Minimise all root-owned files/directories in the running CKAN container

ckan-2.10/base/Dockerfile.py3.10

@@ -60,7 +60,6 @@ RUN pip3 install -U pip && \
     cd ${SRC_DIR} && \
     pip3 install -e git+${GIT_URL}@${CKAN_VERSION}#egg=ckan && \
     cd ckan && \
-    cp who.ini ${APP_DIR} && \
     pip3 install --no-binary markdown -r requirements.txt && \
     # Install CKAN envvars to support loading config from environment variables
     pip3 install -e git+https://github.com/okfn/[email protected]#egg=ckanext-envvars && \
@@ -69,19 +68,31 @@ RUN pip3 install -U pip && \
     ckan config-tool ${CKAN_INI} "beaker.session.secret = " && \
     ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}"
 
-# Create a local user and group plus set up the storage path
-RUN groupadd -g 92 ckan && \
-    useradd -rm -d /srv/app -s /bin/bash -g ckan -u 92 ckan && \
-    mkdir -p ${CKAN_STORAGE_PATH} && \
-    chown -R ckan:ckan ${CKAN_STORAGE_PATH}
-
+# Create ckan and ckan-sys users and the ckan-sys group plus set up the storage path
+RUN groupadd -g 502 ckan-sys && \
+    useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 502 ckan-sys && \
+    useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 503 ckan
+
 COPY setup/prerun.py ${APP_DIR}
 COPY setup/start_ckan.sh ${APP_DIR}
 ADD https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/wsgi.py ${APP_DIR}
 RUN chmod 644 ${APP_DIR}/wsgi.py
 
 # Create entrypoint directory for children image scripts
-ONBUILD RUN mkdir /docker-entrypoint.d
+RUN mkdir -p /docker-entrypoint.d && chmod 755 /docker-entrypoint.d
+
+# Set the ownership of the app directory, usr/local and the entrypoint directory to the ckan-sys user
+RUN chown -R ckan-sys:ckan-sys ${APP_DIR} && \
+    chown -R ckan-sys:ckan-sys /docker-entrypoint.d && \
+    chown -R ckan-sys:ckan-sys /usr/local
+
+# Set the ownership of the CKAN config file, src and the storage path to the ckan user
+RUN chown ckan:ckan-sys ${APP_DIR}/ckan.ini && \
+    chown -R ckan:ckan-sys ${APP_DIR}/src && \
+    mkdir -p ${CKAN_STORAGE_PATH} && \
+    chown -R ckan:ckan-sys ${CKAN_STORAGE_PATH}
+
+USER ckan
 
 EXPOSE 5000
 

ckan-2.10/base/Makefile

@@ -17,7 +17,7 @@ help:
 build:	## Build CKAN 2.x.x images , `make build`
 	echo "Building $(TAG_NAME) and $(ALT_TAG_NAME) and $(PYTHON_TAG_NAME) images"
 	docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(TAG_NAME) -t $(ALT_TAG_NAME) .
-#	docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(PYTHON_TAG_NAME) -t $(PYTHON_ALT_TAG_NAME) -f $(PYTHON.DOCKERFILE) .
+	docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(PYTHON_TAG_NAME) -t $(PYTHON_ALT_TAG_NAME) -f $(PYTHON.DOCKERFILE) .
 
 push: ## Push CKAN 2.x.x images to the DockerHub registry, `make push`
 	echo "Pushing $(TAG_NAME) image"

ckan-2.10/base/setup/prerun.py

@@ -200,7 +200,7 @@ def create_sysadmin():
         # We're running as root before pivoting to uwsgi and dropping privs
         data_dir = "%s/storage" % os.environ['CKAN_STORAGE_PATH']
 
-        command = ["chown", "-R", "ckan:ckan", data_dir]
+        command = ["chown", "-R", "ckan:ckan-sys", data_dir]
         subprocess.call(command)
         print("[prerun] Ensured storage directory is owned by ckan")
 

ckan-2.10/base/setup/start_ckan.sh

@@ -33,12 +33,9 @@ then
     done
 fi
 
-# Set the common uwsgi options
-UWSGI_OPTS="--plugins http,python \
-            --socket /tmp/uwsgi.sock \
+UWSGI_OPTS="--socket /tmp/uwsgi.sock \
             --wsgi-file /srv/app/wsgi.py \
             --module wsgi:application \
-            --uid 92 --gid 92 \
             --http [::]:5000 \
             --master --enable-threads \
             --lazy-apps \

ckan-2.10/base/setup/supervisord.conf

@@ -1,7 +1,7 @@
 [unix_http_server]
 file = /tmp/supervisor.sock
 chmod = 0777
-chown = nobody:nogroup
+chown = ckan:ckan-sys
 
 [supervisord]
 logfile = /tmp/supervisord.log

ckan-2.10/dev/Dockerfile.py3.10

@@ -6,17 +6,20 @@ ARG CKAN_VERSION=${CKAN_VERSION}
 ENV APP_DIR=/srv/app
 ENV SRC_EXTENSIONS_DIR=${APP_DIR}/src_extensions
 
+USER root
+
 # Install CKAN dev requirements
-#RUN . ${APP_DIR}/bin/activate && \
 RUN cd ${SRC_DIR}/ckan && \ 
 pip3 install -r https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/dev-requirements.txt
 
-# Create folder for local extensions sources
-RUN mkdir -p ${SRC_EXTENSIONS_DIR}
+COPY --chown=ckan-sys:ckan-sys setup/unsafe.cert setup/unsafe.key setup/start_ckan_development.sh setup/install_src.sh ${APP_DIR}
 
-# These are used to run https on development mode
-COPY setup/unsafe.cert setup/unsafe.key ${APP_DIR}
+# Update local directories
+RUN mkdir -p ${SRC_EXTENSIONS_DIR} /var/lib/ckan && \
+    chown -R ckan-sys:ckan-sys ${SRC_EXTENSIONS_DIR} && \
+    chown -R ckan:ckan-sys /var/lib/ckan/ && \
+    chmod 775 ${SRC_EXTENSIONS_DIR}
 
-COPY setup/start_ckan_development.sh ${APP_DIR}
+USER ckan
 
 CMD ["/srv/app/start_ckan_development.sh"]

ckan-2.10/dev/Makefile

@@ -17,7 +17,7 @@ help:
 build:	## Build a CKAN 2.x-dev image , `make build`
 	echo "Building $(TAG_NAME) and $(ALT_TAG_NAME) images"
 	docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(TAG_NAME) -t $(ALT_TAG_NAME) .
-	docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(PYTHON_TAG_NAME) -t $(PYTHON_ALT_TAG_NAME) -f $(PYTHON.DOCKERFILE) --no-cache .
+	docker build --build-arg="CKAN_VERSION=ckan-$(CKAN_VERSION)" -t $(PYTHON_TAG_NAME) -t $(PYTHON_ALT_TAG_NAME) -f $(PYTHON.DOCKERFILE) .
 
 push: ## Push a CKAN 2.x-dev image to the DockerHub registry, `make push`
 	echo "Pushing $(TAG_NAME) image"

ckan-2.10/dev/setup/install_src.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+if [ $(id -u) -ne 0 ]; then
+    echo "Please run as root"
+    exit 1
+fi
+
+# Install any local extensions in the src_extensions volume
+echo "Looking for local extensions to install..."
+echo "Extension dir contents:"
+ls -la $SRC_EXTENSIONS_DIR
+for i in $SRC_EXTENSIONS_DIR/*
+do
+    if [ -d $i ];
+    then
+        if [ -d $SRC_DIR/$(basename $i) ];
+        then
+            pip uninstall -y "$(basename $i)"
+        fi
+
+        if [ -f $i/pip-requirements.txt ];
+        then
+            pip install -r $i/pip-requirements.txt
+            echo "Found requirements file in $i"
+        fi
+        if [ -f $i/requirements.txt ];
+        then
+            pip install -r $i/requirements.txt
+            echo "Found requirements file in $i"
+        fi
+        if [ -f $i/dev-requirements.txt ];
+        then
+            pip install -r $i/dev-requirements.txt
+            echo "Found dev-requirements file in $i"
+        fi
+        if [ -f $i/setup.py ];
+        then
+            cd $i
+            python3 $i/setup.py develop
+            echo "Found setup.py file in $i"
+            cd $APP_DIR
+        fi
+        if [ -f $i/pyproject.toml ];
+        then
+            cd $i
+            pip install -e .
+            echo "Found pyproject.toml file in $i"
+            cd $APP_DIR
+        fi
+
+        # Point `use` in test.ini to location of `test-core.ini`
+        if [ -f $i/test.ini ];
+        then
+            echo "Updating \`test.ini\` reference to \`test-core.ini\` for plugin $i"
+            ckan config-tool $i/test.ini "use = config:../../src/ckan/test-core.ini"
+        fi
+    fi
+done

ckan-2.10/dev/setup/start_ckan_development.sh

@@ -6,58 +6,6 @@ if [[ $CKAN__PLUGINS == *"datapusher"* ]]; then
     ckan config-tool $CKAN_INI ckan.datapusher.api_token=xxx
 fi
 
-# Install any local extensions in the src_extensions volume
-echo "Looking for local extensions to install..."
-echo "Extension dir contents:"
-ls -la $SRC_EXTENSIONS_DIR
-for i in $SRC_EXTENSIONS_DIR/*
-do
-    if [ -d $i ];
-    then
-    	if [ -d $SRC_DIR/$(basename $i) ];
-        then
-            pip uninstall -y "$(basename $i)"
-        fi
-
-        if [ -f $i/pip-requirements.txt ];
-        then
-            pip install -r $i/pip-requirements.txt
-            echo "Found requirements file in $i"
-        fi
-        if [ -f $i/requirements.txt ];
-        then
-            pip install -r $i/requirements.txt
-            echo "Found requirements file in $i"
-        fi
-        if [ -f $i/dev-requirements.txt ];
-        then
-            pip install -r $i/dev-requirements.txt
-            echo "Found dev-requirements file in $i"
-        fi
-        if [ -f $i/setup.py ];
-        then
-            cd $i
-            python3 $i/setup.py develop
-            echo "Found setup.py file in $i"
-            cd $APP_DIR
-        fi
-        if [ -f $i/pyproject.toml ];
-        then
-            cd $i
-            pip install -e .
-            echo "Found pyproject.toml file in $i"
-            cd $APP_DIR
-        fi
-
-        # Point `use` in test.ini to location of `test-core.ini`
-        if [ -f $i/test.ini ];
-        then
-            echo "Updating \`test.ini\` reference to \`test-core.ini\` for plugin $i"
-            ckan config-tool $i/test.ini "use = config:../../src/ckan/test-core.ini"
-        fi
-    fi
-done
-
 # Set debug to true
 echo "Enabling debug mode"
 ckan config-tool $CKAN_INI -s DEFAULT "debug = true"
@@ -117,7 +65,7 @@ fi
 
 # Start the development server as the ckan user with automatic reload
 while true; do
-    su ckan -c "$CKAN_RUN $CKAN_OPTIONS"
+    $CKAN_RUN $CKAN_OPTIONS
     echo Exit with status $?. Restarting.
     sleep 2
 done

ckan-2.11/base/Dockerfile

@@ -36,7 +36,7 @@ RUN update-locale LANG=${LC_ALL}
 
 # Install system libraries
 RUN apt-get install --no-install-recommends -y \
-        apt-utils \
+        apt-utils \   
         git \
         libpq-dev \
         g++ \
@@ -61,20 +61,32 @@ RUN pip3 install -U pip && \
     ckan config-tool ${CKAN_INI} "SECRET_KEY = " && \
     ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}"
 
-# Create a local user and group plus set up the storage path
-RUN groupadd -g 92 ckan && \
-    useradd -rm -d /srv/app -s /bin/bash -g ckan -u 92 ckan && \
-    mkdir -p ${CKAN_STORAGE_PATH} && \
-    chown -R ckan:ckan ${CKAN_STORAGE_PATH}
+# Create ckan and ckan-sys users and the ckan-sys group plus set up the storage path
+RUN groupadd -g 502 ckan-sys && \
+    useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 502 ckan-sys && \
+    useradd -rm -d /srv/app -s /bin/bash -g ckan-sys -u 503 ckan
 
 COPY setup/prerun.py ${APP_DIR}
 COPY setup/start_ckan.sh ${APP_DIR}
 ADD https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/wsgi.py ${APP_DIR}
 RUN chmod 644 ${APP_DIR}/wsgi.py
 
 # Create entrypoint directory for children image scripts
-ONBUILD RUN mkdir /docker-entrypoint.d
+RUN mkdir -p /docker-entrypoint.d && chmod 755 /docker-entrypoint.d
+
+# Set the ownership of the app directory, usr/local and the entrypoint directory to the ckan-sys user
+RUN chown -R ckan-sys:ckan-sys ${APP_DIR} && \
+    chown -R ckan-sys:ckan-sys /docker-entrypoint.d && \
+    chown -R ckan-sys:ckan-sys /usr/local
+
+# Set the ownership of the CKAN config file, src and the storage path to the ckan user
+RUN chown ckan:ckan-sys ${APP_DIR}/ckan.ini && \
+    chown -R ckan:ckan-sys ${APP_DIR}/src && \
+    mkdir -p ${CKAN_STORAGE_PATH} && \
+    chown -R ckan:ckan-sys ${CKAN_STORAGE_PATH}
+
+USER ckan
 
 EXPOSE 5000
 
-CMD ["/srv/app/start_ckan.sh"]
+CMD ["/srv/app/start_ckan.sh"]

ckan-2.11/base/setup/prerun.py

@@ -199,7 +199,7 @@ def create_sysadmin():
         # We're running as root before pivoting to uwsgi and dropping privs
         data_dir = "%s/storage" % os.environ['CKAN_STORAGE_PATH']
 
-        command = ["chown", "-R", "ckan:ckan", data_dir]
+        command = ["chown", "-R", "ckan:ckan-sys", data_dir]
         subprocess.call(command)
         print("[prerun] Ensured storage directory is owned by ckan")
 

ckan-2.11/base/setup/start_ckan.sh

@@ -33,12 +33,9 @@ then
     done
 fi
 
-# Set the common uwsgi options
-UWSGI_OPTS="--plugins http,python \
-            --socket /tmp/uwsgi.sock \
+UWSGI_OPTS="--socket /tmp/uwsgi.sock \
             --wsgi-file /srv/app/wsgi.py \
             --module wsgi:application \
-            --uid 92 --gid 92 \
             --http [::]:5000 \
             --master --enable-threads \
             --lazy-apps \

ckan-2.11/dev/Dockerfile

@@ -6,17 +6,18 @@ ARG CKAN_VERSION=${CKAN_VERSION}
 ENV APP_DIR=/srv/app
 ENV SRC_EXTENSIONS_DIR=${APP_DIR}/src_extensions
 
+USER root
+
 # Install CKAN dev requirements
-#RUN . ${APP_DIR}/bin/activate && \
 RUN cd ${SRC_DIR}/ckan && \ 
 pip3 install -r https://raw.githubusercontent.com/ckan/ckan/${CKAN_VERSION}/dev-requirements.txt
 
-# Create folder for local extensions sources
-RUN mkdir -p ${SRC_EXTENSIONS_DIR}
+COPY --chown=ckan-sys:ckan-sys setup/unsafe.cert setup/unsafe.key setup/start_ckan_development.sh setup/install_src.sh ${APP_DIR}
 
-# These are used to run https on development mode
-COPY setup/unsafe.cert setup/unsafe.key ${APP_DIR}
+# Update local directories
+RUN mkdir -p ${SRC_EXTENSIONS_DIR} /var/lib/ckan && \
+    chown -R ckan:ckan-sys ${SRC_EXTENSIONS_DIR} ${APP_DIR}/ckan.ini /var/lib/ckan/
 
-COPY setup/start_ckan_development.sh ${APP_DIR}
+USER ckan
 
 CMD ["/srv/app/start_ckan_development.sh"]