feat(Dockerfile)!: use an unprivileged user to run application
Add an unprivileged user to the Dockerfile in both production and
development images.
This MR is based on uis/devops/regent-house-ballots/ballots-webapp!83
which was successfully deployed to the development instance with no
deployment-side changes needed.
Regent house ballots is a good test because, unlike the bare
boilerplate, it installs some system dependencies in order to run tox.
This required adding a workaround to the `container:tox` image in order
to run tests as the unprivileged user but still install dependencies.
Specifically the `.gitlab/webapp.gitlab-ci.yml` file needed the `docker`
command which runs tests changed to:
```shell
docker run --rm --network host --entrypoint="" \
    -e TEST_USE_EXTERNAL_DATABASE -e EXTERNAL_SETTING_DATABASES \
    --user root \
    "$APPLICATION_IMAGE" \
    "/bin/bash" "-c" "apt-get -y update && \
    apt-get -y install pkg-config build-essential libxmlsec1-dev && \
    su --shell=/usr/bin/bash \
      '--command=poetry install --no-root --sync' webapp && \
    su --shell=/usr/bin/bash '--command=poetry run pytest' webapp"
```
Since some other downstream projects may need similar workarounds, this
change is marked as **BREAKING**.
Closes #122
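The image layout the description above relies on, as an added example written for this page rather than the boilerplate's own Dockerfile. It assumes a `python:3.11-slim` base, poetry, application code under `/app`, and an unprivileged user `webapp` with fixed uid/gid 1000; those names and numbers are illustrative. It shows the property the CI workaround depends on: `USER webapp` is set in a shared base stage so both the production and development images run unprivileged, and `/app` is owned by `webapp` so `poetry install` can be re-run as that user after `--user root` has done the `apt-get` work.

```dockerfile
# syntax=docker/dockerfile:1
# Added example for this page, not the project's Dockerfile.
# Assumptions: Python 3.11, poetry, code in /app, user "webapp" uid/gid 1000.

FROM python:3.11-slim AS base

# Fixed uid/gid so the user is identical in every stage and so bind-mounted
# files in development keep a predictable owner.
ARG APP_UID=1000
ARG APP_GID=1000
RUN groupadd --gid "${APP_GID}" webapp \
    && useradd --uid "${APP_UID}" --gid "${APP_GID}" --create-home webapp

# Root-only work: system packages and the poetry CLI. A downstream project's
# build dependencies (e.g. pkg-config, build-essential, libxmlsec1-dev) would
# be added here so the CI job does not have to re-install them at test time.
RUN apt-get -y update \
    && apt-get -y install --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/* \
    && pip install --no-cache-dir poetry

# /app must be writable by the unprivileged user: the CI workaround runs
# "poetry install" via "su ... webapp" after apt-get has run as root.
WORKDIR /app
RUN chown webapp:webapp /app

# From here on, and in every stage built FROM base, commands run as webapp.
# Anything that still needs root must be placed above this line.
USER webapp
ENV POETRY_VIRTUALENVS_IN_PROJECT=true \
    PATH="/app/.venv/bin:${PATH}"
COPY --chown=webapp:webapp pyproject.toml poetry.lock ./

FROM base AS production
RUN poetry install --no-root --only main --sync
COPY --chown=webapp:webapp . .
CMD ["gunicorn", "webapp.wsgi:application"]

FROM base AS development
# Development/test image: dev dependencies included, tests also run as webapp.
RUN poetry install --no-root --sync
COPY --chown=webapp:webapp . .
CMD ["pytest"]
```

With this layout the CI command's `--user root` overrides the `USER` directive for the whole shell, `apt-get` succeeds, and each `su --shell=/usr/bin/bash '--command=...' webapp` drops back to the image's normal user; because the caller is root, `su` honours `--shell` regardless of the shell recorded for `webapp` in `/etc/passwd`. A quick check that an image really runs unprivileged is `docker run --rm --entrypoint id "$APPLICATION_IMAGE" -u`, which must print a non-zero uid.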
- mentioned in merge request uis/devops/iam/activate-account/api!165
- mentioned in merge request uis/devops/api/login-and-consent-webapp!55 (merged)
- mentioned in merge request uis/devops/iar/webapp!79 (merged)
- mentioned in merge request uis/devops/experiments/tb844-testing/webapp!28