automatic reload while true; do - su ckan -c "$CKAN_RUN $CKAN_OPTIONS" + $CKAN_RUN $CKAN_OPTIONS echo Exit with status $?. Restarting. sleep 2 done