chore: revert "ci: non-root container image (#437)" for MS8 as it changes a port

This reverts commit 7f732a1.
richardtreier committed Sep 1, 2023
1 parent 776e70c commit 8d0d2ce
Showing 4 changed files with 17 additions and 36 deletions.
6 changes: 0 additions & 6 deletions CHANGELOG.md
Expand Up @@ -39,16 +39,10 @@ MDS 1.2 Release: MS8 Release with fixes for both the Connector UI and Broker UI.
- Removed 404-causing login polling from broker UI
- Broker: Fixed popularity not logged when clicking on a data offer.
- Broker: Fixed missing name in legal notice
- Docker Image now uses non-root user
- Renamed button from cancel to close in json-dialogs
- Added a workaround for our EDC UI image failing when requests contain large
cookies.

### Deployment Migration Notes

- The Docker Images no longer bind the port `:80` but the port `:8080`.
- The Docker Images now use non-root users.

## [v0.0.1-milestone-8-sovity12] 12.07.2023

### Overview
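
Review bot: Dropping the whole "Deployment Migration Notes" section (the `:80` to `:8080` bullet and the non-root bullet) leaves the MS8 changelog with no statement of how the image runs after the revert. Since the commit title scopes the revert to MS8, consider one explicit line here saying the MS8 images keep binding `:80` and do not run as a non-root user, so operators comparing this release with the line that retains #437 do not assume the hardening shipped.
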
5 changes: 0 additions & 5 deletions docker/99-generate-app-config.sh

This file was deleted.

35 changes: 15 additions & 20 deletions docker/Dockerfile
@@ -1,42 +1,37 @@
# Stage 1: Install node modules
FROM docker.io/library/node:lts as npm-install
FROM node:lts as npm-install

WORKDIR /app
COPY ./package*.json /app/
RUN npm install

# Stage 2: Build Project
FROM docker.io/library/node:lts as build
FROM node:lts as build

WORKDIR /app
COPY --from=npm-install /app/node_modules /app/node_modules
COPY ./ /app/
RUN npm run ng build --no-progress --configuration=production

# Stage 3: Serve app with nginx
FROM docker.io/nginxinc/nginx-unprivileged:1.25-alpine3.18
FROM nginx:1.25.2-alpine

# Temporarily switch to root to install packages and create symlink in restricted location
USER root
RUN apk add --no-cache jq curl
RUN apk update && apk add jq esh --no-cache

COPY --from=build /app/dist/edc-demo-client /usr/share/nginx/html
COPY --from=build /app/src/assets /usr/share/nginx/html/assets
COPY docker/default.conf.template etc/nginx/templates/default.conf.template
# Before starting nginx, apply ENV vars to create app-config.json from EDC_UI_* ENV Vars
# Use an entrypoint drop-in instead of modifying the default entrypoint or command,
# so that the automatic envsubst templating is not disabled.
COPY docker/99-generate-app-config.sh /docker-entrypoint.d/99-generate-app-config.sh
COPY docker/default.conf.esh etc/nginx/conf.d/default.conf.esh

RUN ln -sf /tmp/app-config.json /usr/share/nginx/html/assets/config/app-config.json \
# Nginx is configured to reject symlinks that point to a file owned by a different user, for security reasons
&& chown --no-dereference nginx:root /usr/share/nginx/html/assets/config/app-config.json
ENV NGINX_BIND=""
ENV NGINX_PORT=80

# Switch back to unprivileged user for runtime
USER nginx:nginx
HEALTHCHECK --interval=2s --timeout=5s --retries=10 \
CMD curl -f http://${NGINX_BIND:"localhost"}:$NGINX_PORT/ || exit 1

ENV NGINX_BIND="0.0.0.0"
ENV NGINX_PORT=8080
# Before starting nginx, apply ENV vars:
# (1) Apply NGINX_BIND and NGINX_PORT to nginx.conf
# (2) Create app-config.json from EDC_UI_* ENV Vars
CMD esh -o /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.esh \
&& jq -n 'env | with_entries( select(.key | startswith("EDC_UI_") ) )' > /usr/share/nginx/html/assets/config/app-config.json \
&& nginx -g "daemon off;"

HEALTHCHECK --interval=2s --timeout=5s --retries=10 \
CMD curl -f http://$NGINX_BIND:$NGINX_PORT/ || exit 1
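
Review bot: On the HEALTHCHECK line paired with `ENV NGINX_BIND=""`, `${NGINX_BIND:"localhost"}` is not the shell default-value expansion, so an empty NGINX_BIND does not fall back to localhost in the probe URL; `${NGINX_BIND:-localhost}` is the form that does. Separately, with `USER nginx:nginx` gone and no other USER set after `FROM nginx:1.25.2-alpine`, the `esh`, `jq` and `nginx` CMD chain runs as root (the default for this base image) and rewrites `default.conf` and `app-config.json` at every start. If root at runtime is accepted for MS8 only, record that in a follow-up issue so the non-root change is re-landed once the port question is settled.
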
7 changes: 2 additions & 5 deletions docker/default.conf.template → docker/default.conf.esh
@@ -1,9 +1,5 @@
access_log /dev/stdout;
error_log /dev/stderr;
disable_symlinks if_not_owner;

server {
listen ${NGINX_BIND}:${NGINX_PORT};
listen <%= $NGINX_BIND %><% if "$NGINX_BIND" ; then -%>:<% fi -%><%= $NGINX_PORT %>;
server_name localhost;

root /usr/share/nginx/html;
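
Review bot: In the esh `listen` line, `<% if "$NGINX_BIND" ; then -%>` runs the value of NGINX_BIND as a command instead of testing whether it is non-empty. With the default empty value the command fails and the colon is skipped, which happens to give `listen 80;`, but with a bind address set (for example `0.0.0.0`) the command is not found, the colon is still skipped, and the address and port are concatenated. Use `<% if [ -n "$NGINX_BIND" ]; then -%>` so the separator is emitted whenever a bind address is present and the environment value is never executed; this matters more now that the template is rendered by the root CMD at container start.
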
Expand All @@ -16,3 +12,4 @@ server {
# Our OAuth Proxies currently have an issue with very large cookies
large_client_header_buffers 8 32k;
}
