forked from eclipse-edc/DataDashboard
-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Make image work in a nonroot environment. * Docker: fully-qualified image names Consistency and compatibility with more container runtimes and builders. * Docker: rewrite to use unprivileged NGINX Instead of manually modifying the image to work in a non-root environment, use the official unprivileged NGINX image. To install packages and perform other privileged tasks, temporarily switch to root and subsequently switch back. Additionally, use the native envsubst templating already integrated into the NGINX images instead of recreating it. The reason it was not triggering before is that the entrypoint script in the base image checks if the command is `nginx` or `nginx-debug` and if not just executes the command directly without running any further setup. --------- Co-authored-by: Thomas <60181704+tsk9@users.noreply.github.com>
- Loading branch information
Showing
3 changed files
with
30 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
#!/bin/sh | ||
|
||
set -e | ||
|
||
jq -n 'env | with_entries( select(.key | startswith("EDC_UI_") ) )' > /tmp/app-config.json |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,37 +1,42 @@ | ||
# Stage 1: Install node modules | ||
FROM node:lts as npm-install | ||
FROM docker.io/library/node:lts as npm-install | ||
|
||
WORKDIR /app | ||
COPY ./package*.json /app/ | ||
RUN npm install | ||
|
||
# Stage 2: Build Project | ||
FROM node:lts as build | ||
FROM docker.io/library/node:lts as build | ||
|
||
WORKDIR /app | ||
COPY --from=npm-install /app/node_modules /app/node_modules | ||
COPY ./ /app/ | ||
RUN npm run ng build --no-progress --configuration=production | ||
|
||
# Stage 3: Serve app with nginx | ||
FROM nginx:1.25.2-alpine | ||
FROM docker.io/nginxinc/nginx-unprivileged:1.25-alpine3.18 | ||
|
||
RUN apk update && apk add jq esh --no-cache | ||
# Temporarily switch to root to install packages and create symlink in restricted location | ||
USER root | ||
RUN apk add --no-cache jq curl | ||
|
||
COPY --from=build /app/dist/edc-demo-client /usr/share/nginx/html | ||
COPY --from=build /app/src/assets /usr/share/nginx/html/assets | ||
COPY docker/default.conf.esh etc/nginx/conf.d/default.conf.esh | ||
COPY docker/default.conf.template etc/nginx/templates/default.conf.template | ||
# Before starting nginx, apply ENV vars to create app-config.json from EDC_UI_* ENV Vars | ||
# Use an entrypoint drop-in instead of modifying the default entrypoint or command, | ||
# so that the automatic envsubst templating is not disabled. | ||
COPY docker/99-generate-app-config.sh /docker-entrypoint.d/99-generate-app-config.sh | ||
|
||
ENV NGINX_BIND="" | ||
ENV NGINX_PORT=80 | ||
RUN ln -sf /tmp/app-config.json /usr/share/nginx/html/assets/config/app-config.json \ | ||
# Nginx is configured to reject symlinks that point to a file owned by a different user, for security reasons | ||
&& chown --no-dereference nginx:root /usr/share/nginx/html/assets/config/app-config.json | ||
|
||
HEALTHCHECK --interval=2s --timeout=5s --retries=10 \ | ||
CMD curl -f http://${NGINX_BIND:"localhost"}:$NGINX_PORT/ || exit 1 | ||
# Switch back to unprivileged user for runtime | ||
USER nginx:nginx | ||
|
||
# Before starting nginx, apply ENV vars: | ||
# (1) Apply NGINX_BIND and NGINX_PORT to nginx.conf | ||
# (2) Create app-config.json from EDC_UI_* ENV Vars | ||
CMD esh -o /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.esh \ | ||
&& jq -n 'env | with_entries( select(.key | startswith("EDC_UI_") ) )' > /usr/share/nginx/html/assets/config/app-config.json \ | ||
&& nginx -g "daemon off;" | ||
ENV NGINX_BIND="0.0.0.0" | ||
ENV NGINX_PORT=8080 | ||
|
||
HEALTHCHECK --interval=2s --timeout=5s --retries=10 \ | ||
CMD curl -f http://$NGINX_BIND:$NGINX_PORT/ || exit 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters